
Show HN: I Built Zero-Knowledge .env Sharing

3 points | AleksDoesCode | 10 days ago | secretdrop.dev

Hey everyone, English is not my native language. This post was polished with AI, but the content is mine.

I run a small dev agency in Germany. Every week someone shares database credentials, API keys, or a .env file via Slack or email. Not because they don’t care: because there’s no frictionless alternative.

Vault setups are heavy. Enterprise tools are expensive. I just needed: upload → share link → done. But encrypted before leaving the browser.

So I built SecretDrop.dev.

What it does

Files encrypted client-side (AES-256-GCM, PBKDF2 600k iterations)

Built entirely on WebCrypto

No third-party crypto libraries

Server stores only encrypted blobs

Recipient decrypts in their browser

No account required (password mode)

The server cannot read files, filenames, or passwords.

Premium mode

Encrypt with recipient’s public key (ECIES)

No shared password

Digital signature verifies sender identity

Only intended recipient can decrypt

Why

The real competitor isn’t Vault. It’s “paste in Slack.”

I optimized for:

Zero setup

Dev workflow simplicity

Default secure behavior

Free tier includes encrypted password-protected sharing. No credit card.

I’m exploring:

VSCode extension (right-click .env → share)

CLI tool (secretdrop share .env --expires 24h)

Would this fit your workflow? Any concerns about the crypto model or threat assumptions?

Happy to go deep on the architecture.
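
A sketch of the password mode described in the post above, written for this page as an added example; it is not SecretDrop's code and not part of the original post. The post names only AES-256-GCM, PBKDF2 with 600k iterations and WebCrypto; the blob layout, the 16-byte salt, the 12-byte IV, the SHA-256 PBKDF2 hash and the function names `sealFile` / `openFile` are assumptions.

```javascript
// Added example, not SecretDrop's code. Blob layout, salt/IV sizes and the
// PBKDF2 hash (SHA-256) are assumptions; the post names only the primitives.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // browser or Node
const ITERATIONS = 600000; // iteration count stated in the post
const enc = new TextEncoder(), dec = new TextDecoder();

async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns salt(16) || iv(12) || AES-GCM ciphertext+tag. The filename travels
// inside the ciphertext, so whoever stores the blob never sees it.
async function sealFile(filename, contentBytes, password) {
  const name = enc.encode(filename);
  if (name.length > 0xffff) throw new RangeError("filename too long");
  const plain = new Uint8Array(2 + name.length + contentBytes.length);
  new DataView(plain.buffer).setUint16(0, name.length); // 2-byte length prefix
  plain.set(name, 2);
  plain.set(contentBytes, 2 + name.length);
  const salt = wc.getRandomValues(new Uint8Array(16)); // fresh per upload
  const iv = wc.getRandomValues(new Uint8Array(12));   // fresh per upload
  const key = await deriveKey(password, salt);
  const ct = new Uint8Array(
    await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, plain));
  const blob = new Uint8Array(28 + ct.length);
  blob.set(salt, 0); blob.set(iv, 16); blob.set(ct, 28);
  return blob; // the only thing that would be uploaded
}

// Rejects (OperationError) on a wrong password or any modified byte, because
// the GCM tag no longer verifies.
async function openFile(blob, password) {
  if (blob.length < 28 + 16 + 2) throw new RangeError("blob too short");
  const key = await deriveKey(password, blob.subarray(0, 16));
  const plain = new Uint8Array(await wc.subtle.decrypt(
    { name: "AES-GCM", iv: blob.subarray(16, 28) }, key, blob.subarray(28)));
  const nameLen = new DataView(plain.buffer).getUint16(0);
  return {
    filename: dec.decode(plain.subarray(2, 2 + nameLen)),
    content: plain.subarray(2 + nameLen),
  };
}
```

The salt and IV are not secret and travel with the blob; the confidentiality of the file rests entirely on the password, which is why the channel used to share it matters.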

2 comments

Kinrany|10 days ago

Where are you going to share the password?

If you're going to send the link and the password over Slack together, how would that be better than sending directly?

AleksDoesCode|10 days ago

Excellent question!

You are right, if you share the link and the password via the same (possibly compromised) channel, you are still at risk.

It is still mostly fine if you set the self-destruct to 1 successful download and your coworker acts within minutes.

It would be better if you verbally communicate the password in, e.g., a stand-up call ("Guys, password is <InsertProjectName>+<CoworkerName>").

Second best would be 2 different channels: link per Slack, password per SMS.

Best option: Just tell your coworker to set up an account himself and send him a direct transfer. End2End encrypted, asymmetrically using his public key.