EnvDrop
82

EnvDrop

Zero-knowledge encrypted secret sharing for developers. Paste a secret or drop a .env file, everything encrypts in your browser. The server never sees it.

Mar 26, 2026, 11:37 AM

Every developer has done it. Pasted an API key in Slack. Emailed a .env file to a teammate. Dropped database credentials in a Discord DM. It works, but that Stripe key you shared six months ago is still sitting in plaintext in someone's chat history.

Most "secret sharing" tools out there either need everyone to install something and create an account, or the server can still read your data. I wanted something where the server is blind by design and sharing a secret takes a few seconds with no signup. That's why I built EnvDrop.

EnvDrop


How it works

Your browser encrypts everything before it leaves your machine. The server only ever stores encrypted noise.

Encrypt in your browser. Your browser generates a random AES-256-GCM key and encrypts the secret client-side using the Web Crypto API.

The key stays in the URL. The encryption key goes into the URL fragment (the part after #). Browsers never send fragments over HTTP, so the server never sees the key.

Recipient decrypts locally. When someone opens the link, their browser fetches the encrypted blob and decrypts it using the key from the URL.

You                          EnvDrop Server                    Recipient
 │                               │                               │
 ├─ Encrypt in browser ──────►   │                               │
 │  (AES-256-GCM)                │                               │
 │                               ├─ Store encrypted blob         │
 │                               │  (zero knowledge)             │
 ├─ Get share link ◄─────────    │                               │
 │  (key lives in URL fragment)  │                               │
 │                               │                               │
 ├─ Send link to recipient ──────────────────────────────────►   │
 │                               │                               │
 │                               │    ◄── Fetch encrypted blob ──┤
 │                               │                               │
 │                               │        Decrypt in browser ────┤
 │                               │        (AES-256-GCM)          │

What you can do with it

Paste any secret, an API key, a database password, a connection string, and get a secure link in seconds. No signup, no accounts.

You can also configure how the secret behaves:

  • Burn after read so it self-destructs after one view
  • Auto-expiry with options for 1 hour, 24 hours, or 3 days

Drag and drop a .env file (or any sensitive file up to 200KB) and the entire thing gets encrypted client-side. The recipient opens the link and gets the decrypted contents right in their browser, ready to copy or download.

You can add an optional password as a second layer. The password never goes to the server. It's used as extra key material via PBKDF2 to derive a wrapping key that encrypts the master key.


The security model

Zero-Knowledge Architecture

Even if the server gets compromised, an attacker gets nothing but encrypted noise. The decryption key only exists in the share link's URL fragment, which never touches the server.

  • Encryption and decryption happen exclusively in the browser using the Web Crypto API
  • The server stores only encrypted ciphertext and has no way to decrypt it
  • Burn-after-read deletion is triggered client-side after successful decryption, so a page reload won't destroy the secret before it's actually been read
  • All API endpoints are rate-limited per IP using Upstash Ratelimit

The encryption engine behind this is @redenv/e2ee, a standalone zero-knowledge encryption library I built and open sourced separately.


The road ahead

  • CLI Tool: npx envdrop push .env to encrypt and share directly from the terminal. Developers live in the terminal, so EnvDrop should too.
  • Team Spaces: Shared encrypted vaults with role-based access and audit logs for teams that need to manage secrets together.
  • Slack & Discord Bots: /envdrop share right inside your team chat.
  • API Access: A REST API for CI/CD pipelines to rotate and share credentials programmatically.