Zero-Knowledge Architecture Live

Stop sending production secrets over Slack.

EnvGuard provides mathematically proven client-side encryption for .env files. Decrypted only by the recipient. Invisible to our servers.

Start Sharing for Free View The Architecture
secure-terminal — bash
1~ envguard push config.env --burn-after-read
2Initializing Web Crypto API (AES-256-GCM)...
3Deriving wrapping keys via PBKDF2...
4Success! Zero-Knowledge link generated:
5https://envguard-io.vercel.app/share.html?id=8a7b#wrapped=X8j2Pq9...
6 Alert: EnvGuard servers have 0 bytes of decryption key data.

Enterprise Grade Security

Features designed for paranoid teams.

Client-Side Encryption

Cryptographic operations happen strictly in the browser using the native Web Crypto API. Plain text never touches a network request.

Burn After Reading

Ensure a secret is only viewed once. The moment the recipient decrypts the payload, it is instantly and permanently wiped from the database.

2FA Key Wrapping

Add a password to your links. We use PBKDF2 to derive a wrapping key, ensuring even intercepted URLs cannot be decrypted without the PIN.

Granular TTL Expiry

Set strict Time-To-Live limits ranging from 24 hours to 60 days. Automated CRON jobs scrub expired ciphertexts at the database level.

Instant .env Parsing

Drag and drop raw `.env` files. Our client-side FileReader extracts and renders the keys into a beautiful, masked IDE-style UI for the receiver.

Tamper Detection

Powered by the Galois/Counter Mode (GCM). If a single byte of the encrypted payload is altered in transit, decryption mathematically fails.

Secure Transfer

How to securely share environment variables.

1

Upload your .env file

Paste your raw variables into the client-side secure editor. The plain text remains strictly in your browser memory.

2

Generate a Zero-Knowledge Link

The data is encrypted locally using AES-256-GCM. The vital decryption key is generated exclusively as a URL hash fragment.

3

Share the Link

Send the link to your colleague. Their browser parses the hash fragment and decrypts the payload locally, rendering the secret variables.

Ecosystem Compatibility

Node.js
Docker
Python
React/Next.js
Vercel

The Stack

No black boxes. Pure cryptographic math.

We believe security tools should be transparent. EnvGuard is built on a vanilla web stack prioritizing speed, removing third-party dependencies, and leveraging the immense power of modern browser APIs.

  • Web Crypto API (AES-256-GCM)
  • Vercel Edge Serverless Functions
  • Supabase Postgres (RLS Enforced)
  • Pure HTML/JS DOM Manipulation
View detailed architecture arrow_right_alt

1. Browser Sandbox

Plain Text → Ciphertext + Key

Ciphertext

Sent to Supabase

Decryption Key

Stays in URL Hash

Transparent Pricing

Security shouldn't be a premium feature.

Current Plan

Public Cloud

$0 / forever

Everything you need to share secrets securely. Hosted on our Vercel/Supabase infrastructure.

  • Unlimited Encryptions
  • Burn After Reading
  • Max 50KB Payload Size
  • Up to 60 Days TTL
Start Sharing

Self-Hosted

Free / open-source

Own your infrastructure. Fork the repository and deploy EnvGuard entirely on your own domain and database.

  • 100% Open Source Code
  • Bring Your Own Supabase
  • Custom TTL Limits
  • Full Audit Control
View Source on GitHub

Frequently Asked Questions

Can EnvGuard read my environment variables?
No. EnvGuard uses a zero-knowledge architecture. Your data is encrypted entirely within your browser using the native Web Crypto API (AES-256-GCM). We only receive and store the resulting encrypted ciphertext.
Where is the decryption key stored?
The decryption key is generated locally and appended to the final URL strictly as a hash fragment. Modern web browsers are designed to never send hash fragments to the server, ensuring we mathematically cannot decrypt your data.
What happens when a link expires?
We utilize PostgreSQL CRON jobs on our database to run automated sweeps. The exact moment a ciphertext passes its Time-To-Live (TTL), or is accessed if "Burn After Reading" is enabled, the row is permanently deleted from our database.
How does the 2FA Password work?
If you apply a password, we generate a random salt and use PBKDF2 to derive a "wrapping key" from your password. This wrapper encrypts the main decryption key. The recipient must enter the correct password to unwrap the key before the ciphertext can be decrypted.

Built to solve real developer friction.

EnvGuard was architected and built by a full-stack developer based in India, driven by a simple frustration: passing sensitive deployment credentials across development teams was inherently unsafe.

Relying on chat platforms or email to transmit STRIPE_KEYS or DATABASE_URLS leaves permanent footprints on third-party servers. EnvGuard was created to eliminate that footprint entirely.

Project Architect
Dippan Bhusal

Secure your environment today.

No signups. No credit cards. Just pure, mathematically sound client-side encryption.

Create Secure Link

Privacy & Analytics

We use standard analytics to monitor site performance. However, all cryptographic operations remain 100% client-side. Your secrets are never tracked or transmitted.

Read Policy