Available now Web app ยท self-hosted on your server

๐Ÿ—๏ธ Secretbox

Self-hosted team secrets and env-var manager, no per-seat Doppler bill.

Doppler charges $12 per user per month to store key-value pairs, so a five-person team pays about $2,160 over three years, forever, in Doppler's cloud. Secretbox does projects, environments, envelope-encrypted secrets, versioning with rollback, env diffs, scoped API tokens and a zero-dependency CLI on your own box. $39, once.

$12/user/mo forever $39once
Screenshot on the way

Secretbox screenshot is being captured โ€” the app is shipped and real.

What's in the box

Features

Envelope encryption at rest

Every value gets its own random AES-256-GCM data key, wrapped by a master key that lives only in your .env and never in the database.

Projects and environments

Organize projects into dev, staging, prod and custom environments, with secret versioning and one-click rollback.

Audit-logged reveals

Every reveal, pull, edit and rollback is recorded with who, what and when.

Environment diff

See which keys are missing or different between dev and prod without exposing the values.

Scoped API tokens

Per-project, read-only or read-write tokens, shown once and stored as SHA-256 hashes.

Zero-dependency CLI

secretbox pull writes an env file, secretbox run injects env and writes nothing to disk, and secretbox push adds a key.

Desktop mode or VPS

Run it as an Electron app, or docker compose up on a $5 VPS.

The receipt

Secretbox vs Doppler Team

Doppler Team at $12/user/mo runs roughly $144/year โ€” $288 over two years. Secretbox is $39, once.

SecretboxDoppler Team
Price$39 once$12/user/mo
5-person team, 3 years$39~$2,160
Encrypted at restYes, envelope AES-256-GCMYes
Your secrets on your serverYesNo
Versioning + rollbackYesYes
Env diffYesYes
CLI pull / run injectionYesYes
Audit logYesHigher tiers only

Under four months of Doppler for a five-person team already costs more than Secretbox, which then never charges per seat again.

Setup

Three steps, no subscription

STEP 01

Buy once on Whop

One payment of $39 gets you the packaged 1-click installer, or clone the MIT source at github.com/bensblueprints/env-secrets-manager and run it yourself for free.

STEP 02

Deploy on your own server

docker compose up on a $5 VPS behind HTTPS, or run the Electron desktop build, then set ADMIN_PASSWORD and back up your MASTER_KEY.

STEP 03

Wire up your CLI

Point the zero-dependency CLI at your host with a scoped token and run secretbox pull or secretbox run to feed secrets straight into your deploys.

FAQ

Honest answers

Is it really free on GitHub?

Yes. Secretbox is MIT-licensed at github.com/bensblueprints/env-secrets-manager and always will be. The $39 buys the packaged 1-click installer and setup; building from source is free.

Where do my secrets live?

In a SQLite database on your own server, envelope-encrypted per value. Nothing goes to us or any third-party cloud.

Is this zero-knowledge like Vaultly?

No, and honestly so: this is server-side encryption, because a secrets manager that feeds CI must hold the key to hand plaintext to your deploys. If you need client-side zero-knowledge crypto, that is our Vaultly product. Protect the box and protect the .env.

Is this a subscription in disguise?

No. $39 once, no renewal, no per-seat billing, no license server. Just back up your MASTER_KEY, because without it your secrets are unrecoverable.

Own Secretbox forever

$39 once. Deploy on your own server โ€” your data never leaves it. No renewal, no account with us, no meter. Or build it yourself from the MIT source โ€” it's the same app.