envshare

Share secrets securely

End-to-end encrypted .env sharing with automatic expiration. Your secrets never touch our servers unencrypted.

Browser extensions can read this page. Use ⌘+Shift+N for a private window.

Frequently Asked Questions

How does this work?

Your secret is encrypted in your browser using AES-256-GCM before it ever leaves your device. The encryption key is split into two parts: a random component (in the link) and a password-derived component (the passphrase). The server only stores the encrypted blob and cannot decrypt it.

Can you read my secrets?

No. The server never sees your plaintext secret, the encryption key, or the passphrase. We only store encrypted data. Even if our database is compromised, attackers get meaningless ciphertext.

Why do I need both a link AND a passphrase?

Defense in depth. If someone intercepts just the link (e.g., from your email), they still can't decrypt without the passphrase. Send them through different channels (e.g., link via Slack, passphrase via Signal).

What happens after someone views my secret?

It's permanently deleted from our servers. The "burn-on-read" happens atomically—there's no window where two people could read it.

What if someone enters the wrong passphrase?

After 3 failed attempts, the secret is automatically destroyed. This prevents brute-force attacks.

What encryption do you use?

AES-256-GCM (authenticated encryption) with PBKDF2-SHA256 key derivation using 600,000 iterations. Random values are generated using the Web Crypto API.

Can browser extensions see my secrets?

Yes—any extension with broad permissions can read page content. For maximum security, use a private/incognito window with extensions disabled.

What about Slack/Discord link previews?

Link preview bots cannot decrypt secrets: they don't have the passphrase, and the "Click to Decrypt" button stops automated access. Even if they clicked, they'd burn the secret.

Is the code open source?

Yes. View it at github.com/mrmps/safe-env. The code is intentionally simple so you can audit it yourself.

Why is the key in the URL fragment (#)?

URL fragments are never sent to the server; this is part of the browser specification. This means even our server logs can't capture the decryption key.
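
The scheme described under "How does this work?", "What encryption do you use?" and the answer above, as an added sketch that is not code from envshare or its repository: it encrypts with AES-256-GCM under a key that needs both the link fragment and the passphrase, and shows which part of the link a request exposes. This page does not say how the two key components are combined or how the blob is laid out, so the XOR combiner, the salt and IV sizes, the hex encoding, the field names and the share.example link are assumptions.

```javascript
// Added sketch, not envshare's code. Assumptions: XOR combiner, salt/IV sizes,
// hex encoding, blob field names, and the share.example link format.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // Web Crypto API
const ITERATIONS = 600000; // PBKDF2-SHA256 count stated in the FAQ
const hex = (bytes) => [...bytes].map((b) => b.toString(16).padStart(2, '0')).join('');
const unhex = (s) => Uint8Array.from(s.match(/../g), (h) => parseInt(h, 16));

// Combine the random link component with the passphrase-derived component.
async function deriveKey(linkKey, passphrase, salt) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveBits']);
  const pwKey = new Uint8Array(await wc.subtle.deriveBits(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS }, material, 256));
  const combined = linkKey.map((b, i) => b ^ pwKey[i]); // needs both halves
  return wc.subtle.importKey('raw', combined, 'AES-GCM', false, ['encrypt', 'decrypt']);
}

// Sender side: returns the blob to upload and the link to share.
async function sealSecret(plaintext, passphrase) {
  const linkKey = wc.getRandomValues(new Uint8Array(32));
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(linkKey, passphrase, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext)));
  return {
    blob: { salt: hex(salt), iv: hex(iv), ct: hex(ct) }, // all the server stores
    link: `https://share.example/s/demo-id#${hex(linkKey)}`, // key only after '#'
  };
}

// Recipient side: GCM authentication rejects a wrong passphrase or link key.
async function openSecret(blob, link, passphrase) {
  const linkKey = unhex(new URL(link).hash.slice(1));
  const key = await deriveKey(linkKey, passphrase, unhex(blob.salt));
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: unhex(blob.iv) }, key, unhex(blob.ct));
  return new TextDecoder().decode(pt);
}

// The part of the link an HTTP request carries; the fragment is not in it.
function requestTarget(link) {
  const u = new URL(link);
  return u.origin + u.pathname + u.search;
}
```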

What's the maximum secret size?

512 KB of encrypted data. For larger files, use a file sharing service and share the password via envshare.

How long do secrets last?

You choose: 5 minutes, 30 minutes, 1 hour, 6 hours, or 24 hours. After expiration, the secret is automatically deleted even if never viewed.