// encrypted environment storage

Your .env files
deserve a vault.

Not a Slack message. Not a shared Google Doc. A real encrypted store that your whole team can pull from.

Start for free See the CLI

plaintext

DATABASE_URL=postgres://prod:s3cret@db/app

STRIPE_KEY=sk_live_4eC39HqLyjW

JWT_SECRET=a7f3b2e9d1c8f4a6b0e5

REDIS_URL=redis://cache:6379/0

encrypted

4f8a2c1e9b3d7f6a...

e7c4b9f2a1d8e3c6...

2b8f5c3a7e1d9f4b...

9d1e7a4c2f8b3e6d...

● AES-256-GCM · encrypted at rest

// workflow

Three commands. Zero config.

Create a project

Organize by project. Each holds its own set of environments—production, staging, dev.

→

Push your .env

Run passbook push. Passbook stores it with AES-256-GCM encryption on the server.

→

Pull anywhere

Team runs passbook pull. Right config, right directory. No Slack, no plaintext.

// capabilities

Built for the way developers actually work.

Server-side encryption

AES-256-GCM authenticated encryption. Secrets are encrypted at rest and decrypted only for authenticated access.

AES-256

CLI-first workflow

pull, push, diff three commands that fit into any existing workflow. No GUI required.

CLI

Team sharing with roles

Invite teammates as viewers or editors. Per-project access control. Share exactly what they need.

RBAC

Environment diffing

Compare local and remote before pushing. See exactly what changed. Catch mistakes before they ship.

DIFF

Cloudflare edge network

Deployed on Cloudflare Workers. Sub-50ms worldwide. No cold starts. No servers to manage.

EDGE

// security model

Your secrets stay yours.

Environment variables are encrypted at rest with AES-256-GCM. The encryption key lives in Cloudflare's secret store—separate from the database and never committed to code. Passbook decrypts only when an authenticated user or CLI command needs access.

Server-side encryption at rest
Keys kept outside the database
Plaintext is never stored in the database
Cloudflare Workers isolation
Tamper detection via GCM auth tags

encryption pipeline

# what you write DATABASE_URL=postgres://prod:s3cret@db/app STRIPE_KEY=sk_live_4eC39HqLyjWDarjtT1zdp7dc REDIS_URL=redis://cache.internal:6379/0

# what we store 4f8a2c1e9b3d7f6a0e5c8b4d2a9f1e7c3b8d6a4f2e0c9b5d... e7c4b9f2a1d8e3c6f0b5a7d4e2c8f1b3a6d9e5c2f7b0a4d8... 9d1e7a4c2f8b3e6d0a5c9f2b4e7d1a3c6f8b2e5a0d4c7f9b1...

// developer experience

Four commands. That's the whole API.

~/projects/api

$ npm i -g @passbook/cli

// questions

Things you'd want to know.

Is Passbook free?

Yes. Passbook is free for individual developers. Create projects, push environments. No credit card, no trial expiration, no feature gates.

How are my secrets encrypted?

Every environment is encrypted using AES-256-GCM authenticated encryption before it is stored. The key is stored in a separate Cloudflare secret, not in the database. If someone got only the database, they'd get ciphertext.

Can you read my environment variables?

Passbook decrypts environment variables only to serve authenticated users and CLI commands with access. The key is kept in a separate Cloudflare secret and is not stored alongside encrypted data. We do not claim zero-knowledge or end-to-end encryption.

How does team sharing work?

You invite teammates by email. Each person gets a role per project: editor (can view and modify environments) or viewer (read-only). You control access at the project level. sharing one project doesn't expose anything else in your account.

What happens if Passbook goes down?

Passbook runs on Cloudflare Workers, which operates across 300+ edge locations with a 99.99% uptime SLA. But even in the worst case, your local .env files still work. Passbook is a sync tool, not a runtime dependency. your apps never call Passbook to start.

Do I need the CLI? Can I just use the web app?

Either works. The web app has a full editor with syntax highlighting where you can create, edit, and manage environments. The CLI adds push, pull, and diff for developers who prefer to stay in the terminal. Use whichever fits your workflow.

How is this different from .env files in a private repo?

A private repo still stores secrets in plaintext. Anyone with repo access sees everything. Git history preserves deleted secrets forever. Passbook encrypts at rest, gives you per-person role-based access, and lets you pull configs without cloning an entire repository.

Your .env filesdeserve a vault.