Env Encryptor

Zero-Knowledge Sharing

When you need to send a sensitive environment variable or password to a colleague, sending it via Slack or Email is risky because it creates a permanent record in those systems. Our tool uses Client-Side AES-GCM Encryption to protect your data.

How it works

1. Encrypt: Client generates a random encryption key locally. Your secret is encrypted with this key.
2. Link Generation: A URL is created containing the encrypted data (in the query/path) and the decryption key (in the #hash).
3. Server Blindness: When you send the link, the server receives the request but URL fragments (everything after #) are NEVER sent to the server by browsers. The key stays on the client side.
4. Decrypt: The recipient opens the link. Their browser extracts the key from the #hash and decrypts the content locally.

Modern browsers support the Web Crypto API for secure, native cryptographic operations. Here is how to implement AES-GCM encryption in vanilla JavaScript.

AES-GCM Encryption Example

async function encryptMessage(message) {
    // 1. Generate a Key
    const key = await window.crypto.subtle.generateKey(
        { name: "AES-GCM", length: 256 },
        true,
        ["encrypt", "decrypt"]
    );

    // 2. Encode message
    const encoded = new TextEncoder().encode(message);

    // 3. Generate IV (Initialization Vector)
    const iv = window.crypto.getRandomValues(new Uint8Array(12));

    // 4. Encrypt
    const ciphertext = await window.crypto.subtle.encrypt(
        { name: "AES-GCM", iv: iv },
        key,
        encoded
    );

    return { ciphertext, iv, key };
}

Security Note

AES-GCM is an authenticated encryption mode, meaning it ensures both confidentiality and integrity. Always use a unique IV for every encryption operation.