Architecture

Understanding Envault's security model

Security Architecture

Envault prioritizes security above all else. Our architecture is designed to ensure that your secrets remain confidential, even in the event of a database compromise.

Hybrid Encryption Model

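We use a multi-tiered encryption strategy (envelope encryption): each project's secrets are encrypted with a Data Key, and that Data Key is stored encrypted under the Master Key.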

Request Flow

When a user requests a secret (e.g., via envault pull):

  1. Auth: CLI authenticates via Device Flow.
  2. Permission Check: Server verifies user has Viewer or Editor role.
  3. Key Retrieval: Server fetches the encrypted Data Key for the project.
  4. Decryption: Server decrypts the Data Key using the Master Key.
  5. Secret Decryption: Server uses the Data Key to decrypt the secrets.
  6. Transmission: Secrets are sent over TLS to the CLI.

This ensures that the plaintext secrets never reside on disk on the server side (except potentially in swap, which should be disabled or encrypted in production).
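
The key hierarchy behind steps 3 to 5, as an added example rather than Envault's own code. It assumes AES-256-GCM for both tiers and binds the project ID as associated data; the function names (`seal`, `unseal`, `createProject`, `pullSecrets`) and the stored row layout are hypothetical.

```javascript
// Added example, not Envault source. Assumptions: AES-256-GCM on both tiers,
// 12-byte random nonces, project ID bound as additional authenticated data.
const crypto = require('node:crypto');

// Encrypt `plaintext` under `key`; returns nonce || tag || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// Reverse of seal(); throws if the key, AAD, or ciphertext do not match.
function unseal(key, blob, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Write path: a fresh Data Key per project, persisted only in wrapped form.
function createProject(masterKey, projectId, secrets) {
  const dataKey = crypto.randomBytes(32);
  const aad = Buffer.from(projectId);
  const row = {
    projectId,
    wrappedDataKey: seal(masterKey, dataKey, aad),
    encryptedSecrets: seal(dataKey, Buffer.from(JSON.stringify(secrets)), aad),
  };
  dataKey.fill(0); // best-effort wipe of the plaintext Data Key
  return row;
}

// Steps 3-5 of the request flow: unwrap the Data Key, then decrypt the secrets.
function pullSecrets(masterKey, row) {
  const aad = Buffer.from(row.projectId);
  const dataKey = unseal(masterKey, row.wrappedDataKey, aad);
  try {
    return JSON.parse(unseal(dataKey, row.encryptedSecrets, aad).toString('utf8'));
  } finally {
    dataKey.fill(0); // plaintext key lives only for the duration of the request
  }
}
```

A stolen database row is useless without the Master Key, and because the project ID is authenticated, a row copied under another project's ID fails to decrypt instead of leaking that project's secrets.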
