Security you can verify.
Every secret is encrypted before it touches our database. The CLI is open source so you can audit exactly what leaves your machine.
Encryption at rest
Every secret is encrypted using AES-256-GCM the moment you save it — before it's written to disk. GCM mode provides both confidentiality and integrity, meaning we can detect if stored data has been tampered with.
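The tamper detection described above can be seen in a short sketch. This is an added example, not EnvMaster's code: the two in-memory maps, the per-project key and the use of the record's `project/name` path as additional authenticated data are assumptions made for illustration.

```javascript
// Added illustration, not EnvMaster's code. Store layout, per-project keys and
// the AAD binding are assumptions made for this sketch.
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const keyStore = new Map();  // projectId -> 32-byte AES-256 key
const dataStore = new Map(); // "project/name" -> { iv, ciphertext, tag }

function saveSecret(projectId, name, plaintext) {
  if (!keyStore.has(projectId)) keyStore.set(projectId, randomBytes(32));
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption under a key
  const cipher = createCipheriv('aes-256-gcm', keyStore.get(projectId), iv);
  // Authenticate the record's location so it cannot be moved to another name.
  cipher.setAAD(Buffer.from(`${projectId}/${name}`));
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  dataStore.set(`${projectId}/${name}`, { iv, ciphertext, tag: cipher.getAuthTag() });
}

function readSecret(projectId, name) {
  const rec = dataStore.get(`${projectId}/${name}`);
  const key = keyStore.get(projectId);
  if (!rec || !key) return { ok: false, reason: 'missing' };
  try {
    // authTagLength pins the tag to 16 bytes so a truncated tag is rejected.
    const decipher = createDecipheriv('aes-256-gcm', key, rec.iv, { authTagLength: 16 });
    decipher.setAAD(Buffer.from(`${projectId}/${name}`));
    decipher.setAuthTag(rec.tag);
    const plain = Buffer.concat([decipher.update(rec.ciphertext), decipher.final()]);
    return { ok: true, value: plain.toString('utf8') };
  } catch {
    return { ok: false, reason: 'tampered' }; // tag check failed: return no plaintext
  }
}

// Constructed sample value, not a real credential.
saveSecret('proj-a', 'DATABASE_URL', 'postgres://constructed-example');
console.log(readSecret('proj-a', 'DATABASE_URL').ok);
```

A reader that fails the tag check should surface the failure and never fall back to returning partially decrypted bytes.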
Open source CLI
The EnvMaster CLI is fully open source. You can read every line of code that runs on your machine — see exactly what gets sent to our servers, how credentials are stored locally, and how variables are injected into your processes.
Honest limitations
We're not zero-knowledge. True zero-knowledge encryption means the server can never decrypt your secrets — but it also means no web dashboard, no API keys for CI/CD, and complex key exchange for team sharing. EnvMaster is designed to be useful first.
If your threat model requires zero-knowledge guarantees, Infisical's self-hosted option is worth looking at.
Security principles
Minimal exposure
Plaintext values only exist in memory during the request lifecycle. They're never written to disk, never logged, and never included in error messages or stack traces.
Separation of concerns
Encryption keys and encrypted data live in completely separate stores. An attacker who compromises one without the other gains nothing usable.
Transparency over obscurity
The CLI is open source so you can verify our claims. We document our limitations honestly rather than hiding them in fine print.
Per-project access control
Team members only have access to projects they're explicitly invited to. A frontend developer can never see backend secrets.
Full audit trail
Every write and delete is logged with a timestamp and the actor responsible. When something breaks, you'll know if a secret change was involved.
Found a vulnerability?
If you've found a security issue in EnvMaster, please disclose it responsibly. Email us directly and we'll respond within 48 hours.
contact@atlantisservices.net