badcaptain0001

ENVCRYPT: A Zero-Knowledge .env Vault for Fast-Moving Dev Teams

This is a submission for the DEV Weekend Challenge: Community.

The Community

I built this for developers who move fast and pass secrets around constantly across local/dev/staging/prod.

This is especially useful for:

  • Indie hackers and solo builders
  • Small startup engineering teams
  • Students and hackathon teams
  • Anyone currently storing secrets in plaintext files, chat apps, or notes

The goal was simple: keep the workflow fast, but remove plaintext secret handling.

What I Built

I built ENVCRYPT (Envault), a zero-knowledge environment variable vault.

Core idea

Secrets are encrypted in the browser before storage, so the backend only receives ciphertext.

Main features

  • Google/GitHub OAuth login
  • Project-based secret organization
  • Add single variables or bulk import from .env
  • Client-side encryption with Argon2id + AES-256-GCM
  • Ciphertext-only storage (value_encrypted)
  • In-memory key handling + auto-lock
  • One-click .env export (decrypted in-browser)

Security model

  • API rejects plaintext value payloads
  • Database stores encrypted values only
  • RLS policies isolate user data
  • Even with a DB leak, an attacker gets ciphertext without your decryption key

Demo

Code

How I Built It

Stack

  • Next.js 16 (App Router, TypeScript)
  • React 19
  • Tailwind CSS v4 + shadcn/ui
  • Supabase (Auth + Postgres + RLS)
  • hash-wasm (Argon2id) + Web Crypto API (AES-256-GCM)
  • Zustand
  • Vitest

Implementation highlights

  • Derive encryption key locally from master password with Argon2id
  • Encrypt each secret with AES-GCM + random IV
  • Persist only encrypted payloads
  • Decrypt only in-browser during explicit export action
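
The flow in these highlights, as an added example that is not ENVCRYPT's own code: PBKDF2 from Web Crypto stands in for Argon2id (which the project takes from hash-wasm) so the block runs without dependencies. The function names, the IV-prefixed base64 layout, the use of the variable name as AES-GCM additional data, and the `isCiphertextPayload` shape check are assumptions of this example.

```javascript
// Added example: PBKDF2 stands in for Argon2id so it runs with Web Crypto alone.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback for older Node
const enc = new TextEncoder();
const IV_LEN = 12, TAG_LEN = 16;
const b64 = (bytes) => btoa(String.fromCharCode(...bytes));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive a non-extractable AES-256-GCM key from the master password.
async function deriveKey(masterPassword, salt) {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(masterPassword), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: 600000 },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Encrypt one secret under a fresh random IV; the variable name is bound as
// additional authenticated data so a ciphertext cannot be moved to another name.
async function encryptSecret(key, name, value) {
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN));
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(name) }, key, enc.encode(value)));
  const out = new Uint8Array(IV_LEN + ct.length);
  out.set(iv);
  out.set(ct, IV_LEN);
  return { name, value_encrypted: b64(out) };
}

// Decrypt in the browser; throws if the key, name, IV or ciphertext is wrong.
async function decryptSecret(key, row) {
  const raw = unb64(row.value_encrypted);
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: raw.subarray(0, IV_LEN), additionalData: enc.encode(row.name) },
    key, raw.subarray(IV_LEN));
  return new TextDecoder().decode(pt);
}

// Server-side shape check (hypothetical): refuse any body carrying a plaintext
// `value`, and require base64 long enough to hold an IV and a GCM tag.
function isCiphertextPayload(body) {
  const s = body.value_encrypted;
  if ("value" in body || typeof s !== "string") return false;
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return false;
  return unb64(s).length >= IV_LEN + TAG_LEN;
}
```

The salt is not secret, but it has to be stored alongside the account so the same key can be re-derived on the next unlock.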
