Overview
SecretStash is a centralized environment variable management service designed for modern development teams.
SecretStash provides a secure and organized way to manage environment variables across your entire organization, multiple applications, and various deployment environments. By centralizing your secrets, you can ensure consistency, improve security, and streamline the onboarding process for new developers.
Core Features
- Centralized Management: A powerful web interface to organize your applications, environments, and secrets in one place.
- PHP CLI: A dedicated CLI tool (`secret-stash-cli`) that syncs your local `.env` files with the SecretStash service. Available as a Laravel Artisan package or as a standalone binary for any PHP project.
- Node Module: A TypeScript/JavaScript package (`@secret-stash/cli`) that provides both a CLI and a programmatic API for managing secrets in Node.js projects. Installable globally or as a project dependency.
- Environment-Specific Encryption: Each environment (e.g., local, staging, production) uses its own unique encryption key, so a value encrypted for one environment cannot be decrypted with another environment's key and secrets are only decryptable where they are needed.
- Secure by Design: Values are encrypted client-side with your environment's unique key before they are ever transmitted or stored. The service holds only ciphertext and never the key, which is what the page means by a zero-knowledge model: it protects your data from the service itself, not from anyone who obtains the environment key.
Concepts
To effectively use SecretStash, it's important to understand how it organizes your data:
- Organization: The top-level container for all your projects and team members.
- Application: Represents a specific project or service within your organization (e.g., "Marketing Site" or "API Service").
- Environment: Specific deployment targets for an application, such as `local`, `development`, `staging`, or `production`.
- Variables: The individual key-value pairs (secrets) that make up your environment configuration.
How it Works
SecretStash bridges the gap between your development environment and your production infrastructure:
- Web Interface: Use the SecretStash dashboard to create applications and environments, manage team access, and manually update secret values when necessary.
- CLI Integration: The SecretStash CLI tools let developers "pull" the latest secrets into their local `.env` file or "push" new local changes up to the service. The PHP CLI works as a Laravel Artisan package or as a standalone command (`vendor/bin/secret-stash`). The Node module provides the `secret-stash` CLI command and a full TypeScript API for programmatic access.
- Local Decryption: When you pull variables, the CLI uses a locally stored environment key to decrypt the values. The SecretStash servers never see your raw, unencrypted secrets. Because the key never goes through the service, it has to reach each developer's machine by some other channel and must be protected like any other secret.
Security Model
Security is at the heart of SecretStash:
- Personal Access Tokens: Every API call is authenticated with a personal access token. A token alone only grants access to encrypted values; reading them still requires the environment key, so a leaked token and a leaked key are separate incidents with different blast radii.
- Client-Side Encryption: Secret values are encrypted locally by the CLI, under the target environment's key, before being sent to our servers.
- Zero-Knowledge Storage: Because encryption happens client-side, SecretStash stores only encrypted blobs. Even in the unlikely event of a data breach, your raw secrets remain protected as long as the environment keys, which are never sent to the service, are not compromised along with the stored ciphertext.
- Audit Trails: (Coming Soon) Track who accessed or modified secrets and when.
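The push/pull flow in "How it Works" and the client-side encryption in this section can be shown end to end. The block below is an added example written for this page; it is not the `@secret-stash/cli` package or its API. The page does not specify the cipher, the stored record layout or how environment keys are generated, so AES-256-GCM, the `StoredVariable` shape, binding the variable name as associated data, random per-environment keys and all function names here are assumptions made for the illustration.

```typescript
// Added example (not @secret-stash/cli code): models the push/pull flow and the
// client-side encryption described above. The record layout, AES-256-GCM with the
// variable name as associated data, and every function name here are assumptions.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

/** What the service would store per variable: metadata and ciphertext, never a key or plaintext. */
export interface StoredVariable {
  name: string;       // variable name kept in the clear (assumption: names are not secret)
  iv: string;         // 12-byte GCM nonce, base64, fresh for every encryption
  ciphertext: string; // base64
  tag: string;        // 16-byte GCM authentication tag, base64
}

/** Parse the .env subset used here: KEY=value, optional matching quotes, # comments, blank lines. */
export function parseDotenv(text: string): Record<string, string> {
  const vars: Record<string, string> = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue; // no key: skip rather than guess
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      value.length >= 2 && (value[0] === '"' || value[0] === "'") && value[value.length - 1] === value[0];
    if (quoted) value = value.slice(1, -1);
    vars[name] = value;
  }
  return vars;
}

/** Serialize to .env lines. Values are double-quoted so spaces and '#' survive a round trip;
 *  values that themselves contain a double quote are out of scope for this example. */
export function serializeDotenv(vars: Record<string, string>): string {
  return Object.entries(vars).map(([name, value]) => `${name}="${value}"`).join("\n") + "\n";
}

/** Encrypt one value under the environment key. The variable name is bound as AAD so a stored
 *  blob cannot be re-labelled as a different variable without failing authentication. */
export function encryptValue(envKey: Buffer, name: string, value: string): StoredVariable {
  if (envKey.length !== 32) throw new Error("environment key must be 32 bytes (AES-256)");
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", envKey, iv);
  cipher.setAAD(Buffer.from(name, "utf8"));
  const ct = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
  return { name, iv: iv.toString("base64"), ciphertext: ct.toString("base64"), tag: cipher.getAuthTag().toString("base64") };
}

/** Decrypt one record. Throws if the key is wrong, the blob was modified, or the name was changed. */
export function decryptValue(envKey: Buffer, rec: StoredVariable): string {
  const decipher = createDecipheriv("aes-256-gcm", envKey, Buffer.from(rec.iv, "base64"));
  decipher.setAAD(Buffer.from(rec.name, "utf8"));
  decipher.setAuthTag(Buffer.from(rec.tag, "base64"));
  return Buffer.concat([
    decipher.update(Buffer.from(rec.ciphertext, "base64")),
    decipher.final(), // the GCM tag is verified here
  ]).toString("utf8");
}

/** "push": parse the local .env and produce the only thing that leaves the machine. */
export function pushEnv(envKey: Buffer, dotenvText: string): StoredVariable[] {
  return Object.entries(parseDotenv(dotenvText)).map(([name, value]) => encryptValue(envKey, name, value));
}

/** "pull": decrypt every record with the locally held key and render a .env file. */
export function pullEnv(envKey: Buffer, stored: StoredVariable[]): string {
  const vars: Record<string, string> = {};
  for (const rec of stored) vars[rec.name] = decryptValue(envKey, rec);
  return serializeDotenv(vars);
}

/** True if any plaintext value appears verbatim in what the service would store. */
export function leaksPlaintext(stored: StoredVariable[], dotenvText: string): boolean {
  const serverView = JSON.stringify(stored);
  return Object.values(parseDotenv(dotenvText)).some((v) => v !== "" && serverView.includes(v));
}

// Constructed sample data: two environments with independent keys. Keys are random here;
// how the real service generates and distributes environment keys is not described on this page.
export const STAGING_KEY = randomBytes(32);
export const PRODUCTION_KEY = randomBytes(32);
export const SAMPLE_ENV = [
  "# constructed sample .env, not real credentials",
  "DB_URL=postgres://app:s3cr3t@db.internal:5432/app",
  'API_KEY="sk_test_not_a_real_key"',
  "",
].join("\n");

export function demo(): void {
  const stored = pushEnv(STAGING_KEY, SAMPLE_ENV);
  console.log("stored server-side:", JSON.stringify(stored, null, 2));
  console.log("plaintext visible to the service:", leaksPlaintext(stored, SAMPLE_ENV));
  console.log("pulled with the staging key:\n" + pullEnv(STAGING_KEY, stored));
  try {
    pullEnv(PRODUCTION_KEY, stored); // wrong environment: GCM authentication fails
  } catch (e) {
    console.log("pull with the production key failed as expected:", (e as Error).message);
  }
}

demo();
```

Two properties of the model fall out of running it: the JSON the service would persist contains no plaintext value, and a blob pushed for staging is useless to anyone holding only the production key or only an access token. Binding the variable name as associated data is an extra choice made in this example so that an attacker who can edit the stored rows cannot swap the ciphertext of, say, a low-value variable into the slot of a high-value one.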