Okay, confession: I used to email .env files to teammates. Sometimes to myself. Over Gmail. Unencrypted.
I knew it was bad. I just didn't have a better option that didn't involve setting up an entire secrets manager for a side project.
So I built one.
EnvVault is a tiny browser-based tool that lets you:
- Paste your `.env` contents
- Encrypt them with AES-GCM (using the browser's native Web Crypto API, no libraries)
- Export as a `.json` vault or (my favorite part) hide it inside a PNG using steganography
The image looks completely normal. Your secrets are encrypted inside the pixels. You can drop it in Slack and nobody's the wiser.
The best part? Nothing ever leaves your browser. No server, no account, no install. You can literally disconnect your Wi-Fi before typing your secrets. Once the page loads, it works fully offline.
The encryption uses PBKDF2 for key derivation and a unique IV for every vault, so it's not just a gimmick: the security is solid.
The workflow ends up being:
- Encrypt the vault, then share the file however you want
- Share the passphrase separately (call, text, password manager)
- Recipient decrypts in their browser
That's it. The channel you use to share doesn't matter anymore because it only ever sees ciphertext.
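The scheme described above (PBKDF2 key derivation, AES-GCM, a fresh IV per vault), written against the Web Crypto API as an added example. This is not EnvVault's source: the vault field names, salt size, iteration count and its accepted range are assumptions, since the page does not state them.

```javascript
// Added example, not EnvVault's code. Field names, salt size and the
// PBKDF2 iteration count below are assumptions, not taken from the tool.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
const ITERATIONS = 600000; // assumed PBKDF2-HMAC-SHA256 work factor

// Base64 helpers; fine for .env-sized inputs (a few KB).
const toB64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const fromB64 = (text) => Uint8Array.from(atob(text), (c) => c.charCodeAt(0));

// Stretch the passphrase into a non-extractable 256-bit AES-GCM key.
async function deriveKey(passphrase, salt, iterations) {
  const material = await webCrypto.subtle.importKey(
    'raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return webCrypto.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt .env text into a JSON-serialisable vault with a fresh salt and IV.
async function encryptEnv(envText, passphrase) {
  const salt = webCrypto.getRandomValues(new Uint8Array(16));
  const iv = webCrypto.getRandomValues(new Uint8Array(12)); // 96-bit GCM nonce
  const key = await deriveKey(passphrase, salt, ITERATIONS);
  const ct = await webCrypto.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(envText));
  return { v: 1, kdf: 'PBKDF2-SHA256', iter: ITERATIONS,
           salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) };
}

// Decrypt a vault. A wrong passphrase or a modified salt, IV, iteration
// count or ciphertext makes the GCM tag check fail, so the promise rejects
// instead of returning corrupted plaintext.
async function decryptEnv(vault, passphrase) {
  // The vault is untrusted input: bound the work factor before using it.
  if (!Number.isInteger(vault.iter) || vault.iter < 100000 || vault.iter > 5000000) {
    throw new Error('iteration count outside accepted range');
  }
  const key = await deriveKey(passphrase, fromB64(vault.salt), vault.iter);
  const pt = await webCrypto.subtle.decrypt(
    { name: 'AES-GCM', iv: fromB64(vault.iv) }, key, fromB64(vault.ct));
  return new TextDecoder().decode(pt);
}
```

The passphrase is the only secret in this design, so its strength bounds the vault's strength whatever the work factor.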
It's free, open to use, and takes about 30 seconds to try: id8.co.in/tools/env-vault
Would love to know what you're currently doing for secret sharing on small projects. Always curious if there's a smarter way I'm missing.