// encrypted environment storage

Your .env files
deserve a vault.

Not a Slack message. Not a shared Google Doc. A real encrypted store that your whole team can pull from.

plaintext
DATABASE_URL=postgres://prod:s3cret@db/app
STRIPE_KEY=sk_live_4eC39HqLyjW
JWT_SECRET=a7f3b2e9d1c8f4a6b0e5
REDIS_URL=redis://cache:6379/0
encrypted
4f8a2c1e9b3d7f6a...
e7c4b9f2a1d8e3c6...
2b8f5c3a7e1d9f4b...
9d1e7a4c2f8b3e6d...
AES-256-GCM · encrypted at rest
// workflow

Three commands. Zero config.

01

Create a project

Organize by project. Each holds its own set of environments—production, staging, dev.

02

Push your .env

Run passbook push. It's encrypted with AES-256-GCM before leaving your machine.

03

Pull anywhere

Team runs passbook pull. Right config, right directory. No Slack, no plaintext.

// capabilities

Built for the way developers actually work.

01

End-to-end encryption

AES-256-GCM authenticated encryption. Your secrets are ciphertext before they leave the browser. We never see plaintext.

AES-256
02

CLI-first workflow

pull, push, diff: three commands that fit into any existing workflow. No GUI required.

CLI
03

Team sharing with roles

Invite teammates as viewers or editors. Per-project access control. Share exactly what they need.

RBAC
04

Environment diffing

Compare local and remote before pushing. See exactly what changed. Catch mistakes before they ship.

DIFF
05

Cloudflare edge network

Deployed on Cloudflare Workers. Sub-50ms worldwide. No cold starts. No servers to manage.

EDGE
// security model

Your secrets stay yours.

Environment variables are encrypted in the browser before they're sent anywhere. The encryption key lives in Cloudflare's secret store—never in the database, never in the code. We can't read your data. That's the point.

  • Encrypted before leaving the browser
  • Zero-knowledge architecture
  • No plaintext stored, ever
  • Cloudflare Workers isolation
  • Tamper detection via GCM auth tags
encryption pipeline
# what you write
DATABASE_URL=postgres://prod:s3cret@db/app
STRIPE_KEY=sk_live_4eC39HqLyjWDarjtT1zdp7dc
REDIS_URL=redis://cache.internal:6379/0

# what we store
4f8a2c1e9b3d7f6a0e5c8b4d2a9f1e7c3b8d6a4f2e0c9b5d...
e7c4b9f2a1d8e3c6f0b5a7d4e2c8f1b3a6d9e5c2f7b0a4d8...
9d1e7a4c2f8b3e6d0a5c9f2b4e7d1a3c6f8b2e5a0d4c7f9b1...
// developer experience

Four commands. That's the whole API.

~/projects/api
$ npm i -g @passbook/cli
// questions

Things you'd want to know.

Is Passbook free?
Yes. Passbook is free for individual developers. Create projects, push environments. No credit card, no trial expiration, no feature gates.
How are my secrets encrypted?
Every environment is encrypted using AES-256-GCM, the same authenticated encryption standard used by banks and governments. The key is stored in a separate secret store, completely separate from your data. If someone got the database, they'd get ciphertext.
Can you read my environment variables?
No. The encryption key lives in a separate secret store. It's used at runtime but never exposed, logged, or stored alongside the encrypted data. There is no admin panel, no backdoor, no "decrypt all" button. Your plaintext exists only in your browser and your terminal.
How does team sharing work?
You invite teammates by email. Each person gets a role per project: editor (can view and modify environments) or viewer (read-only). You control access at the project level. Sharing one project doesn't expose anything else in your account.
What happens if Passbook goes down?
Passbook runs on Cloudflare Workers, which operates across 300+ edge locations with a 99.99% uptime SLA. But even in the worst case, your local .env files still work. Passbook is a sync tool, not a runtime dependency. Your apps never call Passbook to start.
Do I need the CLI? Can I just use the web app?
Either works. The web app has a full editor with syntax highlighting where you can create, edit, and manage environments. The CLI adds push, pull, and diff for developers who prefer to stay in the terminal. Use whichever fits your workflow.
How is this different from .env files in a private repo?
A private repo still stores secrets in plaintext. Anyone with repo access sees everything. Git history preserves deleted secrets forever. Passbook encrypts at rest, gives you per-person role-based access, and lets you pull configs without cloning an entire repository.

Stop copy-pasting
.env files.

Free for individuals. Set up in under a minute.

Get started