Stop Slacking your secrets.

Share .env files using the access list you already have — your GitHub repo collaborators.

$ curl -fsSL https://boltenv.dev/install.sh | sh
$ boltenv push
Reading .env · 12 variables found
Deriving key · HKDF-SHA256 · 12-byte IV
Encrypting · AES-256-GCM...
Pushed · acme/api:production · v4
teammate pulls
$ boltenv pull
Fetching · acme/api:production...
Decrypting · AES-256-GCM...
Synced · .env · 12 vars · 0 conflicts

What is boltenv?

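boltenv is a CLI tool that lets developer teams share .env files securely. Every push encrypts locally with AES-256-GCM before leaving your machine, so the server stores only ciphertext of your secrets. In the default mode the server also holds the master key, wrapped under a server-side key and released only to users with repo write access; with --client-key-only the key never leaves your machine and the server cannot read your secrets.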

Who is it for?

Small to medium engineering teams already using GitHub who want encrypted secret sharing without the complexity of Doppler, Vault, or Infisical. If you're sharing .env files over Slack, boltenv is for you.

Why GitHub?

You already decided who's on your team when you added them to GitHub. boltenv uses repo write access as the access control list — no second permissions system to manage. Remove someone from GitHub, they immediately lose access.

Three commands. That's it.

No dashboards. No config files. No infrastructure. Just your terminal.

01. Login with GitHub

One-time OAuth Device Flow. No passwords, no new accounts.

$ boltenv login
✓ Logged in as anasahmad

02. Push your .env

Encrypted locally with AES-256-GCM. Server stores ciphertext only.

$ boltenv push
⚡ .env → acme/api:production v1

03. Teammates pull

GitHub permissions gate the key. No paste, no Slack, no infra.

$ boltenv pull
✓ .env ← acme/api:production (12 vars)

Ciphertext only. We never see your values.

Real AES-256-GCM runs in your browser — type anything and watch it encrypt live.

12-byte random IV per encryption
128-bit GCM authentication tag

HKDF-SHA256 key derivation · same primitives as Signal & 1Password

Built for developers. Not enterprise dashboards.

GitHub permissions = your ACL

Server checks GitHub repo write access on every push and pull. Remove a teammate from the repo, they immediately lose env access.

Branch-aware sync

Auto-maps branches to environments. Configurable in .boltenv.yaml with wildcard patterns like release/*.

Three-way merge

Concurrent pushes get auto-merged when keys don't collide. Real conflicts get git-style markers your editor already understands.

Works everywhere

Local dev, Docker, CI/CD, headless VPS. Set BOLTENV_TOKEN to any GitHub PAT and the same flow works in any pipeline.

AES-256-GCM encryption

Encrypted on your machine with HKDF-SHA256-derived keys. Server stores ciphertext only.

Version history

Every push is a versioned snapshot. Roll back with --revision N. 50 per environment, free forever.

How it stacks up.

Setup time

boltenv: 60 seconds
dotenv: Hours
Vault: Hours

Access control

boltenv: GitHub permissions
dotenv: Manual
Vault: Custom ACL

Encryption

boltenv: AES-256-GCM (client-side)
dotenv: None
Vault: Server-side

Conflict resolution

boltenv: Three-way merge
dotenv: None
Vault: Last-write-wins

Versioning

boltenv: 50 per env
dotenv: None
Vault: Varies

Infrastructure

boltenv: Zero
dotenv: Zero
Vault: Self-host or SaaS

Team sync

boltenv: One command
dotenv: Copy-paste
Vault: Dashboard

CI/CD

boltenv: GitHub PAT only
dotenv: Manual .env
Vault: API token

Free for small teams. Pay when you grow.

No credit card required. Start free and upgrade when your team needs more.

Free

$0

forever

For indie devs and side projects.

  • Up to 3 users
  • 5 repositories
  • 10 versions per environment
  • AES-256-GCM encryption
  • GitHub OAuth
  • Multi-file sync
  • Branch-based environments

Team

$8 / user / mo

$6 / user with annual billing

For teams that ship together. $24 / mo minimum.

  • Unlimited users
  • Unlimited repositories
  • 50 versions per environment
  • Unlimited pushes & pulls
  • TTL-based expiration
  • Audit log
  • Priority support

No credit card required · Cancel anytime · Billed monthly

Questions.

Everything you need to know about boltenv. Can't find what you're looking for? Read the docs.

Security
How does access control actually work?

On every push and pull, the server calls GET /repos/{repo} with your GitHub token and reads permissions.push. If you don't have write access, the request is rejected before any data moves. Add a teammate to the GitHub repo, they can pull. Remove them, they can't.
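A fail-closed version of the permissions.push gate described above, as an added example (not boltenv's server code). The function name, the result shape, the full_name cross-check and the sample responses are assumptions made for illustration.

```javascript
// Added example, not boltenv's server code. `status` and `body` are the HTTP
// status and parsed JSON of GET /repos/{owner}/{repo} made with the caller's token.
function canAccessEnv(requestedRepo, status, body) {
  const deny = (reason) => ({ allow: false, reason });
  // Anything but a clean 200 denies: 401/403, rate limits, 5xx, and the 404
  // GitHub returns for private repos the token cannot see.
  if (status !== 200 || body === null || typeof body !== 'object') {
    return deny(`github status ${status}`);
  }
  // Assumed hardening: a renamed repo can be served via redirect, so confirm
  // the response describes the repo whose environment is being requested.
  if (typeof body.full_name !== 'string' ||
      body.full_name.toLowerCase() !== requestedRepo.toLowerCase()) {
    return deny('repo mismatch');
  }
  const perms = body.permissions;
  // Missing permissions object: deny rather than assume.
  if (perms === null || typeof perms !== 'object') return deny('no permissions field');
  // Strict boolean check: "true", 1 or an absent key must not grant access.
  if (perms.push !== true) return deny('no write access');
  return { allow: true, reason: 'permissions.push' };
}

// Constructed sample responses (not captured from GitHub).
const SAMPLES = [
  [200, { full_name: 'acme/api', permissions: { admin: false, push: true, pull: true } }],
  [200, { full_name: 'acme/api', permissions: { admin: false, push: false, pull: true } }],
  [404, { message: 'Not Found' }],
];
for (const [status, body] of SAMPLES) {
  console.log(status, canAccessEnv('acme/api', status, body));
}
```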

Where do encryption keys live?

By default, the master key is encrypted on the server with a KMS-style wrapping key (BOLTENV_KEY_WRAPPER) and gated by GitHub repo permission. Teammates pull → server unwraps → key arrives over TLS, no manual sharing. Run with --client-key-only if you want the key to never leave your machine.

Is the encryption itself secure?

AES-256-GCM with HKDF-SHA256 key derivation, 12-byte random IV per push, 16-byte auth tag. Same primitives as Signal, 1Password, AWS Secrets Manager. Encryption happens on YOUR machine — the server only ever sees ciphertext.
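The primitives named above, wired together with Node's built-in crypto module as an added example (not boltenv's implementation). The envelope layout iv || tag || ciphertext, the empty HKDF salt, and the use of the repo:environment string as HKDF info and GCM associated data are assumptions.

```javascript
const { hkdfSync, createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// HKDF-SHA256 -> 32-byte AES-256 key. Assumption: `scope` (e.g. "acme/api:production")
// is the HKDF info input, so each repo/environment gets its own key.
function deriveKey(masterKey, scope) {
  return Buffer.from(hkdfSync('sha256', masterKey, Buffer.alloc(0), Buffer.from(scope), 32));
}

// Returns iv(12) || tag(16) || ciphertext. The layout is assumed for this example.
function sealEnv(masterKey, scope, plaintext) {
  const iv = randomBytes(12); // fresh random IV for every encryption
  const cipher = createCipheriv('aes-256-gcm', deriveKey(masterKey, scope), iv);
  cipher.setAAD(Buffer.from(scope)); // bind the ciphertext to its environment
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Throws if the envelope was modified or belongs to another scope or key.
function openEnv(masterKey, scope, envelope) {
  if (envelope.length < 28) throw new Error('envelope too short');
  const key = deriveKey(masterKey, scope);
  const decipher = createDecipheriv('aes-256-gcm', key, envelope.subarray(0, 12),
    { authTagLength: 16 });
  decipher.setAAD(Buffer.from(scope));
  decipher.setAuthTag(envelope.subarray(12, 28));
  // final() verifies the 16-byte tag; no plaintext is returned on failure.
  return Buffer.concat([decipher.update(envelope.subarray(28)), decipher.final()])
    .toString('utf8');
}

// Convenience wrapper: null instead of an exception on authentication failure.
function tryOpenEnv(masterKey, scope, envelope) {
  try {
    return openEnv(masterKey, scope, envelope);
  } catch {
    return null;
  }
}
```

Flipping any byte of the envelope, or opening it under a different scope, makes tryOpenEnv return null: the GCM tag is what turns the ciphertext the server stores into tamper-evident data.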

Workflow
What happens if my teammate and I push at the same time?

boltenv runs a three-way merge against the common ancestor. Keys touched on only one side auto-merge. Keys with real conflicts get git-style markers in your .env file — VS Code, Cursor, and JetBrains all recognize them natively.
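A key-level three-way merge of the kind described above, as an added example (not boltenv's merge code). The function names, the "ours"/"theirs" marker labels, the sorted output order, and treating delete-versus-modify as a conflict are assumptions.

```javascript
// Parse KEY=VALUE lines into a Map; blank lines and # comments are skipped.
function parseEnv(text) {
  const vars = new Map();
  for (const line of text.split('\n')) {
    const t = line.trim();
    if (!t || t.startsWith('#')) continue;
    const i = t.indexOf('=');
    if (i > 0) vars.set(t.slice(0, i), t.slice(i + 1));
  }
  return vars;
}

// Merge `ours` and `theirs` against their common ancestor `base`.
// Simplification: output keys are sorted and comments are not preserved.
function mergeEnv(baseText, oursText, theirsText) {
  const [base, ours, theirs] = [baseText, oursText, theirsText].map(parseEnv);
  const keys = [...new Set([...base.keys(), ...ours.keys(), ...theirs.keys()])].sort();
  const out = [];
  const conflicts = [];
  const line = (k, v) => (v === undefined ? [] : [`${k}=${v}`]); // undefined = deleted
  for (const k of keys) {
    const b = base.get(k), o = ours.get(k), t = theirs.get(k);
    let winner;
    if (o === t) winner = o;        // untouched, or the same change on both sides
    else if (o === b) winner = t;   // only their side touched the key
    else if (t === b) winner = o;   // only our side touched the key
    else {                          // both sides changed it differently
      conflicts.push(k);
      out.push('<<<<<<< ours', ...line(k, o), '=======', ...line(k, t), '>>>>>>> theirs');
      continue;
    }
    out.push(...line(k, winner));
  }
  return { text: out.join('\n') + '\n', conflicts };
}
```

A non-empty conflicts list is the signal to stop before anything loads the file: a .env containing marker lines should not reach an application as configuration.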

Can I use boltenv in CI/CD?

Yes. Set BOLTENV_TOKEN to any GitHub PAT (or secrets.GITHUB_TOKEN in Actions) with repo scope. Set BOLTENV_REPO if there's no .git in the runner. The server checks the token's repo permission and releases the key — same flow as your laptop.

How does branch mapping work?

boltenv reads your current git branch and maps it to an environment. Defaults: main → production, staging → staging, develop → development. Customize with wildcard patterns in .boltenv.yaml (e.g., release/* → staging) or override with --env.

General
What if I lose my laptop?

Your local key cache at ~/.boltenv/keys/ is gone, but the server has it. Login on a new machine, run 'boltenv pull', and the key auto-fetches. If you used --client-key-only, you'll need a teammate to re-export their copy of the key.

Can I self-host boltenv?

Not today. Cloud-only. If you need on-prem secrets management, use HashiCorp Vault or Infisical. boltenv is built for small teams who want managed simplicity without the Doppler price tag.

What does the threat model NOT defend against?

Full server compromise (attacker with both database and BOLTENV_KEY_WRAPPER env var would be able to decrypt stored keys), supply-chain attacks against the npm package, and malicious-but-authorized teammates. See SECURITY.md for the full breakdown.

Your team's secrets, under control.

Free to start. No infrastructure. No dashboard. Just boltenv push.

free tier  ·  no credit card  ·  setup in 60 seconds

boltenv — Encrypted .env Management for Developer Teams