Variables

Add, edit, delete, and import environment variables in SecretStash with client-side encryption.

Variables are the individual key-value pairs that make up your environment configuration (e.g., DATABASE_URL, API_SECRET). All variable values are encrypted client-side before being stored, ensuring that SecretStash servers never have access to your raw secrets.

Viewing Variables

On the application detail page, select an environment tab to see its variables displayed in a data table. The table shows each variable's name and provides actions to edit or delete individual entries.

Adding a Variable

Open the create dialog

Click the Add Variable button above the variables table for the selected environment.

Enter the key and value

Key — the variable name (e.g., DATABASE_URL). Must be unique within the environment.
Value — the secret value. This will be encrypted client-side before being sent to the server.

Submit

Click Create to save the variable. It will appear in the variables table.

Variable creation is subject to your subscription plan limits. If you have reached your variable limit, you will be prompted to upgrade your plan.

Editing a Variable

Click the edit action on any variable row to open the edit dialog. Update the key or value and click Save. The updated value is re-encrypted client-side before being stored.

Deleting Variables

Single Variable

Click the delete action on any variable row. Confirm the deletion in the dialog that appears.

Bulk Delete

Select multiple variables using the checkboxes in the data table, then use the bulk delete action to remove them all at once.

Deleting variables is permanent and cannot be undone.

Importing a .env File

SecretStash supports importing variables directly from a .env file. This is useful for quickly onboarding an existing project.

Open the import dialog

Click the dropdown arrow next to the Add Variable button and select Import .env file.

Upload your file

Drag and drop a .env file into the upload area, or click to browse and select a file. The file will be parsed and its variables listed for review.

Review and confirm

Review the parsed variables. Any variables that already exist in the environment will be flagged as duplicates. Choose to overwrite existing values or skip them, then confirm the import.

All imported variables are encrypted client-side before being sent to the server, just like manually created variables.

Client-Side Encryption

Every variable value is encrypted in your browser using the environment's unique Data Encryption Key (DEK) with AES-256-GCM encryption. The encrypted payload is then sent to SecretStash for storage. When you view a variable, the encrypted payload is retrieved and decrypted locally using your device's private key and the environment's DEK.

SecretStash uses a zero-knowledge architecture. Your raw secret values never leave your browser unencrypted.

Next Steps

Use the CLI to pull and push variables between SecretStash and your local .env file.
Learn more about encryption keys and envelopes.

Environments

Create and manage deployment environments for your SecretStash applications.

Organizations

Manage organizations, invite team members, and configure billing in SecretStash.

On This Page

Viewing Variables
Adding a Variable
Editing a Variable
Deleting Variables
- Single Variable
- Bulk Delete
Importing a .env File
Client-Side Encryption
Next Steps

Star the CLI on GitHub Report an issue