Encryption Specs
EnvPush is built on a foundation of zero-knowledge encryption. We leverage industry-standard cryptographic primitives to ensure your data is accessible only by you.
Zero-Knowledge Architecture
Zero-knowledge means that your data is encrypted **locally** using keys derived from a password that only you know. Our servers store only the encrypted blobs (ciphertexts) and never have access to your keys or plaintext data.
Key Derivation
We use **PBKDF2-HMAC-SHA256** to derive your encryption key from your master password.
- Iterations: 100,000
- Salt: Unique per-user
- Hash: SHA-256
Data Encryption
Every secret is encrypted using **AES-256-GCM**, providing both confidentiality and integrity.
- Algorithm: AES-256
- Mode: GCM (Galois/Counter Mode)
- IV: 96-bit unique nonce
Threat Model
Server Breaches
Because data is encrypted client-side, a breach of our database would expose only encrypted data, which is useless without your master password.
Man-in-the-Middle
All communication is forced over HTTPS, and since the data is already encrypted before being sent, network eavesdroppers cannot see your secrets.
Open-Source DNA
Our encryption logic is transparently implemented in the `envpush-cli` and web app. Security through obscurity is not security. We believe in open, peer-vetted code.