whisper-secrets
A zero-knowledge .env secret manager for teams
Stop sending API keys over Slack. Stop sharing .env files on Google Drive.
whisper-secrets encrypts your secrets on your machine before anything touches the network.
The server only sees ciphertext — no accounts, no signup, just a passphrase.
Install
The CLI is not yet publicly available. Binary releases will be published soon.
Quick Start
Choose the path that fits your situation:
Starting a new project
# 1. Generate a config with a random passphrase
# You'll get a Whisper link to share with your team
whisper-secrets init
# 2. Push your first secret (value is prompted, never in shell history)
whisper-secrets push DATABASE_URL
# 3. Your teammate drops in their .whisperrc and runs:
whisper-secrets pull
Already have a .env?
# 1. Set up your config
whisper-secrets init
# 2. Upload every entry from your existing .env
whisper-secrets import
# 3. Commit .env.whisper to your repo (it only contains UUIDs, no secrets)
# 4. Your teammate clones, adds their .whisperrc, and pulls
whisper-secrets pull
.env.whisper maps variable names to server-side UUIDs — no secrets in it.
Commit it to your repo. Keep .whisperrc in your .gitignore.
Commands
init
Create a .whisperrc config with a randomly generated passphrase.
A Whisper link (expires in 24h) is created automatically — send it to your team.
whisper-secrets init
whisper-secrets init --url http://localhost:1212
whisper-secrets init --manual-passphrase
import
Read your existing .env and push every entry. Entries already tracked in .env.whisper are skipped.
whisper-secrets import
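The README states the import rule (every .env entry is pushed, names already tracked in .env.whisper are skipped) without showing how the two files are reconciled. The following Go program is an added illustration written for this page, not whisper-secrets' own code: it parses a .env file, then assigns a fresh random UUID to each untracked name and leaves tracked names alone. It assumes .env.whisper is a plain name-to-UUID map; the page does not document its actual file format, and the sample .env and tracked UUID below are constructed.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// ParseDotEnv reads KEY=value lines, ignoring blank lines, comments and an
// optional "export " prefix, and strips one layer of matching quotes.
func ParseDotEnv(content string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		line = strings.TrimPrefix(line, "export ")
		name, value, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		name = strings.TrimSpace(name)
		value = strings.TrimSpace(value)
		if len(value) >= 2 && (value[0] == '"' || value[0] == '\'') && value[len(value)-1] == value[0] {
			value = value[1 : len(value)-1]
		}
		out[name] = value
	}
	return out
}

// NewUUID returns a random version-4 UUID string: the server-side handle that
// .env.whisper records instead of the secret value.
func NewUUID() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// PlanImport applies the README's import rule: each .env entry not yet tracked
// gets a fresh UUID and is queued for upload; tracked names are skipped.
// It returns the merged mapping and the sorted names that would be pushed.
func PlanImport(tracked, env map[string]string) (map[string]string, []string) {
	merged := make(map[string]string, len(tracked)+len(env))
	for k, v := range tracked {
		merged[k] = v
	}
	var toPush []string
	for name := range env {
		if _, seen := merged[name]; seen {
			continue
		}
		merged[name] = NewUUID()
		toPush = append(toPush, name)
	}
	sort.Strings(toPush)
	return merged, toPush
}

func main() {
	// Constructed sample input; neither file is taken from the README.
	dotenv := "# local settings\nexport DATABASE_URL=\"postgres://user:pw@db/app\"\nSTRIPE_SECRET_KEY=sk_test_placeholder\nNEW_FLAG=1\n"
	tracked := map[string]string{"DATABASE_URL": "550e8400-e29b-41d4-a716-446655440000"}
	merged, toPush := PlanImport(tracked, ParseDotEnv(dotenv))
	fmt.Println("would push:", toPush)
	for k, v := range merged {
		fmt.Printf("%s -> %s\n", k, v)
	}
}
```

Only the name-to-UUID map is ever written to disk in a committable file; the parsed values stay in memory until they are encrypted and pushed.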
push
Encrypt and upload a single secret. You'll be prompted for the value.
whisper-secrets push DATABASE_URL
whisper-secrets push STRIPE_SECRET_KEY
pull
Download and decrypt every secret listed in .env.whisper, writing the result to .env.
whisper-secrets pull
rotate
Update a secret in-place — same UUID, new encrypted value.
whisper-secrets rotate DATABASE_URL
remove
Delete a secret from the server and remove it from .env.whisper and .env.
whisper-secrets remove OLD_API_KEY
share
Create a one-time secret link, just like the Whisper web UI. Defaults to 1 hour, self-destructs after first view.
whisper-secrets share
whisper-secrets share -e 24h
whisper-secrets share -e 7d --no-self-destruct
get
Retrieve a shared secret from a Whisper link or ID, straight from your terminal.
whisper-secrets get https://whisper.quentinvedrenne.com/get_secret?shared_secret_id=...
whisper-secrets get 550e8400-e29b-41d4-a716-446655440000
How It Works
- Your passphrase is stretched into a 256-bit key using PBKDF2-SHA256 (600 000 iterations). The passphrase never leaves your machine.
- Each secret is encrypted with AES-256-GCM using a unique random nonce. The server stores only ciphertext.
- .env.whisper maps each variable name to a UUID on the server — no secrets, safe to commit.
- When you pull, the CLI fetches each UUID, decrypts locally, and writes the result to .env.
The server is zero-knowledge: even if the database leaks, your secrets stay encrypted. Only someone with the passphrase can decrypt them.
Configuration
The .whisperrc file lives in your project root:
{
"url": "https://whisper.quentinvedrenne.com",
"passphrase": "your-team-passphrase"
}
- passphrase — required, generated by init or chosen with --manual-passphrase
- url — optional, defaults to https://whisper.quentinvedrenne.com
Add .whisperrc to your .gitignore — it contains your passphrase.
CI/CD
Store the .whisperrc JSON as a CI secret, then write it to disk before pulling:
# GitHub Actions example
- name: Pull secrets
  run: |
    echo '${{ secrets.WHISPERRC }}' > .whisperrc
    whisper-secrets pull
Debugging
Use -v to see what's happening under the hood:
whisper-secrets -v push DATABASE_URL
FAQ
What happens if I lose the passphrase?
The secrets are gone. That's the zero-knowledge guarantee — nobody can recover them, not even us. Keep a backup in a password manager.
How do I onboard a new teammate?
- Send them the Whisper link from init (or share the passphrase securely).
- They create their own .whisperrc with the passphrase.
- They clone the repo (which includes .env.whisper) and run whisper-secrets pull.
A credential got leaked. Now what?
- Revoke the compromised key in the relevant service.
- Rotate the value: whisper-secrets rotate LEAKED_KEY
- Tell the team to whisper-secrets pull.
Can I self-host?
Not yet, but it's coming soon. Whisper will be a single binary you can deploy anywhere — just point --url at your own instance.