Vaults & Security

Security isn't a feature; it's our foundation. EnvPush is built on a zero-knowledge architecture that ensures your secrets are never exposed.

Zero-Knowledge Architecture

In a zero-knowledge system, the service provider (us) has no way to access the data you store. Your encryption keys are derived from your password entirely within your browser or CLI.

How we encrypt your data

Key Derivation

We use PBKDF2 with 100,000 iterations and a unique cryptographic salt to derive a 256-bit AES key from your vault password.

Encryption Standard

Data is encrypted using AES-256-GCM (Galois/Counter Mode), providing both confidentiality and authenticity for every secret.

Vault Life Cycle

Encryption (Local)

The browser encrypts the secret. Only the encrypted "ciphertext" is sent to our servers.

Storage (Server)

We store the ciphertext, IV (Initialization Vector), and Auth Tag. We have no key to decrypt it.

Decryption (Local)

When you access a vault, your browser pulls the ciphertext and decrypts it using the key derived from your password.

Technical Specifications

Our cryptography is implemented using the standard Web Crypto API, ensuring it is natively supported and highly performant in all modern browsers.