
Frequently Asked Questions

Everything you need to know about envnest, from encryption and CLI usage to pricing and integrations.

How are secrets encrypted?

Every secret is encrypted using AES-256-GCM with a unique 32-byte data encryption key (DEK). Each DEK is wrapped by a key encryption key (KEK) via KMS using envelope encryption. Secrets are never stored in plaintext at rest.
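The envelope scheme described above, written out as an added, self-contained example (this is illustrative code, not envnest's implementation). It assumes a stand-in `fakeKMS` type that holds the KEK and exposes only wrap/unwrap, as a real KMS would; each secret gets its own random 32-byte DEK, the value is sealed with AES-256-GCM under that DEK, the DEK is wrapped by the KEK, and only the wrapped DEK and ciphertext are kept. Binding the secret's key name as GCM associated data is an added detail that stops a stored ciphertext from being silently moved under another key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// fakeKMS stands in for the KMS: it holds the KEK and only ever exposes
// wrap/unwrap, never the KEK itself. Constructed for this example.
type fakeKMS struct{ kek []byte }

func newFakeKMS() (*fakeKMS, error) {
	kek := make([]byte, 32) // AES-256 key encryption key
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &fakeKMS{kek: kek}, nil
}

// sealGCM encrypts plaintext with AES-256-GCM under key, binds aad to the
// ciphertext, and returns nonce || ciphertext || tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per encryption
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails if ciphertext, tag or aad was altered.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Wrap and Unwrap model the KMS Encrypt/Decrypt calls applied to a DEK.
func (k *fakeKMS) Wrap(dek []byte) ([]byte, error)       { return sealGCM(k.kek, dek, []byte("dek")) }
func (k *fakeKMS) Unwrap(wrapped []byte) ([]byte, error) { return openGCM(k.kek, wrapped, []byte("dek")) }

// StoredSecret is the at-rest record: wrapped DEK plus ciphertext,
// never the plaintext value or the plaintext DEK.
type StoredSecret struct {
	Key        string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt generates a unique 32-byte DEK for this secret, seals the value
// with it, wraps the DEK through the KMS and drops the plaintext DEK.
func Encrypt(k *fakeKMS, key string, value []byte) (StoredSecret, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredSecret{}, err
	}
	ct, err := sealGCM(dek, value, []byte(key)) // key name bound as AAD
	if err != nil {
		return StoredSecret{}, err
	}
	wrapped, err := k.Wrap(dek)
	if err != nil {
		return StoredSecret{}, err
	}
	return StoredSecret{Key: key, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt asks the KMS to unwrap the DEK, then opens the value with it.
func Decrypt(k *fakeKMS, s StoredSecret) ([]byte, error) {
	dek, err := k.Unwrap(s.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, s.Ciphertext, []byte(s.Key))
}

func main() {
	k, _ := newFakeKMS()
	s, _ := Encrypt(k, "DATABASE_URL", []byte("postgres://user:pw@db/app")) // constructed value
	fmt.Printf("stored: %d ciphertext bytes, %d wrapped-DEK bytes\n", len(s.Ciphertext), len(s.WrappedDEK))
	v, _ := Decrypt(k, s)
	fmt.Println("decrypted:", string(v))
}
```

Two properties worth checking against such a store: the ciphertext must not contain the plaintext, and a record re-labelled with a different key name (or presented to a KMS holding a different KEK) must fail authentication rather than decrypt.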

Is envnest a zero-knowledge system?

No. envnest performs server-side encryption and decryption using envelope encryption with KMS. The server needs access to the KEK to wrap and unwrap data encryption keys. We believe transparency about our security model is more valuable than a misleading marketing claim. For full control over key material, you can bring your own AWS KMS.

Can I use envnest in CI/CD pipelines?

Yes. Use `envnest inject` to inject secrets into any process at runtime, which works seamlessly in CI/CD pipelines. GitHub Actions integration is available for syncing secrets directly. GitLab and Vercel integrations are coming soon.

What happens if envnest goes down?

Secrets already injected into running processes are unaffected. For new deployments, you can keep a local encrypted backup using `envnest sync pull`. Your secrets are always encrypted at rest and in transit, so even cached copies remain protected.

How does the CLI authenticate?

Run `envnest auth login` to authenticate with your API token or email and password. The CLI stores your session token locally. For CI/CD environments, you can use scoped API tokens tied to specific projects and environments via service accounts.

What is the `envnest inject` command?

It runs any command with secrets injected as environment variables. For example, `envnest inject -- npm start` starts your app with all secrets available as env vars. No .env files touch the disk and nothing is exposed in process listings.
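The runtime-injection pattern behind a command like `envnest inject -- npm start`, as an added example rather than envnest's own code: the secrets (constructed here; in practice they would come from the decrypted store) are layered onto the parent environment and handed to the child process's environment block only. Nothing is written to disk, and because the values travel in the environment rather than in argv, they are not part of the command line a process listing shows. `mergeEnv` and `Inject` are names chosen for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strings"
)

// mergeEnv returns the parent environment with the secrets layered on top.
// A secret whose name already exists in the parent replaces it, so the child
// never sees a stale copy left over in the caller's shell.
func mergeEnv(parent []string, secrets map[string]string) []string {
	out := make([]string, 0, len(parent)+len(secrets))
	for _, kv := range parent {
		name := strings.SplitN(kv, "=", 2)[0]
		if _, overridden := secrets[name]; !overridden {
			out = append(out, kv)
		}
	}
	names := make([]string, 0, len(secrets))
	for name := range secrets {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic order for the child
	for _, name := range names {
		out = append(out, name+"="+secrets[name])
	}
	return out
}

// Inject runs name with args, with the secrets present only in the child's
// environment. It returns whatever the child wrote to stdout.
func Inject(secrets map[string]string, name string, args ...string) (string, error) {
	cmd := exec.Command(name, args...)
	cmd.Env = mergeEnv(os.Environ(), secrets)
	var stdout bytes.Buffer
	cmd.Stdout = &stdout
	cmd.Stderr = os.Stderr
	err := cmd.Run()
	return stdout.String(), err
}

func main() {
	// Constructed secrets; a real injector would decrypt them from the store.
	secrets := map[string]string{"API_KEY": "example-key", "DATABASE_URL": "postgres://db/app"}
	out, err := Inject(secrets, "sh", "-c", `printf '%s' "$API_KEY"`)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("child saw API_KEY =", out)
}
```

The child shell in `main` only echoes the variable to show it arrived; a real workload such as `npm start` would read it the same way, through its environment.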

Can I bring my own KMS?

Yes. envnest uses a built-in KMS by default, but you can configure your own AWS KMS for complete control over key encryption keys. This means the KEK never leaves your AWS account.

How does secret versioning work?

Every change to a secret creates a new version. You can view the full history with `envnest secret history`, compare values between versions, and roll back to any previous version instantly with `envnest secret rollback`.

What AI features does envnest include?

All paid plans include four AI features that work exclusively on secret metadata — never plaintext values. Sync diff analysis (`envnest sync diff --ai`) summarizes environment differences with a risk assessment before you deploy. Secret risk analysis (`envnest secrets analyze`) scans for stale secrets, leaked keys, suspicious patterns like CHANGEME or DUMMY, and secrets shared across environments, returning severity-rated findings with remediation advice. Secret grouping automatically recommends group names when you create or update a secret to keep your environment organized. Natural language ask (`envnest ask`) lets you query your secrets in plain English — "how many secrets haven't been rotated in 90 days?" or "which keys appear in staging but not production?" — with answers drawn from metadata only. Every AI call counts toward your monthly quota (50 on Solo, 100 on Team, unlimited on Business).
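A plain rule-based version of the checks the risk analysis above lists (placeholder or empty values, secrets not rotated within a window, and one value reused across environments), added as an example; it is not envnest's analyzer and uses no AI. To keep the scan on metadata, each value is represented only by its SHA-256 digest, and placeholders are detected by comparing digests against a constructed list of known placeholder strings. The `SecretMeta` and `Finding` types, the sample data and the 90-day window are all assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
	"time"
)

// SecretMeta is what the scanner sees: the value appears only as a digest.
type SecretMeta struct {
	Env       string
	Key       string
	ValueHash string
	UpdatedAt time.Time
}

type Finding struct {
	Severity string // "high" or "medium"
	Env      string
	Key      string
	Reason   string
}

func HashValue(v string) string {
	sum := sha256.Sum256([]byte(v))
	return hex.EncodeToString(sum[:])
}

// Placeholders are matched by digest so the check needs no plaintext.
// Constructed list; the empty string catches empty secrets.
var placeholderHashes = func() map[string]string {
	m := map[string]string{}
	for _, p := range []string{"", "CHANGEME", "changeme", "DUMMY", "dummy", "TODO"} {
		m[HashValue(p)] = p
	}
	return m
}()

// Analyze flags empty or placeholder values, values older than maxAge, and
// the same value reused for one key across several environments.
func Analyze(secrets []SecretMeta, now time.Time, maxAge time.Duration) []Finding {
	var findings []Finding
	envsByKeyAndHash := map[string]map[string][]string{} // key -> digest -> envs
	for _, s := range secrets {
		if label, ok := placeholderHashes[s.ValueHash]; ok {
			reason := "placeholder value " + label
			if label == "" {
				reason = "empty value"
			}
			findings = append(findings, Finding{"high", s.Env, s.Key, reason})
		}
		if age := now.Sub(s.UpdatedAt); age > maxAge {
			findings = append(findings, Finding{"medium", s.Env, s.Key,
				fmt.Sprintf("not rotated in %d days", int(age.Hours()/24))})
		}
		if envsByKeyAndHash[s.Key] == nil {
			envsByKeyAndHash[s.Key] = map[string][]string{}
		}
		envsByKeyAndHash[s.Key][s.ValueHash] = append(envsByKeyAndHash[s.Key][s.ValueHash], s.Env)
	}
	for key, byHash := range envsByKeyAndHash {
		for _, envs := range byHash {
			if len(envs) > 1 {
				sort.Strings(envs)
				findings = append(findings, Finding{"medium", strings.Join(envs, "+"), key,
					"same value shared across environments"})
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool { // high first, then by key and env
		if findings[i].Severity != findings[j].Severity {
			return findings[i].Severity == "high"
		}
		if findings[i].Key != findings[j].Key {
			return findings[i].Key < findings[j].Key
		}
		return findings[i].Env < findings[j].Env
	})
	return findings
}

// sampleSecrets is constructed input with ages relative to the given time.
func sampleSecrets(now time.Time) []SecretMeta {
	day := 24 * time.Hour
	return []SecretMeta{
		{"staging", "API_KEY", HashValue("CHANGEME"), now.Add(-5 * day)},
		{"production", "API_KEY", HashValue("prod-key-constructed"), now.Add(-200 * day)},
		{"staging", "DATABASE_URL", HashValue("postgres://db/app"), now.Add(-10 * day)},
		{"production", "DATABASE_URL", HashValue("postgres://db/app"), now.Add(-10 * day)},
		{"production", "SMTP_PASSWORD", HashValue(""), now.Add(-1 * day)},
	}
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	for _, f := range Analyze(sampleSecrets(now), now, 90*24*time.Hour) {
		fmt.Printf("[%s] %s/%s: %s\n", f.Severity, f.Env, f.Key, f.Reason)
	}
}
```

On the sample data this yields four findings: the CHANGEME placeholder in staging, the empty SMTP password in production, the production API key not rotated in 200 days, and the database URL shared by staging and production.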

What can I do with `envnest ask`?

The `envnest ask` command lets you query your secrets using plain English. You can ask things like "how many secrets are empty?", "which keys are flagged as leaked?", or "list all secrets in the database group". The AI uses tool calls to look up counts, key names, and metadata — it never reads or reveals secret values. This is available on all paid plans and counts toward your monthly AI call quota.

How is the org/project/environment hierarchy structured?

envnest organizes secrets in a three-level hierarchy: organizations, projects, and environments. You set your working context once with `envnest context set --org=acme --project=api --env=staging` and all subsequent commands operate within that context.

What is secret sharing?

Secret sharing lets you create time-limited, single-use links to share individual secrets securely. The link expires after a set duration or after the first access, so secrets are never left exposed in chat threads or email.

How does password leak scanning work?

envnest integrates with Have I Been Pwned (HIBP) to check whether any of your secret values have appeared in known data breaches. This is available on Team and Business plans and helps you identify compromised credentials proactively.

What are protected environments?

Protected environments add an extra layer of safety to sensitive environments like production. They can require approval workflows before secrets are modified and prevent accidental changes from unauthorized team members.

What are service accounts?

Service accounts are non-human identities used for CI/CD pipelines, automated scripts, and integrations. They have scoped API tokens tied to specific projects and environments, so your automation only accesses what it needs.

How does role-based access control work?

envnest provides fine-grained RBAC at the organization, project, and environment level. Team plans include built-in roles, while Business plans let you define custom roles with granular permission sets tailored to your workflow.

What integrations are available?

GitHub Actions integration is available now for syncing secrets into your CI/CD workflows. Webhooks are supported on Team and Business plans for custom integrations. GitLab and Vercel integrations are coming soon.

How long are audit logs retained?

The Free plan includes 7 days of activity history. The Team plan retains 30 days of audit logs. The Business plan provides full audit log retention for 1 year or more, covering every read, write, delete, and permission change.

What does policy enforcement include?

Available on the Business plan, policy enforcement lets you configure approval workflows for secret changes, set deploy rules for specific environments, and enforce organizational security policies across all projects.

Does envnest support key rotation?

Yes. On the Business plan, you can schedule automatic key rotation for your encryption keys. This ensures your key material is regularly refreshed without manual intervention, following security best practices.

Is there a free tier?

Yes. The Free plan includes 1 user, 1 project with 3 environments, basic secrets management, secret sharing with time-limited links, and 7-day activity history. No credit card required to get started.

Is there a self-hosted option?

Yes. EnvNest can be deployed on your own infrastructure using Docker Compose. It runs six services — app, worker, scheduler, PostgreSQL, Redis, and MinIO — with a single `docker compose up -d`. Self-hosted plans start at $1,500/year for up to 10 seats. Distributed as pre-built Docker images — no source code access required.

Can I use my own KMS with self-hosted?

Yes. Self-hosted ships with a software KMS using envelope encryption and a local key by default. For enterprise deployments you can plug in HashiCorp Vault (Transit secrets engine) or AWS KMS. The KMS driver is configured via a single `KMS_DRIVER` environment variable.