Show HN: Enseal – Stop pasting secrets into Slack .env sharing from the terminal

[ops_mechanic]

We've all done it — "hey can you DM me the staging .env?" Secrets end up in Slack history, email threads, shared notes — all searchable, all persistent. The secure path (1Password, GPG, etc.) always had more friction than the insecure one, so people took the shortcut. enseal makes the secure path faster than the insecure one: # sender $ enseal share .env Share code: 7-guitarist-revenge Expires: 5 minutes or first receive

# recipient $ enseal receive 7-guitarist-revenge ok: 14 secrets written to .env Zero setup, no accounts, no keys needed for basic use. Channels are single-use and time-limited. The relay never sees plaintext (age encryption + SPAKE2 key exchange). For teams that want more: identity mode with public key encryption, process injection (secrets never touch disk), schema validation, at-rest encryption for git, and a self-hostable relay. Written in Rust. MIT licensed. Available via cargo install, prebuilt binaries, or Docker. Looking for feedback on the UX and security model especially. What would make you actually reach for this instead of the Slack DM?

Detailed documentation here: https://enseal.docsyard.com/

[ivannovazzi]

Nice tool. The core problem you're solving (secrets leaking through comms channels) is real — we've seen teams paste API keys in Slack channels "just this once" and never rotate them.

We approached the same problem from a different angle with KeyEnv (https://keyenv.dev): instead of encrypting the .env transfer, we eliminate .env files entirely. Secrets live in KeyEnv, the CLI injects them at runtime with `keyenv run -- your-command`, and nothing ever touches the filesystem. No file to share, no file to leak.

Your tool still has value for teams that can't migrate away from .env — good building block.