Overview
SecretStash is a centralized environment variable management service designed specifically for modern development teams and Laravel applications.
SecretStash provides a secure and organized way to manage environment variables across your entire organization, multiple applications, and various deployment environments. By centralizing your secrets, you can ensure consistency, improve security, and streamline the onboarding process for new developers.
Core Features
- Centralized Management: A powerful web interface to organize your applications, environments, and secrets in one place.
- First-Party CLI: A dedicated Laravel Artisan package (secret-stash-cli) that seamlessly syncs your local .env files with the SecretStash service.
- Environment-Specific Encryption: Each environment (e.g., local, staging, production) uses its own unique encryption key, ensuring that secrets are only decrypted where they are needed.
- Secure by Design: Values are encrypted client-side using your environment's unique key before they are ever transmitted or stored, providing a zero-knowledge security model for your most sensitive data.
Concepts
To effectively use SecretStash, it's important to understand how it organizes your data:
- Organization: The top-level container for all your projects and team members.
- Application: Represents a specific project or service within your organization (e.g., "Marketing Site" or "API Service").
- Environment: Specific deployment targets for an application, such as local, development, staging, or production.
- Variables: The individual key-value pairs (secrets) that make up your environment configuration.
How it Works
SecretStash bridges the gap between your development environment and your production infrastructure:
- Web Interface: Use the SecretStash dashboard to create applications and environments, manage team access, and manually update secret values when necessary.
- CLI Integration: The SecretStash CLI (available as a Laravel Artisan package) allows developers to "pull" the latest secrets into their local .env file or "push" new local changes up to the service.
- Local Decryption: When you pull variables, the CLI uses a locally stored environment key to decrypt the values. The SecretStash servers never see your raw, unencrypted secrets.
Security Model
Security is at the heart of SecretStash:
- Personal Access Tokens: All API interactions are authenticated using secure personal access tokens.
- Client-Side Encryption: Secret values are encrypted locally by the CLI before being sent to our servers.
- Zero-Knowledge Storage: Because encryption happens client-side, SecretStash stores only encrypted blobs. Even in the unlikely event of a data breach, your raw secrets remain protected.
- Audit Trails: (Coming Soon) Track who accessed or modified secrets and when.
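As an added illustration of the push/pull flow and the per-environment, client-side encryption described under "How it Works" and "Security Model" (example code written for this page, not SecretStash's own CLI code): a .env file is parsed, each value is sealed with the staging environment key before it would be sent, and the stored blobs can only be opened again with that same key. The helper names, the choice of libsodium secretbox, and the base64(nonce || ciphertext) blob layout are assumptions.

```php
<?php
// Added example (hypothetical helper names, not SecretStash's CLI): values are encrypted
// locally with a per-environment key, so the server only stores base64(nonce || ciphertext).
/** Parse KEY=VALUE lines of a .env file; blank lines and # comments are skipped. */
function parseDotEnv(string $contents): array
{
    $vars = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || !str_contains($line, '=')) {
            continue;
        }
        [$key, $value] = explode('=', $line, 2);
        $vars[trim($key)] = trim($value, " \t\"'");
    }
    return $vars;
}
/** "push": encrypt every value on the developer's machine; only these blobs are transmitted. */
function encryptForPush(array $vars, string $envKey): array
{
    $blobs = [];
    foreach ($vars as $name => $plain) {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce per value
        $blobs[$name] = base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $envKey));
    }
    return $blobs;
}
/** "pull": open blobs with the locally stored environment key; null if any blob cannot be opened. */
function decryptPulled(array $blobs, string $envKey): ?array
{
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    $vars = [];
    foreach ($blobs as $name => $blob) {
        $raw = base64_decode($blob, true);
        if ($raw === false || strlen($raw) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return null; // malformed blob: too short to hold a nonce and an authentication tag
        }
        $plain = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $envKey);
        if ($plain === false) {
            return null; // authentication failed: wrong environment key or tampered blob
        }
        $vars[$name] = $plain;
    }
    return $vars;
}
// Constructed sample: staging and production each hold their own environment key.
[$stagingKey, $productionKey] = [sodium_crypto_secretbox_keygen(), sodium_crypto_secretbox_keygen()];
$stored = encryptForPush(parseDotEnv("APP_ENV=staging\n# db\nDB_PASSWORD=\"s3cret\"\n"), $stagingKey);
var_dump(decryptPulled($stored, $stagingKey)['DB_PASSWORD'] === 's3cret'); // same key opens the blobs
var_dump(decryptPulled($stored, $productionKey) === null);                 // production key cannot
```

The second check is the property the per-environment keys buy you: a key leaked from one environment does not expose another environment's values, and a blob that fails authentication is rejected rather than partially decrypted.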