Documentation

Everything you need to seal your secrets

EnvSync keeps your .env files encrypted, organized, and out of Slack. This guide walks you through setup, the zero-knowledge model, and every core feature.

Overview

What is EnvSync?

EnvSync is a zero-knowledge vault for managing environment variables. It solves the everyday pain of keeping .env secrets organized across projects and teammates — without ever pasting them into Slack, email, or a shared doc.

Zero-knowledge by design

Variables are encrypted on your device with AES-256-GCM before they ever leave it. Our servers only ever store ciphertext.

Organized by project

Group secrets by project and team so the right keys are always one click away — never scattered across files.

Built for teams

Share projects with role-based access (Owner, Admin, Member, Viewer) and onboard collaborators in seconds.

Full audit trail

Every change is versioned. Review history and roll back to a previous value whenever you need to.

Setup

Getting Started

You can secure your first project in under two minutes. The web app does everything — no setup required.

  1. 1

    Create your account

    Sign in with Google or an email magic link from the sign-in page. The Free plan needs no card and includes your first project.

  2. 2

    Create a project

    From the dashboard, click New Project and give it a name (for example, my-app — production).

  3. 3

    Add your variables

    Paste an existing .env file with Upload .env, or add keys one at a time. Everything is encrypted in your browser before it's saved.

  4. 4

    Invite your team

    Share a project and scope each teammate's access by role — Owner, Admin, Member, or Viewer. No plaintext ever changes hands.

.env.local
1DATABASE_URL=mongodb://localhost/app
2API_KEY=sk_live_••••••••
3JWT_SECRET=super_secret_value
Upload & go

Drag in your existing .env and EnvSync parses every key and encrypts it locally — only ciphertext is ever stored, with no reformatting needed.

Architecture

How It Works

EnvSync follows a strict zero-knowledge model. Plaintext secrets never touch the network or our database.

1

Encrypt locally

Your variables are encrypted with AES-256-GCM in the browser using a key only you hold.

2

Store as ciphertext

Only encrypted ciphertext is sent to EnvSync. Your plaintext secrets never touch the network or our database.

3

Decrypt on access

Variables are decrypted locally in your browser with a key only you hold — our servers can never read them.

Why zero-knowledge matters: because we never receive your encryption key, a breach of EnvSync's servers would only expose unreadable ciphertext. For team projects, keys are wrapped per-member so access can be granted and revoked without re-sharing the underlying secret.

Capabilities

Core Features

Everything EnvSync does, organized by what you'll reach for day to day.

Project organization

Group secrets by project or client. Each project keeps its own isolated, encrypted set of variables.

Team collaboration

Invite members by email and assign roles — Owner, Admin, Member, or Viewer — for fine-grained access control.

Version history & rollback

Every edit is recorded with a timestamp and author. Roll any variable back to a previous value in one click.

Instant .env import

Drop a .env file and every key is parsed and encrypted in your browser — then export a project's variables whenever you need them.

Plans & limits

Configuration

Pick the plan that matches your team size. Limits are enforced per project.

PlanProjectsVars / projectHistory
Free1507 days
Solo Developer51,00030 days
Team100UnlimitedUnlimited

Need a different setup? Compare plans on the pricing page or upgrade anytime from your dashboard.

Questions

FAQ

Can EnvSync see my secrets?

No. Variables are encrypted on your device with AES-256-GCM before they're sent. We only ever store ciphertext — we never receive your encryption key.

Where are my secrets stored?

Encrypted in our database as ciphertext only. Because encryption happens in your browser, what we hold is unreadable without your key.

How does team sharing stay secure?

Project keys are wrapped per member, so you can grant or revoke access to individual teammates without re-sharing or rotating the underlying secret.

Can I import an existing .env file?

Yes. Drop or paste a .env file and EnvSync parses every key and encrypts it in your browser before saving. You can export a project's variables at any time too.

Which platforms are supported?

EnvSync runs entirely in the browser, so it works anywhere with a modern browser — Windows, macOS, or Linux.

Ready to stop sharing secrets in Slack?

Create a free account and secure your first project in under two minutes.

Documentation | EnvSync