~/envtools
.env · security🔥 popular

ENV Encrypt

Encrypt a .env with a passphrase before sharing. Uses AES-GCM via WebCrypto — keys never leave your browser.

Be the first to rate
# click Encrypt to produce output
AES-256-GCM · PBKDF2 210,000 iterations · runs in your browser

What it does

  • AES-256-GCM via the browser's WebCrypto API
  • PBKDF2 key derivation (210,000 iterations)
  • Random salt + IV per encryption — no reuse
  • Passphrase never leaves your browser
  • Copy encrypted blob → paste anywhere

Privacy

Runs 100% in your browser. Your .env never touches our servers.

client-side only

Usage examples

Encrypt
DB_PASSWORD=s3cret
API_KEY=xxxxx

passphrase: correct horse battery staple
ENVTOOLS:v1:base64url(salt.iv.ciphertext)
# Share this blob + passphrase via separate channels
Decrypt (reverse)
ENVTOOLS:v1:abc...
passphrase: correct horse battery staple
DB_PASSWORD=s3cret
API_KEY=xxxxx

When to use this tool

  • Sharing a .env with a teammate over Slack / email / ticket
  • Storing an .env in a shared password manager without leaking plain values
  • Emailing a one-time .env to a contractor safely
  • Transferring a .env between devices over a public network

Common mistakes

  • Using a weak passphrase — AES-256 is strong, but brute force on a 6-char password is trivial
  • Sending the passphrase in the same channel as the ciphertext (defeats the purpose)
  • Reusing the same passphrase across projects — if one leaks, all leak
  • Trusting the encrypted blob to stay private in logs — CI/CD stdout captures everything

ENV Encrypt — share .env files safely with a passphrase

Need to send an .env to a teammate but don't have a proper secret manager set up? This tool encrypts the file with AES-256-GCM using a passphrase you choose. The encryption happens in your browser via the WebCrypto API — the passphrase, ciphertext, and plaintext never leave your machine.

How it works

  1. You paste a .env and type a passphrase.
  2. Browser derives a 256-bit key from the passphrase using PBKDF2 with 210,000 iterations (OWASP 2024 recommendation for SHA-256).
  3. A random 16-byte salt and 12-byte IV are generated per encryption. The same input produces different ciphertext each time.
  4. AES-GCM encrypts and authenticates the content. Tampering is detectable — a modified ciphertext fails to decrypt rather than returning corrupted data.
  5. Output format: ENVTOOLS:v1:{base64url(salt + iv + ciphertext)}

Important — this is not a secret manager

This tool is for transport-layer secrecy — sending a file through an untrusted channel once. For persistent, multi-team secret management, use Doppler, Infisical, or AWS Secrets Manager. They rotate, audit, and scope access in ways a passphrase never will.

Related tools

ENV Leak Checker
Detect leaked secrets in seconds
Secret Generator
Crypto-strong random secrets
.env.example Generator
Safe .env.example in one click

Learn more

guide · 8 min
10 .env best practices every team should follow
Battle-tested rules for .env files: what to commit, what to rotate, how to structure secrets across dev, staging, and production, and the common mistakes that cause outages.
guide · 5 min
How to hide .env from git (and recover if you already committed it)
Step-by-step: keep .env out of git from day one, and what to do when a secret leaks into your commit history. Includes rotation checklist.
coming soon

Get notified when env syncing launches

We're building a tiny tool to keep .env files in sync across teammates and environments. Leave your email — no spam, just a single launch ping.