Learn More

Learn more about the Ghostable platform

What is Ghostable?

Ghostable is a secure, collaborative platform for managing and sharing environment variables in Laravel applications. Ghostable simplifies configuration management, enabling you to effortlessly secure and scale your development workflows.

Ghostable v2 introduces a completely zero-knowledge architecture. The Ghostable CLI performs all encryption and decryption locally, so only ciphertext and non-sensitive metadata are transmitted to Ghostable for storage. Your secrets never leave your workstation in a readable form—Ghostable itself cannot view or recover them.

Ghostable abstracts the complexity of securely handling sensitive environment data, ensuring consistency and compliance across your projects and organizations. With Ghostable, you’ll benefit from:
  • Secure Sharing & Management: Safely share environment variables across organizations, projects, and CI/CD pipelines.
  • Comprehensive Versioning: Track every change with full history and instant rollbacks to previous environment configurations.
  • Granular Access Control: Precisely manage permissions at the user, organization, and project level.
  • CI/CD Integration: Seamlessly integrate Ghostable into your automated testing and deployment workflows.
  • Activity Logging: Complete audit trails of environment variable interactions for compliance and security audits.
  • Easy Local Inspection: Effortlessly pull environment variables locally for debugging and testing.
  • API Driven: Full-featured API to integrate with third-party compliance tools, monitoring platforms, and AI-powered workflows.
In short, you can think of Ghostable as your central hub for secure, compliant, and collaborative environment variable management—built specifically with Laravel developers in mind.

Security

Ghostable never compromises on the fundamentals: zero-knowledge architecture, strong encryption, and transparency. We treat your environment variables with the same care and respect as our own — because your trust depends on it.

Zero-knowledge

Your environment data is encrypted locally before it ever leaves your machine. The ciphertext stored on Ghostable’s servers is mathematically impossible for us to decrypt — because we never see your encryption keys. Your encryption keys live securely inside your operating system’s keychain and are managed entirely on your devices. You can export or import the master seed that Ghostable uses to derive per-environment keys, making it easy to onboard additional trusted machines.
Ghostable never stores or transmits your key material in plaintext form — only encrypted ciphertext and metadata are ever persisted.

# Export the master seed
ghostable key:export

# Import the master seed
ghostable key:set

The exported value is shown only once and should be stored securely in a team-managed vault such as 1Password, Bitwarden, or LastPass. Setting the same master seed on another workstation allows it to derive identical per-environment keys, ensuring seamless decryption across trusted devices. Even with a shared seed, access remains gated by Ghostable’s permission system — only users authorized to pull a specific environment can decrypt its data.

What We Can See

  • That an environment exists.
  • Basic metadata about each encrypted variable — such as the algorithm used, ciphertext size, and a keyed hash (HMAC) that lets us detect changes or duplicates.
  • When variables are updated or accessed (for audit history).
  • Which user or system performed an action.

What We Cannot See

  • Your environment variable values.
  • Your encryption keys or any data derived from them.
  • Anything that could be used to decrypt your environments.
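
The seed-to-key derivation from the Zero-knowledge section and the server-visible metadata listed above, sketched as an added example. This is not Ghostable's code: the page does not document its key derivation or record format, so HKDF-SHA256, the "enc"/"mac" labels, AES-256-GCM for values and the record field names are all assumptions.

```javascript
// Added illustration, not Ghostable's implementation. Assumptions: HKDF-SHA256,
// the "enc"/"mac" labels, AES-256-GCM for values, and the record field names.
const crypto = require('node:crypto');

// Derive independent 32-byte keys for one environment from the master seed.
function deriveKeys(masterSeed, envId) {
  const hkdf = (label) => Buffer.from(
    crypto.hkdfSync('sha256', masterSeed, Buffer.alloc(0), `${label}:${envId}`, 32));
  return { encKey: hkdf('enc'), macKey: hkdf('mac') };
}

// Encrypt locally. The returned record is everything the server would receive.
function sealValue(keys, value) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', keys.encKey, iv);
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return {
    alg: 'aes-256-gcm',
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ct.toString('base64'),
    size: ct.length,
    // Keyed hash: equal values give equal HMACs, so changes and duplicates
    // are detectable, but guesses cannot be tested without macKey.
    hmac: crypto.createHmac('sha256', keys.macKey).update(value).digest('hex'),
  };
}

// Decrypt with keys derived from the same seed; throws on a wrong key or tampering.
function openValue(keys, record) {
  const d = crypto.createDecipheriv('aes-256-gcm', keys.encKey,
    Buffer.from(record.iv, 'base64'));
  d.setAuthTag(Buffer.from(record.tag, 'base64'));
  const pt = Buffer.concat([d.update(Buffer.from(record.ciphertext, 'base64')), d.final()]);
  return pt.toString('utf8');
}

// Constructed sample data: a random seed and a made-up secret value.
const seed = crypto.randomBytes(32);
const record = sealValue(deriveKeys(seed, 'production'), 'constructed-example-value');
const secondMachine = deriveKeys(seed, 'production'); // same seed imported elsewhere
console.log(openValue(secondMachine, record));
console.log(Object.keys(record).join(','));
```

Because the HMAC is deterministic under one key, equal values in the same environment are linkable to anyone who can read the metadata, which is the trade-off that makes duplicate detection possible.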

Strong Encryption

Because Ghostable is zero-knowledge by default, we never have access to your secret values. Even the operational metadata — like algorithm identifiers, HMACs, and ciphertext size — is encrypted at rest using industry-standard AES-256-GCM.
This ensures that every piece of data, no matter how small, is protected with the same level of care as your actual environment secrets.

Transparent Access

Ghostable gives your team complete visibility into how environments are used—without ever exposing sensitive data. Every push, pull, and change is logged, so you always know when data changed, who accessed it, and what actions were taken. Comprehensive audit trails and permission logs keep your team accountable while removing the need to manage or commit .env files by hand.

Permissions, Not Keys

Each team member can push or pull environments only if their assigned role allows it—and even then, decryption happens only with their own locally-held key. Because of this, you never need to check an encrypted .env file into your repository. No merge conflicts, no stale variables, and no relying on commit messages to guess what changed. Environment history and access control live in Ghostable—not in Git. Paid plans add fine-grained controls, letting you restrict access down to individual projects or environments within an organization, ensuring that developers, contractors, and CI systems only see what they actually need.

Collaborators

You can invite others to your organization through the Ghostable web app. Each collaborator can be assigned a specific role and permission level — for example, read-only or read-write access to environment variables. Paid plans unlock advanced, fine-grained access controls, letting you scope permissions down to individual projects or even specific environments within an organization. This allows larger teams to delegate access safely while maintaining tight control over production secrets.

Our Terms of Service and Privacy Policy outline the terms, conditions, and privacy practices for using Ghostable. By using Ghostable, you agree to these policies.