About
We're fixing how teams share secrets.
Sharing .env files over Slack is the single most common developer security mistake. boltenv makes the secure path the easy path.
The Problem
The .env leak epidemic.
Every year, hundreds of thousands of .env files are accidentally committed to public GitHub repositories. API keys, database credentials, payment processor secrets — all exposed to anyone who knows where to look.
But accidental git commits are only part of the problem. The bigger issue is how teams share secrets day to day: Slack DMs, email threads, shared Google Docs, Discord messages. These channels are not encrypted end-to-end, are not access-controlled, and leave a permanent paper trail of your most sensitive credentials.
When someone leaves the team, you can't revoke their access to a Slack message they already read. When a Slack workspace is breached, every secret shared there is exposed. When you need to rotate a key, there's no way to know who has the old one.
- 100k+ .env files leaked on GitHub annually (based on public GitHub search data and security research reports)
- 62% of data breaches involve credentials (IBM Cost of a Data Breach Report 2024)
- $4.88M average cost of a data breach (IBM Cost of a Data Breach Report 2024)
- < 60s to set up boltenv for your team (no infrastructure, no dashboard, just one CLI command)
Our Approach
The secure path should be the easy path.
Every existing solution to the .env problem requires you to choose between security and convenience. boltenv is designed so the two are the same thing.
Use what you already have
Your GitHub repository is already your source of truth for who's on the team. boltenv uses GitHub repo write access as the access control list for secrets — no new permissions system to manage, no new accounts to create.
Encrypt on your machine
Secrets are encrypted with AES-256-GCM before they leave your computer. The boltenv server stores only ciphertext — it is mathematically incapable of reading your secrets even if an attacker gains full database access.
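As an added illustration of what "the server stores only ciphertext" means (this is not boltenv's own code, and the function names are my own): the .env text is sealed client-side with AES-256-GCM, so the uploaded blob is nonce, ciphertext and tag only, and GCM's authentication rejects any blob altered in storage or opened with the wrong key. It assumes the 32-byte key never leaves the developer's machine; how boltenv distributes that key between teammates is not described on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample .env text; the values are placeholders, not real credentials.
const sampleEnv = "DATABASE_URL=postgres://app:placeholder@db.internal/app\nSTRIPE_KEY=sk_test_placeholder\n"

// gcmFor builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealEnv encrypts the .env text on the client and returns nonce || ciphertext || tag,
// the only bytes that would be uploaded. A fresh random nonce per push keeps one key
// safe to reuse; the key itself stays on the developer's machine (assumption).
func SealEnv(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // Seal appends to the nonce slice
}

// OpenEnv reverses SealEnv. Because GCM authenticates, a blob altered in storage or
// transit, or opened with the wrong key, returns an error and no plaintext at all.
func OpenEnv(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```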
Make it one command
boltenv push encrypts and uploads. boltenv pull downloads and decrypts. That's it. No web dashboard to navigate, no YAML to write, no infrastructure to provision. Works from your terminal exactly the way git does.
Access control that actually works
Remove a teammate from the GitHub repo and they immediately lose access to secrets — not on the next sync, not after a cache expires. The server checks GitHub permissions on every single push and pull.
Never see a conflict again
boltenv runs a three-way merge when two teammates push simultaneously. Non-conflicting changes auto-merge. Real conflicts get standard git-style markers that every editor already handles — no proprietary conflict UI to learn.
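An added example, not boltenv's own implementation, of the three-way merge described above: KEY=VALUE files are merged per key, a key changed on one side only auto-merges, and a key changed to different values on both sides is written between git-style conflict markers. Two simplifications are mine: a deleted key and an empty value are treated alike, and output keys are sorted rather than kept in file order.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// parseEnv maps KEY=VALUE lines to a map; # comments and lines without '=' are skipped.
func parseEnv(s string) map[string]string {
	m := map[string]string{}
	for _, l := range strings.Split(s, "\n") {
		if k, v, ok := strings.Cut(l, "="); ok && !strings.HasPrefix(l, "#") {
			m[k] = v
		}
	}
	return m
}

// MergeEnv three-way merges base/ours/theirs. A key changed on one side only takes
// that side's value; a key changed to different values on both sides is written
// between git-style conflict markers. The bool reports whether any conflict remains.
// Simplification: a missing key and an empty value are treated alike ("deleted").
func MergeEnv(base, ours, theirs string) (string, bool) {
	b, o, t := parseEnv(base), parseEnv(ours), parseEnv(theirs)
	seen, names := map[string]bool{}, []string{}
	for _, m := range []map[string]string{b, o, t} {
		for k := range m {
			if !seen[k] {
				seen[k], names = true, append(names, k)
			}
		}
	}
	sort.Strings(names) // deterministic output; keeping the file's own order is out of scope
	out, conflict := &strings.Builder{}, false
	for _, k := range names {
		bv, ov, tv := b[k], o[k], t[k]
		switch {
		case ov != bv && tv != bv && ov != tv: // both sides changed it, to different results
			conflict = true
			fmt.Fprintf(out, "<<<<<<< ours\n%s=%s\n=======\n%s=%s\n>>>>>>> theirs\n", k, ov, k, tv)
		case ov != bv && ov != "": // changed (not deleted) only on our side
			fmt.Fprintf(out, "%s=%s\n", k, ov)
		case ov == bv && tv != "": // untouched by us: keep theirs, which may equal base
			fmt.Fprintf(out, "%s=%s\n", k, tv)
		}
	}
	return out.String(), conflict
}
```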
Works everywhere git works
Local dev, Docker, GitHub Actions, GitLab CI, CircleCI, Kubernetes — if it can run a shell command and has a GitHub token, boltenv works there. No agent to install, no sidecar, no special runner.
Design Principles
What we believe.
Security should be invisible.
The best security is the kind developers don't have to think about. If using the secure path requires extra effort, developers will find the path of least resistance — and that path is usually Slack.
The server should be blind.
We designed boltenv so that a full compromise of our servers reveals nothing about your secrets. Ciphertext without the key is useless. This is a technical guarantee, not a policy promise.
GitHub is the right trust anchor.
You already decided who's on your team when you added them to GitHub. We use that decision — not a second, separate permissions system — to gate secret access.
CLI-first, always.
Developers live in the terminal. A web dashboard for secret management adds friction and a new attack surface. boltenv is intentionally CLI-only for the operations that matter.
Honest about limitations.
We publish our complete threat model including what boltenv does not protect against. No security tool covers everything, and we'd rather you know the gaps than discover them later.
Comparison
Why not just use Doppler?
Doppler, Infisical, HashiCorp Vault, and similar tools are excellent products built for different use cases. Here's how boltenv compares honestly.
boltenv
- ✓ Client-side AES-256-GCM encryption
- ✓ Zero new accounts — GitHub OAuth
- ✓ Access control via GitHub repo permissions
- ✓ Free for up to 3 users
- ✓ CLI-only — no web dashboard
- ✓ Three-way merge for concurrent pushes
- ✓ Works in any CI/CD with a GitHub PAT
Doppler
- · Server-side encryption (Doppler holds keys)
- · New account + dashboard required
- · Own IAM system (groups, roles)
- · Free for 1 user only
- · Web dashboard + CLI
- · No merge — last write wins
- · $10/user/month for teams
Infisical
- · Server-side or client-side (E2EE tier)
- · New account required
- · Own IAM system
- · Free for 5 users (limited features)
- · Web dashboard + CLI
- · No merge
- · Self-host option available
HashiCorp Vault
- · Server-side encryption
- · Complex setup required
- · Highly flexible ACL system
- · No free cloud tier
- · Self-hosted or HCP
- · Enterprise-grade but complex
- · Significant operational overhead
Ready to stop leaking secrets?
Free for small teams. Setup takes 60 seconds.