Every developer has done it. Pasted an API key in Slack. Emailed a .env file to a teammate. Dropped database credentials in a Discord DM. It works, but that Stripe key you shared six months ago is still sitting in plaintext in someone's chat history.
Most "secret sharing" tools out there either need everyone to install something and create an account, or the server can still read your data. I wanted something where the server is blind by design and sharing a secret takes a few seconds with no signup. That's why I built EnvDrop.
![]()
How it works
Your browser encrypts everything before it leaves your machine. The server only ever stores encrypted noise.
Encrypt in your browser. Your browser generates a random AES-256-GCM key and encrypts the secret client-side using the Web Crypto API.
The key stays in the URL. The encryption key goes into the URL fragment (the part after #). Browsers never send fragments over HTTP, so the server never sees the key.
Recipient decrypts locally. When someone opens the link, their browser fetches the encrypted blob and decrypts it using the key from the URL.
You EnvDrop Server Recipient
│ │ │
├─ Encrypt in browser ──────► │ │
│ (AES-256-GCM) │ │
│ ├─ Store encrypted blob │
│ │ (zero knowledge) │
├─ Get share link ◄───────── │ │
│ (key lives in URL fragment) │ │
│ │ │
├─ Send link to recipient ──────────────────────────────────► │
│ │ │
│ │ ◄── Fetch encrypted blob ──┤
│ │ │
│ │ Decrypt in browser ────┤
│ │ (AES-256-GCM) │What you can do with it
Drag and drop a .env file (or any sensitive file up to 200KB) and the entire thing gets encrypted client-side. The recipient opens the link and gets the decrypted contents right in their browser, ready to copy or download.
You can add an optional password as a second layer. The password never goes to the server. It's used as extra key material via PBKDF2 to derive a wrapping key that encrypts the master key.
The security model
Zero-Knowledge Architecture
Even if the server gets compromised, an attacker gets nothing but encrypted noise. The decryption key only exists in the share link's URL fragment, which never touches the server.
- Encryption and decryption happen exclusively in the browser using the Web Crypto API
- The server stores only encrypted ciphertext and has no way to decrypt it
- Burn-after-read deletion is triggered client-side after successful decryption, so a page reload won't destroy the secret before it's actually been read
- All API endpoints are rate-limited per IP using Upstash Ratelimit
The encryption engine behind this is @redenv/e2ee, a standalone zero-knowledge encryption library I built and open sourced separately.
The road ahead
- CLI Tool:
npx envdrop push .envto encrypt and share directly from the terminal. Developers live in the terminal, so EnvDrop should too. - Team Spaces: Shared encrypted vaults with role-based access and audit logs for teams that need to manage secrets together.
- Slack & Discord Bots:
/envdrop shareright inside your team chat. - API Access: A REST API for CI/CD pipelines to rotate and share credentials programmatically.
