Calyx
A personal, zero-knowledge secrets manager for environment variables
The Problem I Was Solving
You know that moment when you clone your project on a new device, run npm install, fire up the dev server, and... nothing works? Then you realize you need to hunt down all those .env files from Slack messages, old laptops, or that one Google Doc you created 6 months ago.
Yeah, I got tired of that too.
So I built Calyx - a simple, secure way to store and access my environment variables across all my devices without ever exposing them to the server. No more searching through chat history or USB drives. Just unlock, copy, and you're back to coding.
What Makes It Different?
Your secrets are encrypted in your browser before they ever touch the server. I literally can't read them even if I wanted to. The encryption key is derived from your passphrase and lives only in memory - it's gone the moment you close the tab.
Copy individual variables, download entire .env files, or grab everything as encrypted backups. It works the way you work.
AES-GCM-256 encryption, PBKDF2 key derivation with 350,000 iterations, unique IVs for every encryption, and auto-lock after 30 minutes of inactivity. Your secrets stay secret.
Every change is automatically tracked. View complete version history, see line-by-line diffs between versions, and restore previous versions with one click. Your audit trail is always encrypted.
Features
- Client-side encryption: Your passphrase never leaves your browser
- Multiple projects: Organize env files by project
- Multiple environments: Store dev, staging, prod files separately
- Download options: Get your .env files in original format
- Smart locking: Auto-lock on inactivity or tab switch
- Fully responsive: Works on mobile, tablet, and desktop
- Version control: Track changes and restore previous versions
How It Works
- Sign in with Supabase authentication
- Create a project (e.g., "My Awesome App")
- Add environment files (paste your .env content)
- Set up your passphrase (first time only)
- Unlock when needed - Your secrets decrypt in the browser
- Copy or download - Get your env vars back instantly
- View version history - See all changes with line-by-line diffs
- Lock when done - Encryption key is cleared from memory
Security Details
- Encryption: AES-GCM-256 (industry standard)
- Key Derivation: PBKDF2-SHA256 with 350,000 iterations
- Salt: 16 random bytes per user (stored in database)
- IV: 12 random bytes per encryption (never reused)
- Key Storage: In-memory only (React Context)
- Passphrase Verification: Test ciphertext stored in database
- Auto-lock: 30 minutes of inactivity or tab visibility change
- RLS Policies: Row-level security ensures you only see your own data
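Here is the derive, encrypt and verify flow from the list above, sketched with the Web Crypto API. This is an added example, not Calyx's own source: the function names, the stored record layout and the verifier plaintext are assumptions.

```javascript
// Added example, not Calyx source. Names and record layout are assumptions.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback for older Node
const enc = new TextEncoder(), dec = new TextDecoder();
const VERIFIER = "calyx-verify"; // hypothetical known plaintext for the test ciphertext

// PBKDF2-SHA256 with 350,000 iterations -> non-extractable AES-GCM-256 key.
async function deriveKey(passphrase, salt) {
  const base = await wc.subtle.importKey("raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: 350000 },
    base, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// A fresh 12-byte random IV per call, stored next to the ciphertext.
async function encrypt(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext));
  return { iv, ct: new Uint8Array(ct) };
}

// Throws if the key is wrong or the ciphertext was modified (GCM tag mismatch).
async function decrypt(key, { iv, ct }) {
  return dec.decode(await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, ct));
}

// First-time setup: everything the server would hold. No passphrase, no key.
async function setup(passphrase) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const key = await deriveKey(passphrase, salt);
  return { salt, verifier: await encrypt(key, VERIFIER) };
}

// Unlock: returns the in-memory key, or null when the passphrase is wrong.
async function unlock(passphrase, record) {
  const key = await deriveKey(passphrase, record.salt);
  try {
    return (await decrypt(key, record.verifier)) === VERIFIER ? key : null;
  } catch {
    return null;
  }
}
```

A wrong passphrase derives a different key, so the AES-GCM tag check on the test ciphertext fails and `unlock` returns null. The stored record (salt, IV, ciphertext) is all the database needs for this check.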
Tech Stack
Why "Calyx"?
A calyx is the protective outer layer of a flower bud - it shields what's inside until it's ready to bloom. Seemed fitting for a secrets manager. 🌸
Ready to Get Started?
Stop hunting for your .env files and start managing them securely.