whisper-secrets
v0.5.0
Secure, encrypted secret management CLI for teams. Zero-knowledge .env manager with client-side AES-256-GCM encryption.
whisper-secrets
Zero-knowledge .env secret manager for teams. Encrypt, store, and share secrets — secrets are encrypted before leaving your machine. No signup, no accounts.
Install
npm install -g whisper-secrets
Features
- Client-side encryption: AES-256-GCM encryption with PBKDF2 key derivation — your server never sees plaintext
- Team sharing: Initialize a project, share the passphrase link, and teammates can pull secrets instantly
- Ephemeral secrets: One-time share links with auto-expiration and optional self-destruct
- .env workflow: Push, pull, import, rotate, and remove secrets — works with your existing .env files
Quick Start
# Initialize a project (generates passphrase + share link for your team)
ws init
# Import your existing .env or push secrets one by one
ws import
ws push STRIPE_SECRET_KEY
# Teammates:
git clone <repo> && cd <repo>
ws join <link-from-teammate> # auto-pulls if .env.whisper is present
Tip: ws is a shortcut for whisper-secrets. Both work.
Managed Secrets (.env workflow)
ws init # set up a project
ws init --url https://your.host # use your own server
ws import # upload existing .env
ws push SECRET_NAME # encrypt & upload one secret
ws push # pick untracked .env entries interactively
ws pull # download & decrypt to .env
ws rotate SECRET_NAME # update a secret in-place
ws remove SECRET_NAME # delete a secret
ws status # show tracked, missing, and untracked secrets
Team Collaboration
ws invite # generate a new share link for a teammate
ws join <link> # join a project (auto-pulls if .env.whisper is present)
Ephemeral Secrets (one-time sharing)
ws share # 1h, self-destruct
ws share -e 24h # custom expiration
ws share -e 7d --no-self-destruct # keep after first view
ws get https://whisper.example.com/... # retrieve by URL or ID
How It Works
- whisper-secrets init generates a random passphrase and creates .whisperrc
- The passphrase derives an encryption key (PBKDF2-SHA256, 600k iterations) and an auth token
- push/import encrypt secrets client-side, then upload the ciphertext to the server
- pull downloads ciphertext and decrypts locally
- The server only stores encrypted blobs — zero knowledge of your secrets
Files created:
- .whisperrc — project config (URL + passphrase). Auto-added to .gitignore by init
- .env.whisper — mapping of secret names to server IDs. Commit this to git
- .env — plaintext secrets, generated by pull. Add to .gitignore
Security
- AES-256-GCM authenticated encryption with unique nonce per secret
- PBKDF2-SHA256 key derivation (600,000 iterations)
- Bearer token authentication derived from the same passphrase
- No plaintext ever leaves your machine or is stored on the server
Supported Platforms
| Platform | Architecture |
|----------|--------------|
| Linux | x64, arm64 |
| macOS | arm64 (Apple Silicon) |
| Windows | x64 |
Self-hosting
Whisper is open source. You can host your own server:
# See full setup instructions
git clone https://github.com/quentinved/Whisper
Then point the CLI to your server:
whisper-secrets init --url https://your-whisper-instance.com
Telemetry
whisper-secrets sends anonymous usage events to help us understand which commands are actually used and measure real adoption (npm download counts include bots and CI, so they don't reflect real usage).
What's collected: the command name (e.g. push, pull), success/failure, CLI version, OS, and CPU architecture. A random anonymous ID is stored in ~/.whisper-secrets/telemetry_id so we can count unique users.
What's never collected: secrets, secret names, file paths, passphrases, environment variable names, or any personal data.
To opt out, set the DO_NOT_TRACK environment variable:
export DO_NOT_TRACK=1