Sanjula Perera

EnvShare: Share .env securely without the copy‑paste chaos (open source)

We’ve all done it: “Can you Slack me your .env?” — followed by a wall of secrets, a few typos, and a quiet sense of dread. EnvShare is an open‑source way to fix that. It gives your team a dead‑simple workflow to store, encrypt, audit, and share environment variables — without dumping secrets into chat or Git.

This post gives you the why, the what, and just enough how to understand how EnvShare keeps your data safe while staying out of your way.

What you get

  • End‑to‑end encryption for secrets using AES‑256‑GCM
  • Per‑project keys (derived with scrypt) so one project can’t decrypt another
  • Token‑based access with permissions (read | write) and scoping to specific keys
  • A fast, modern dashboard to manage projects, secrets, and tokens
  • A CLI that writes .env files for you and fits into any workflow
  • Framework SDKs (React, Vue, Svelte, Solid, Next.js, Vanilla JS) for easy app integration
  • Full audit logging (IPs, user agents, who did what, when)

How it works (plain English, light on buzzwords)

  1. You sign in with GitHub via Firebase Auth. Requests to the API include your token.

  2. For each project, EnvShare derives a unique 32‑byte key using scrypt:

  • key = scrypt(ENVSHARE_SECRET_KEY, projectId, 32)
  • Secrets are encrypted with AES‑256‑GCM using a fresh IV per secret; the authentication tag is stored alongside the ciphertext

  3. Encrypted secrets and metadata are stored in DynamoDB. The important tables:

  • EnvaultProjects (by projectId, with a GSI to list projects by user)
  • EnvaultSecrets (by projectId + secret key) — stores value, iv, authTag
  • EnvaultAccessTokens (by token) — permissions, accessibleKeys, TTL via expiresAt
  • EnvaultAuditLogs (by logId, GSI for project + timestamp)

  4. Access happens via short‑lived tokens with permissions:

  • Read or write
  • Optional scoping to a subset of keys
  • Single‑use or multi‑use, with automatic cleanup via DynamoDB TTL

  5. Every sensitive action is logged (who, what, where, when). Audit logging never blocks your main flow.

Feature highlights

  • Security by default

    • AES‑256‑GCM encryption, per‑project keys via scrypt, unique IVs + auth tags
    • Token model makes least‑privilege practical (scope to specific keys)
    • No secrets in logs; HTTPS everywhere
  • Developer experience that feels familiar

    • Next.js 15 App Router, TypeScript (strict), Turbopack
    • shadcn/ui + Radix UI for accessible, consistent components
    • Path aliases with @/*, clean APIs, and a CLI that writes .env.local
  • Built to scale from day one

    • DynamoDB with PAY_PER_REQUEST, GSIs for the hot paths
    • Serverless API routes; fast enough for local dev, comfortable in prod

Quick start (local dev)

# Install and run the app
npm install
npm run dev

# Lint, build, and try a production build
npm run lint
npm run build

# Build all framework packages (optional)
npm run build:packages

# Try the CLI (local)
./bin/envshare.js --help

You’ll need standard environment variables to run locally (Firebase, AWS, and an ENVSHARE_SECRET_KEY). See the repo’s environment section for the full list.

CLI in 60 seconds

Generate a token in the dashboard, then pull secrets into .env.local:

# Pull secrets for a project into .env.local
./bin/envshare.js pull --project <projectId> --token <token>

# Create a read token that expires in 1 hour
./bin/envshare.js generate-token --project <projectId> --permissions read --expires 3600

Tokens can be single‑use or multi‑use, scoped to specific keys, and are cleaned up automatically when they expire.
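How a server could enforce the token model described here (permissions, key scope, expiry, single‑use) on a pull, as an added example that is not EnvShare's own code. Field names follow the EnvaultAccessTokens description; the secrets, token values and the `singleUse`/`used` flags are constructed, and expiresAt is assumed to be epoch seconds as DynamoDB TTL attributes are.

```javascript
// Added example, not EnvShare's own code: authorization checks for a scoped,
// short-lived access token before secrets are returned to the CLI.

// Constructed secrets for one project, as the server would load them.
const PROJECT_SECRETS = {
  DATABASE_URL: 'postgres://constructed',
  STRIPE_KEY: 'sk_constructed',
  LOG_LEVEL: 'info',
};

// Decide what a token may do. Returns { ok: false, reason } or { ok: true, keys }.
function authorize(token, action, requestedKeys, nowSeconds) {
  // DynamoDB TTL deletion is eventual, so expiry is checked on every request
  // instead of relying on the row having been removed.
  if (token.expiresAt <= nowSeconds) return { ok: false, reason: 'token expired' };
  // singleUse/used are assumed field names for the single-use mode.
  if (token.singleUse && token.used) return { ok: false, reason: 'single-use token already redeemed' };
  if (!token.permissions.includes(action)) return { ok: false, reason: `token lacks ${action} permission` };
  // accessibleKeys is optional: when absent, the token covers every project key.
  const allowed = token.accessibleKeys
    ? requestedKeys.filter((k) => token.accessibleKeys.includes(k))
    : requestedKeys;
  if (allowed.length === 0) return { ok: false, reason: 'no requested key is in scope' };
  return { ok: true, keys: allowed };
}

// Handle a pull: return only the key/value pairs the token is scoped to, and
// mark a single-use token as redeemed so a second pull is refused.
function pullSecrets(token, secrets, nowSeconds) {
  const decision = authorize(token, 'read', Object.keys(secrets), nowSeconds);
  if (!decision.ok) return { ok: false, reason: decision.reason };
  const env = {};
  for (const k of decision.keys) env[k] = secrets[k];
  if (token.singleUse) token.used = true;
  return { ok: true, env };
}
```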

SDKs for your framework

Each package under packages/* gives you framework‑native primitives:

  • React: Context provider + hooks
  • Vue: Composables
  • Svelte: Stores
  • Solid: Signals
  • Next.js: App Router‑friendly helpers
  • Vanilla JS: Lightweight utilities

You can fetch, decrypt, and render secrets with a few lines of code — no reinventing auth or crypto.

Under the hood (for the curious)

  • App: Next.js 15 App Router, TypeScript (strict), Tailwind, shadcn/ui, Radix UI
  • Auth: Firebase Authentication (GitHub OAuth) + server‑side verification via Firebase Admin
  • Data: DynamoDB tables for projects, secrets, access tokens (with TTL), and audit logs
  • Crypto: AES‑256‑GCM with per‑project keys from scrypt(ENVSHARE_SECRET_KEY, projectId, 32)
  • CLI: Node.js tool (bin/envshare.js) with commands for pull/sync/token ops

Roadmap

  • Webhooks and CI/CD integrations
  • Secret versioning and diffing
  • Advanced audit exports and filtering
  • Notifications and policy alerts
  • Optional client‑side encryption modes

Why teams pick EnvShare

  • It’s secure by default but doesn’t make you jump through hoops
  • The CLI and SDKs reduce copy‑paste errors to zero
  • Project‑scoped keys keep blast radius small
  • Audit logging gives you confidence (and receipts)
  • It’s open source — extend it, fork it, contribute back

Contribute

Issues, PRs, and feedback are very welcome. If you build something cool on top of EnvShare (a plugin, CI integration, or a new SDK helper), share it — we’d love to feature it.

Ready to stop pasting secrets into chat? Give EnvShare a spin.