Security

Security you can verify

Envie is built on zero-trust principles. We don't ask you to trust us — the code is open source and the architecture ensures we can't access your secrets even if we wanted to.

Zero-Knowledge Architecture

Envie servers never have access to your unencrypted data. All encryption and decryption happens locally on your device.

Client-Side Encryption

Every piece of data is encrypted using XChaCha20-Poly1305 before leaving your device. The server only stores encrypted blobs.

Key Ownership

You control all encryption keys. Project keys, team keys, and your master identity key never leave your device unencrypted.

Secure Local Storage

Encryption keys are stored in Stronghold, a secure storage library designed for cryptocurrency wallets.

How encryption works

All encryption happens on your device. The server only sees encrypted data.

Your Device
DATABASE_URL=postgres://...
API_KEY=sk_live_...
Plaintext data
Encryption keys
XChaCha20-Poly1305

Encrypted before leaving device

Envie Server
7A93F4B2C1D8E9F0...
3B2A1C4D5E6F7890...
Only encrypted blobs
Cannot decrypt

Key hierarchy

Envie uses a hierarchical key structure for maximum security and flexibility.

1

Master Identity Key

Your personal key that unlocks access to all your projects and teams. Stored securely in Stronghold on your device.

2

Team Keys

Shared keys for team collaboration. Encrypted with each team member's public key so only members can decrypt.

3

Project Keys

Individual keys for each project. Can be rotated independently when team members leave.

4

File Encryption Keys

Each file has its own encryption key, further wrapped by the project key for defense in depth.

Additional security measures

Double-Admin Key Rotation

For organizations, key rotation requires approval from two admins. This prevents a single compromised account from affecting all secrets.

Device Identities

Each device generates its own Ed25519 key pair. New devices must be approved by existing devices before accessing secrets.

Asymmetric Key Exchange

Team keys are securely shared using X25519 key exchange. Only recipients with the correct private key can decrypt.

Server Blindness

The server facilitates sync but cannot read your data. Even a compromised server reveals nothing useful to attackers.

Verify it yourself

Envie is fully open source. Review the code, audit the encryption, and verify our security claims yourself.

View Source on GitHub