Stop Slacking your secrets. Use GitHub instead.
Source: Dev.to
The .env Problem
Three months ago a friend of mine onboarded a contractor.
He DM’d him the .env. Standard practice. Two days later the contractor pushed a debug log to a public repo with one of the keys still in it.
- They rotated. Customers didn’t notice.
- But that file is still in his Slack archive.
- It’s still in the contractor’s Slack archive.
- It’s still cached on two computers.
- It will still be there in five years.
That’s the .env problem. Most teams “solve” it the same way:
| Method | Issue |
|---|---|
| Slack DM (plaintext forever, in two chat archives) | Leaks secrets |
| Notion page (anyone who can read the page can read prod) | Leaks secrets |
| 1Password vault item (works, but now you have a second ACL to maintain) | Extra ACL overhead |
| .env.example with fake values (drifts in 48 hours) | Stale data |
| “I’ll send it to you on Signal” (still plaintext on two phones) | Leaks secrets |
I tried the existing tools:
- Doppler – great for 50‑person teams with a budget ($21/user/mo + sales call).
- Infisical – open‑source but feels Kubernetes‑shaped, built for DevOps teams.
- dotenvx – clever encryption‑in‑git story, but you still have to share the encryption key out‑of‑band, and there’s no team‑revocation story.
What I Actually Wanted
- Zero new accounts, zero new ACLs.
- If GitHub already says you can push to the repo, you should be able to pull the env.
So I built boltenv.
- Revoke a teammate’s GitHub access → they lose env access. Done.
- GitHub repo permissions are the access list. No parallel user system to keep in sync.
Quick Start
Push your .env (encrypted on your machine, only ciphertext leaves):

```shell
npm i -g @boltenv.dev/cli
boltenv push
# ⚡ .env → org/app:development v1 (12 vars, permanent)
```

Teammate pulls it:

```shell
boltenv pull
# ⚡ .env ← org/app:development (12 vars)
```

That’s it. No invites. No ACL panel. No “create a project.”
The first push generates an AES‑256 key locally. The server only ever sees ciphertext. You share the key with your teammate once via a secure channel:
```shell
# You
boltenv key export
# → dGhpcyBpcyBhIDMyIGJ5dGUga2V5...

# Teammate
boltenv key import dGhpcyBpcyBhIDMyIGJ5dGUga2V5...
```

After that, the teammate just runs boltenv pull from any machine. They authenticate to GitHub once via Device Flow — same UX as gh auth login.
Security Details (Three Independent Layers)
| Layer | Description |
|---|---|
| GitHub Permission Check | Server calls GET https://api.github.com/repos/{owner}/{repo} with the user’s GitHub token. If permissions.push is false or the token is missing, the request is rejected before any data moves. |
| AES‑256‑GCM (NIST standard) | • Key derivation: HKDF‑SHA256 (separate sub‑keys for encryption & HMAC) • IV: 12 bytes, random per push • Auth tag: 16 bytes (tamper detection) |
| Key Management | Master key never leaves the laptop. Stored at ~/.boltenv/keys/{owner}/{repo}.key with mode 0600. Server stores ciphertext + a 16‑char key fingerprint to catch mismatched keys early. |
Environment Mapping
| Branch | Environment |
|---|---|
| main, master | production |
| staging | staging |
| develop | development |
| anything else | development |
The branch you’re on determines what you push/pull. Override with -e production if needed. No confusing “environment dropdown” foot‑gun.
Revoking Access – The Real‑World Scenario
| Today | With boltenv |
|---|---|
| ✅ Remove user from GitHub | ✅ Remove user from GitHub → they can’t pull any more envs |
| ❌ Remove them from Doppler/Infisical/Vault (manual, often forgotten) | ❌ No extra platform to clean up |
| ❌ Rotate every secret they had access to (rarely happens) | ❌ No automatic rotation (you can rotate manually) |
| ❌ Their .env files in ~/projects/* become museum pieces of your prod stack | ❌ Their cached .env stays on disk (no tool can fix that), but they can’t get a fresh one or push poison |
This isn’t a perfect security model – it’s pragmatic for small teams. If you need HIPAA‑level compliance, use Vault. If you’re five people shipping a SaaS, this is the right level of control.
Comparison Table
| Tool | Per‑user cost | New accounts? | Encryption | ACL source |
|---|---|---|---|---|
| Slack DMs | Free | None | None | “I trust you” |
| dotenvx | Free | None | AES‑256 in git | Manual key sharing |
| Doppler | $21/mo | Yes | Server‑managed | Doppler users |
| Infisical | $8/mo | Yes | Server‑managed | Infisical users |
| 1Password Dev | $7.99/mo bundled | Yes | 1P‑managed | 1Password users |
| boltenv | Free ≤ 3, then $4/mo | None | Client‑side AES‑256‑GCM | GitHub repo permissions |
Using boltenv in CI/CD (GitHub Actions)
```yaml
- name: Pull env
  env:
    BOLTENV_TOKEN: ${{ secrets.GITHUB_TOKEN }} # any PAT with repo scope
    BOLTENV_KEY: ${{ secrets.BOLTENV_KEY }} # base64 master key
  run: |
    npm i -g @boltenv.dev/cli
    boltenv pull -e production -y
```

- BOLTENV_TOKEN works with secrets.GITHUB_TOKEN in GitHub Actions.
- BOLTENV_KEY is the master key, stored as a single repo secret.
- The binary (boltenv) is the SDK.
Minimal local usage
```shell
export BOLTENV_TOKEN=$GITHUB_TOKEN # any PAT with repo scope
export BOLTENV_KEY=
boltenv pull -y
```

Multiple .env Files
Most real projects have more than one env file (.env.backend, .env.frontend, .env.workers). boltenv discovers them automatically:
```shell
$ boltenv push
⚡ Found 3 env files:
  .env.backend   18 vars
  .env.frontend   9 vars
  .env.workers    6 vars
3 files → org/app:development (permanent)
```

Pull preserves the layout. Save the file list to .boltenv.yaml and commit it — teammates pull the same set without configuration drift.
Scope & Limitations (Honest Disclosure)
- No org‑level RBAC – repo permissions are the rules.
- No automated key rotation – rotating means everyone re‑imports.
- No HSM, no compliance certifications – pre‑SOC2 product.
- No native Coolify / Railway / Vercel sync yet – on the roadmap.
  Today you can do boltenv pull --stdout --format dotenv and paste, or run boltenv on the VPS itself with the env‑var auth above.
If any of those are deal‑breakers, boltenv isn’t for you – and that’s fine.
Install & Get Started
```shell
npm i -g @boltenv.dev/cli
cd your-project
boltenv push
```

Repository:
Website: boltenv.dev (replace with actual site if different)
License: FSL-1.1-MIT (free for everyone, including commercial use, with non‑compete)
I’d love to hear what breaks for you. Comment, file an issue, or DM me – I read every one.
If this saved you from one Slack‑DM’d .env, that’s the entire goal.