Zero plaintext · Zero trust

Your secrets never touch our servers.

packshell encrypts your .env files locally with AES-256-GCM, syncs the cipher through the cloud, and decrypts them only on your teammates’ machines. Not on the server. Not in the database. Nowhere in between.

AES-256-GCM · RSA-4096 OAEP · Node 20+ · MIT
Vercel-ready API · Firebase Auth · Firestore audit trail · Published on npm · CI/CD friendly

The problem

Plaintext secrets drift everywhere.

A single .env file passes through dozens of hands and tools — and every hop is a place a key can leak, get cached, or quietly outlive the person who shared it.

Terminals

Pasted into a shell, captured in history forever.

DMs & chat

Dropped in Slack, screenshotted, never deleted.

Tickets

Logged into Jira, visible to the whole org.

Handoffs

Copied between branches and deploy scripts.


How it works

Five commands. One sealed pipeline.

From your terminal to your team — encryption happens before anything leaves your machine, and decryption happens only on theirs.

  1. auth: RSA-4096 keypair, generated on your machine.
  2. init: Link a project. Get an AES-256 project key.
  3. push: Encrypt locally, then upload the cipher blob.
  4. share: Wrap the key to each teammate’s public key.
  5. pull: Teammate decrypts on their machine. Done.

[Diagram: your machine (plaintext .env) → encrypt → cipher blob → decrypt → teammate (plaintext .env)]
The cloud only ever holds the cipher blob — never a readable value.

Security model

Built for custody, not convenience.

Encryption isn’t a feature bolted on top — it’s the architecture. Here’s exactly what protects your secrets.

Local-first encryption

Every value is sealed with AES-256-GCM on your machine — a random IV per push, bound to your company, project, and environment.

Per-user key wrapping

Project keys are sealed individually to each member’s RSA-4096 public key. Access is granted without exposing a single secret.

Zero-knowledge server

The API receives only authenticated cipher bytes. There is no decryption key anywhere on the server. Ever.

Instant revocation

Remove a member and their wrapped key copy vanishes. They can’t decrypt future — or cached — versions.

Versioned & audited

Plan-aware retention with a full Firestore audit trail: who pushed or pulled what, and when.

Integrity by checksum

Each push records a SHA-256 of the plaintext and a key count, so corruption and drift are caught instantly.

What the server stores

  • Authenticated cipher blobs (AES-256-GCM)
  • Per-member wrapped project keys (RSA-OAEP)
  • Key counts & SHA-256 checksums
  • Audit logs — who did what, when

What it never sees

  • Plaintext .env contents
  • Secret values of any kind
  • Your private keys
  • Anything decryptable in a breach
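
The "Local-first encryption" and "Per-user key wrapping" steps above, sketched with Node's built-in crypto module. This is an added example, not packshell's own code: the function names, the blob layout, the 12-byte IV, the SHA-256 OAEP hash and the length-prefixed encoding of company, project and environment are all assumptions, since the page does not specify them.

```javascript
// Added illustration, not packshell's source; names, blob layout and AAD encoding are assumed.
const { randomBytes, createCipheriv, createDecipheriv, publicEncrypt,
  privateDecrypt, generateKeyPairSync, constants } = require('node:crypto');

// Assumed AAD format: length-prefixed company, project, env, so that
// ("ab","c") and ("a","bc") can never encode to the same bytes.
function bindingAAD(ctx) {
  return Buffer.concat([ctx.company, ctx.project, ctx.env].flatMap((s) => {
    const value = Buffer.from(s, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(value.length);
    return [len, value];
  }));
}

// push: seal the .env text under the project key with a fresh 96-bit IV.
function seal(projectKey, plaintext, ctx) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', projectKey, iv);
  cipher.setAAD(bindingAAD(ctx));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// pull: throws if the key, the blob, or the company/project/env context differ.
function unseal(projectKey, blob, ctx) {
  const decipher = createDecipheriv('aes-256-gcm', projectKey, blob.iv);
  decipher.setAAD(bindingAAD(ctx));
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString('utf8');
}

// share: wrap the 32-byte project key to one member's RSA public key.
const oaep = (key) => ({ key, padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });
const wrapKey = (publicKey, projectKey) => publicEncrypt(oaep(publicKey), projectKey);
const unwrapKey = (privateKey, wrapped) => privateDecrypt(oaep(privateKey), wrapped);

// Constructed walk-through: round trip, then a staging blob presented as production.
function demo(bits = 4096) {
  const member = generateKeyPairSync('rsa', { modulusLength: bits });
  const projectKey = randomBytes(32);
  const ctx = { company: 'acme', project: 'my-api', env: 'staging' };
  const blob = seal(projectKey, 'DB_URL=postgres://example.invalid/db\n', ctx);
  const wrapped = wrapKey(member.publicKey, projectKey); // server holds blob + wrapped only
  const key = unwrapKey(member.privateKey, wrapped);     // happens on the teammate's machine
  let crossEnvRejected = false;
  try { unseal(key, blob, { ...ctx, env: 'production' }); } catch { crossEnvRejected = true; }
  return { recovered: unseal(key, blob, ctx), crossEnvRejected };
}
```

Calling demo() returns the recovered text and whether the cross-environment blob was rejected; demo(2048) generates a smaller key for a quicker run.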

The CLI

Lives where you already work.

No dashboards to babysit. packshell is a calm, fast command-line tool that fits straight into your existing workflow.

$ packshell auth

Log in via browser, register your public key.

$ packshell init

Link the current project, mint a project key.

$ packshell push

Encrypt .env locally and upload the cipher.

$ packshell pull

Download the latest version and decrypt it.

$ packshell diff

See changed keys — never any values.

$ packshell invite

Add a teammate and seal them the key.

$ packshell watch

Auto-pull when a newer version lands.

~/projects/api
$ packshell init my-api
✓ linked · wrote .packshell.json
✓ project key sealed to your public key
$ packshell invite dev@team.com
✓ invite sent · key wrapped to their key
$ packshell diff --env production
Changed remotely
STRIPE_KEY
REDIS_URL (added)
values are never shown — only key names

Pricing

Start free. Scale when ready.

Every plan ships full client-side encryption. Upgrade anytime with a premium code — packshell redeem.

Free Solo

$0
  • 1 project
  • 3 members
  • 1 environment
  • 7-day history
  • 250 pushes / mo
  • Audit logs

Free Team

$0
  • 2 projects
  • 5 members
  • 2 environments
  • 14-day history
  • 500 pushes / mo
  • Audit logs

Starter

$9 /mo
  • 3 projects
  • 5 members
  • 2 environments
  • 30-day history
  • 2,000 pushes / mo
  • Audit logs

Studio

Custom
  • Unlimited projects
  • Unlimited members
  • Unlimited envs
  • Forever history
  • Audit logs
  • Unlimited pushes

Encrypt your secrets in the next five minutes.

Install the CLI, run packshell auth, and your team is syncing sealed environments before your coffee’s cold.

$ npm install -g packshell