๐๏ธ Secretbox
Self-hosted team secrets and env-var manager, no per-seat Doppler bill.
Doppler charges $12 per user per month to store key-value pairs, so a five-person team pays about $2,160 over three years, forever, in Doppler's cloud. Secretbox does projects, environments, envelope-encrypted secrets, versioning with rollback, env diffs, scoped API tokens and a zero-dependency CLI on your own box. $39, once.
Secretbox screenshot is being captured โ the app is shipped and real.
Features
Envelope encryption at rest
Every value gets its own random AES-256-GCM data key, wrapped by a master key that lives only in your .env and never in the database.
Projects and environments
Organize projects into dev, staging, prod and custom environments, with secret versioning and one-click rollback.
Audit-logged reveals
Every reveal, pull, edit and rollback is recorded with who, what and when.
Environment diff
See which keys are missing or different between dev and prod without exposing the values.
Scoped API tokens
Per-project, read-only or read-write tokens, shown once and stored as SHA-256 hashes.
Zero-dependency CLI
secretbox pull writes an env file, secretbox run injects env and writes nothing to disk, and secretbox push adds a key.
Desktop mode or VPS
Run it as an Electron app, or docker compose up on a $5 VPS.
Secretbox vs Doppler Team
Doppler Team at $12/user/mo runs roughly $144/year โ $288 over two years. Secretbox is $39, once.
| Secretbox | Doppler Team | |
|---|---|---|
| Price | $39 once | $12/user/mo |
| 5-person team, 3 years | $39 | ~$2,160 |
| Encrypted at rest | Yes, envelope AES-256-GCM | Yes |
| Your secrets on your server | Yes | No |
| Versioning + rollback | Yes | Yes |
| Env diff | Yes | Yes |
| CLI pull / run injection | Yes | Yes |
| Audit log | Yes | Higher tiers only |
Under four months of Doppler for a five-person team already costs more than Secretbox, which then never charges per seat again.
Three steps, no subscription
Buy once on Whop
One payment of $39 gets you the packaged 1-click installer, or clone the MIT source at github.com/bensblueprints/env-secrets-manager and run it yourself for free.
Deploy on your own server
docker compose up on a $5 VPS behind HTTPS, or run the Electron desktop build, then set ADMIN_PASSWORD and back up your MASTER_KEY.
Wire up your CLI
Point the zero-dependency CLI at your host with a scoped token and run secretbox pull or secretbox run to feed secrets straight into your deploys.
Honest answers
Is it really free on GitHub?
Yes. Secretbox is MIT-licensed at github.com/bensblueprints/env-secrets-manager and always will be. The $39 buys the packaged 1-click installer and setup; building from source is free.
Where do my secrets live?
In a SQLite database on your own server, envelope-encrypted per value. Nothing goes to us or any third-party cloud.
Is this zero-knowledge like Vaultly?
No, and honestly so: this is server-side encryption, because a secrets manager that feeds CI must hold the key to hand plaintext to your deploys. If you need client-side zero-knowledge crypto, that is our Vaultly product. Protect the box and protect the .env.
Is this a subscription in disguise?
No. $39 once, no renewal, no per-seat billing, no license server. Just back up your MASTER_KEY, because without it your secrets are unrecoverable.
Own Secretbox forever
$39 once. Deploy on your own server โ your data never leaves it. No renewal, no account with us, no meter. Or build it yourself from the MIT source โ it's the same app.