Show HN: Keyline, share .env files encrypted before they leave your laptop

boyadzhiev1 pts0 comments

Keyline: Secrets your whole team can share

We host your secrets. We can't read them.<br>AES-256 Β· client-side encryption Β· audit everything

# engineeringtoday, 2:47 PM

JD

Jordan 2:46 PM

hey can someone send me the prod keys real quick? deploy is broken 😩

MR

Maria 2:47 PM

here you go, don't share lol<br>OPENAI_API_KEY=sk-proj-51Hb...9aQ2<br>DATABASE_URL=postgres://admin:hunter2@…

⚠ now lives in Slack forever

The problem

Your live keys are in a chat thread right now.

Every small team starts the same way. It works, until it doesn't.

βœ•Slack & DMs keep an unencrypted, searchable copy of your credentials forever. That includes anyone you offboard.

βœ•Shared drives & pinned docs drift out of date, so half the team runs the wrong key.

βœ•.env in the repo means one bad git push from a public leak and a 3am rotation scramble.

βœ•No record of who saw what, when. A leak becomes an unanswerable question.

How it works

Up and running in five minutes.

Keyline speaks .env natively. If your app reads environment variables today, nothing in your code changes. Here is the whole journey, no hidden steps.

Youabout 2 minutes

Install the CLI

One command. macOS, Linux, or Windows.

$ curl -fsSL keyline.sh/install | sh

Create your account

Two questions: team name and your email. No card, no browser.

$ keyline login

Link this folder

Once per project. Keyline remembers.

$ keyline link acme-api --env prod

Push your .env

Encrypted on your laptop before it leaves. We store ciphertext.

$ keyline push

the invite email<br>carries the join code

Your teammateabout 1 minute

Invite your teammate

You run this. They get an email with a one-time join code.

$ keyline members invite sam@acme.com

They join

Their machine gets its own key. Nothing shared over chat.

$ keyline join QVJX-3F9K-TX2M

They pull

The same .env, decrypted only on their machine.

$ keyline pull β€Ί wrote .env

Day two and beyond: someone leaves, you cut them off in one command. Every read and write lands in a tamper-evident audit log.<br>$ keyline revoke jordan@acme.com

The mental model

One workspace. A project per repo.

Your folders stay exactly where they are. keyline link binds each one to a project and an environment, and from then on push and pull just know where to go.

On your laptop

~/code

β”œβ”€ acme-api/

β”‚ β”œβ”€ .env gitignored

β”‚ └─ .keyline.json safe to commit

└─ acme-web/

β”œβ”€ .env gitignored

└─ .keyline.json safe to commit

keyline link<br>binds folder to environment

In your workspace

Acme workspace Β· your team

β”œβ”€ acme-api project

β”‚ β”œβ”€ prod ← this laptop

β”‚ └─ staging

└─ acme-web project

└─ prod ← this laptop

Workspace Your team. Members, billing, and the audit log live here. You need exactly one.

Project One per repo or app. Created on the fly the first time you link a folder.

Environment prod, staging, dev. Each holds one .env, and access is granted per environment.

.keyline.json holds ids only, never secrets. Commit it and teammates who pull the repo are one keyline pull away from running the app.

The demo

Forty-four seconds. Nothing sped up.

A real install, push, and pull. Recorded as-is.

install β†’ login β†’ link β†’ push β†’ pull β†’ run Β· 44s

Built for agents

Agents run your code. They don't need your keys.

Claude Code, Cursor, CI bots. An agent needs your app to run, not your secrets to read. keyline run keeps values out of prompts, logs, and diffs.

Out of the context window

The agent starts your app through Keyline. Secrets are injected in memory, into the app process. Never into the prompt.

$ keyline run -- npm test

Scoped like any teammate

Give an agent read on dev and nothing on prod. Tokens expire on their own. Revoke in one command.

$ keyline members grant agent@ci --env dev --role read

Audited like production

Every pull an agent makes lands in the tamper-evident log. Who, what, when.

$ keyline audit --env dev

k_

Your machine<br>encrypt with your workspace key

⬇ a8f3..d91c (ciphertext only)

Keyline servers<br>store + sync, can't decrypt

⬆ a8f3..d91c (ciphertext only)

k_

Teammate's machine<br>decrypt locally β†’ .env

Zero-knowledge architecture

Secrets are sealed before they leave your laptop.

Encryption and decryption happen entirely on your machines. Our servers only ever hold ciphertext.

βœ“We can't see your secrets The encryption key is derived from a workspace secret you control. It never touches our servers.

βœ“A breach of us isn't a breach of you If someone stole our entire database, they'd get a pile of unreadable bytes.

βœ“No subpoena, no insider, no accident You can't hand over data you mathematically cannot read. Neither can we.

Everything a small team needs

Boring infrastructure. Flawlessly executed.

One-command CLI<br>Install in seconds, no concepts to learn. keyline pull and you're working.

Per-environment access<br>Scope people to dev, staging, or prod. Interns never see live keys; seniors get everything.

Tamper-evident audit log<br>Every read, write, and denied attempt is recorded with who, what, and...

keyline pull acme secrets team read

Related Articles