Encryption & Security

Protect your secrets with AES-256-GCM client-side encryption.

Overview

EnvMark supports optional AES-256-GCM encryption for your .env files. When enabled:

  • Files are encrypted before being pushed to the repository
  • Files are decrypted after being pulled from the repository
  • Encryption keys are stored locally and never transmitted
  • Even if someone gains access to your Git repository, they cannot read your secrets without the key

How It Works

┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│   Local .env    │ ──▶ │   Encrypted     │ ──▶ │ Git Repository  │
│   (plaintext)   │     │  (AES-256-GCM)  │     │   (encrypted)   │
└─────────────────┘     └─────────────────┘     └─────────────────┘
                                │
                                │ uses
                                ▼
                        ┌─────────────────┐
                        │ ~/.envmark/keys │
                        │   project.key   │
                        │  (local only)   │
                        └─────────────────┘

Each project has its own encryption key stored at ~/.envmark/keys/<project>.key.

Setting Up Encryption

Step 1: Generate a Key

$ envmark keygen
📦 Encryption Key Management
──────────────────────────────────────
ℹ Project:
Name: my-app
Key file: ~/.envmark/keys/my-app.key
🔑 Encryption key generated
Your new key:
a1b2c3d4e5f6789012345678901234567890abcdef...
⚠ IMPORTANT: Save this key securely!
- Share it with your team through a secure channel
- The key is stored in: ~/.envmark/keys/my-app.key
- Never commit this key to version control

Step 2: Enable Encryption

Edit your global config to enable encryption:

// ~/.envmark/config.json
{
  "remote": "git@github.com:team/secrets.git",
  "defaultEnv": "development",
  "encrypt": true  // <-- Enable this
}

Step 3: Push Encrypted Files

Now when you push, files will be automatically encrypted:

$ envmark push dev
📦 Push to development
──────────────────────────────────────
Project: my-app
Environment: dev (branch: development)
Encryption: enabled
Pushed successfully
📄 .env pushed to development (encrypted)

Sharing Keys with Teammates

When a new team member needs access to encrypted .env files:

  1. Show the current key:
    $ envmark keygen --show
    Current Key:
    a1b2c3d4e5f6789012345678901234567890abcdef...
  2. Share via secure channel: Use a password manager, encrypted chat, or in-person.
  3. Teammate saves the key: Create the key file manually at ~/.envmark/keys/<project>.key

Never share keys via: Email, Slack, Teams, or any unencrypted channel.

Key Management Commands

Command                           Description
envmark keygen                    Generate a new encryption key
envmark keygen --show             Display the current key
envmark keygen --delete           Delete the key (warning: you won't be able to decrypt existing files)
envmark keygen -p other-project   Manage the key for a different project

Security Best Practices

🔒 Private Repository

Always use a private Git repository. Encryption is an additional layer, not a replacement for access control.

🛡️ Branch Protection

Enable branch protection rules on your Git provider to require reviews for production changes.

🔑 Key Rotation

Periodically rotate encryption keys, especially when team members leave. Re-encrypt all files after rotation.

📋 Audit Log

Git provides a natural audit log. Review commit history to track who changed what and when.

🚫 Never Commit Keys

Never add ~/.envmark/keys/ to version control. Add it to your global .gitignore.

💾 Key Backup

Back up your encryption keys securely. If lost, you cannot decrypt existing encrypted files.

Technical Details

Encryption Algorithm

  • Algorithm: AES-256-GCM (Galois/Counter Mode)
  • Key Size: 256 bits (32 bytes)
  • IV Size: 96 bits (12 bytes), randomly generated for each encryption
  • Authentication Tag: 128 bits (16 bytes)

Encrypted File Format

Encrypted .env files are stored as base64-encoded strings with the format:

ENVMARK_ENCRYPTED:<iv>:<authTag>:<encryptedData>

Key Storage

Keys are stored in:

~/.envmark/keys/<project-name>.key

File permissions are set to 600 (read/write by owner only).
