Support

Frequently Asked Questions

Everything you need to know about envnest, from encryption and CLI usage to pricing and integrations.

How are secrets encrypted?

Every secret is encrypted using AES-256-GCM with a unique 32-byte data encryption key (DEK). Each DEK is wrapped by a key encryption key (KEK) via KMS using envelope encryption. Secrets are never stored in plaintext at rest.
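The envelope scheme described above, as an added example (not envnest's code): a local 32-byte KEK stands in for the KMS, AES-256-GCM is also used to wrap the DEK, and the record layout, function names and use of the secret name as associated data are assumptions. `rewrap` goes one step beyond the answer to show that changing the KEK only re-wraps the DEK.

```javascript
// Added example, not envnest code. A local KEK stands in for the KMS.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');
// AES-256-GCM with a fresh 96-bit nonce; aad is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ct, tag: cipher.getAuthTag() };
}

// Throws if the key, nonce, ciphertext, tag or aad does not match.
function open(key, box, aad) {
  const decipher = createDecipheriv('aes-256-gcm', key, box.nonce);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// One unique 32-byte DEK per secret; only its wrapped form is stored.
function encryptSecret(kek, name, value) {
  const dek = randomBytes(32);
  const aad = Buffer.from(name, 'utf8'); // assumption: bind record to its name
  const record = {
    name,
    data: seal(dek, Buffer.from(value, 'utf8'), aad),
    wrappedDek: seal(kek, dek, aad), // stand-in for a KMS wrap call
  };
  dek.fill(0); // drop the plaintext DEK from memory once used
  return record;
}

function decryptSecret(kek, record) {
  const aad = Buffer.from(record.name, 'utf8');
  const dek = open(kek, record.wrappedDek, aad); // stand-in for a KMS unwrap call
  const value = open(dek, record.data, aad).toString('utf8');
  dek.fill(0);
  return value;
}

// Changing the KEK re-wraps the DEK; the secret's ciphertext is untouched.
function rewrap(oldKek, newKek, record) {
  const aad = Buffer.from(record.name, 'utf8');
  const dek = open(oldKek, record.wrappedDek, aad);
  const wrappedDek = seal(newKek, dek, aad);
  dek.fill(0);
  return { ...record, wrappedDek };
}
```

What lands in storage is `record`: the secret's nonce, ciphertext and tag plus the wrapped DEK, none of which is usable without the KEK.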

Is envnest a zero-knowledge system?

No. envnest performs server-side encryption and decryption using envelope encryption with KMS. The server needs access to the KEK to wrap and unwrap data encryption keys. We believe transparency about our security model is more valuable than a misleading marketing claim. For full control over key material, you can bring your own AWS KMS.

Can I use envnest in CI/CD pipelines?

Yes. Use `envnest inject` to inject secrets into any process at runtime, which works seamlessly in CI/CD pipelines. GitHub Actions integration is available for syncing secrets directly. GitLab and Vercel integrations are coming soon.

What happens if envnest goes down?

Secrets already injected into running processes are unaffected. For new deployments, you can keep a local encrypted backup using `envnest sync pull`. Your secrets are always encrypted at rest and in transit, so even cached copies remain protected.

How does the CLI authenticate?

Run `envnest auth login` to authenticate with your API token or email and password. The CLI stores your session token locally. For CI/CD environments, you can use scoped API tokens tied to specific projects and environments via service accounts.

What is the `envnest inject` command?

It runs any command with secrets injected as environment variables. For example, `envnest inject -- npm start` starts your app with all secrets available as env vars. No .env files touch the disk and nothing is exposed in process listings.

Can I bring my own KMS?

Yes. envnest uses a built-in KMS by default, but you can configure your own AWS KMS for complete control over key encryption keys. This means the KEK never leaves your AWS account.

How does secret versioning work?

Every change to a secret creates a new version. You can view the full history with `envnest secret history`, compare values between versions, and roll back to any previous version instantly with `envnest secret rollback`.

What does the AI-powered diff do?

Running `envnest sync diff --ai` compares your local .env against the remote version and uses AI to analyze the differences. It provides risk assessments, identifies potential issues, and gives context about what changed and why it might matter.

How is the org/project/environment hierarchy structured?

envnest organizes secrets in a three-level hierarchy: organizations, projects, and environments. You set your working context once with `envnest context set --org=acme --project=api --env=staging` and all subsequent commands operate within that context.

What is secret sharing?

Secret sharing lets you create time-limited, single-use links to share individual secrets securely. The link expires after a set duration or after the first access, so secrets are never left exposed in chat threads or email.

How does password leak scanning work?

envnest integrates with Have I Been Pwned (HIBP) to check whether any of your secret values have appeared in known data breaches. This is available on Team and Business plans and helps you identify compromised credentials proactively.
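A breach lookup of this kind can be done without sending the secret or its full hash, shown here as an added example (not envnest's code). It assumes the HIBP Pwned Passwords range format, where only the first five hex characters of the SHA-1 are sent and `SUFFIX:COUNT` lines come back; the page does not say which HIBP interface envnest uses, and the response body below is constructed.

```javascript
// Added example, not envnest code: k-anonymity lookup against a
// Pwned Passwords style range response (assumed interface).
const { createHash } = require('node:crypto');

// Only `prefix` would leave the machine; `suffix` is compared locally.
function rangeQuery(secret) {
  const hex = createHash('sha1').update(secret, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Scan "SUFFIX:COUNT" lines for our suffix. Padding entries carry a
// count of 0 and are treated as "not found".
function breachCount(secret, responseBody) {
  const { suffix } = rangeQuery(secret);
  for (const line of responseBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      return parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// Constructed response for prefix 5BAA6 (the SHA-1 prefix of "password").
// The counts are made up; the first and last suffixes are filler.
const SAMPLE_BODY = [
  '0'.repeat(34) + 'A:3',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:7',
  'F'.repeat(35) + ':0',
].join('\r\n');

function demo() {
  return {
    sent: rangeQuery('password').prefix,
    leaked: breachCount('password', SAMPLE_BODY),
    clean: breachCount('constructed-unleaked-value', SAMPLE_BODY),
  };
}
```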

What are protected environments?

Protected environments add an extra layer of safety to sensitive environments like production. They can require approval workflows before secrets are modified and prevent accidental changes from unauthorized team members.

What are service accounts?

Service accounts are non-human identities used for CI/CD pipelines, automated scripts, and integrations. They have scoped API tokens tied to specific projects and environments, so your automation only accesses what it needs.

How does role-based access control work?

envnest provides fine-grained RBAC at the organization, project, and environment level. Team plans include built-in roles, while Business plans let you define custom roles with granular permission sets tailored to your workflow.

What integrations are available?

GitHub Actions integration is available now for syncing secrets into your CI/CD workflows. Webhooks are supported on Team and Business plans for custom integrations. GitLab and Vercel integrations are coming soon.

How long are audit logs retained?

The Free plan includes 7 days of activity history. The Team plan retains 30 days of audit logs. The Business plan provides full audit log retention for 1 year or more, covering every read, write, delete, and permission change.

What does policy enforcement include?

Available on the Business plan, policy enforcement lets you configure approval workflows for secret changes, set deploy rules for specific environments, and enforce organizational security policies across all projects.

Does envnest support key rotation?

Yes. On the Business plan, you can schedule automatic key rotation for your encryption keys. This ensures your key material is regularly refreshed without manual intervention, following security best practices.

Is there a free tier?

Yes. The Free plan includes 1 user, 1 project with 3 environments, basic secrets management, secret sharing with time-limited links, and 7-day activity history. No credit card required to get started.