Security

EnvFly CLI is built with security as a top priority. This page explains the security features and best practices for keeping your environment variables safe.

Encryption

Client-Side Encryption

All environment variables are encrypted before they leave your machine. EnvFly CLI uses industry-standard encryption to ensure your secrets remain private.

Zero-Knowledge Architecture

EnvFly CLI follows a zero-knowledge approach:
  • Your encryption key never leaves your machine
  • Storage providers only see encrypted data
  • Even EnvFly servers cannot decrypt your secrets
  • You control access to your data

Key Management

Encryption Key Storage

For different storage providers, keys are managed differently:

Git Repository

# You provide the encryption key during init
Enter encryption key for Git storage: ********
Security Considerations:
  • Store your encryption key securely
  • Consider using a password manager
  • Never commit the key to version control
  • Share the key securely with team members

Cloud Providers (AWS, Azure, GCP)

# Keys are managed by the cloud provider
# EnvFly CLI uses your cloud credentials
aws configure
az login
gcloud auth application-default login
Security Benefits:
  • Leverages cloud provider security
  • IAM/role-based access control
  • Automatic key rotation
  • Audit logging

EnvFly Cloud Service

# API keys are stored securely using keytar
envfly login
Security Features:
  • API keys stored in system keychain
  • Automatic key validation
  • Secure token refresh

Access Control

Role-Based Permissions

When using EnvFly Cloud Service, you can assign different roles to team members:

Environment-Level Access

Granular permissions per environment: 
# Grant specific access to an environment
envfly team grant alice@company.com production readwrite

# Grant read-only access
envfly team grant bob@company.com staging readonly

# Grant access to specific variables only
envfly team grant charlie@company.com production readonly --keys API_KEY,DATABASE_URL

Cross-Team Sharing

Share environments between teams with controlled access: 
# Share environment with another team
envfly team share-env production frontend-team

# Grant specific permissions to shared environment
envfly team grant frontend-team production readonly

Audit Logging

Comprehensive Audit Trail

All actions are logged for security and compliance: 
# View audit logs for an environment
envfly audit production
Logged Events:
  • Environment pushes and pulls
  • Team member invitations
  • Permission changes
  • Access attempts
  • Configuration modifications

Audit Log Details

Each audit entry includes: 
{
  "timestamp": "2024-01-15T10:30:00Z",
  "user": "alice@company.com",
  "action": "environment.push",
  "environment": "production",
  "ip_address": "192.168.1.100",
  "user_agent": "envfly-cli/1.0.0",
  "details": {
    "variables_modified": 3,
    "variables_added": 1,
    "variables_removed": 0
  }
}

Best Practices

Encryption Key Management

Access Control

Network Security

Compliance

Security Standards

EnvFly CLI helps you meet various compliance requirements:

Security Features Summary

FeatureDescriptionBenefit
Client-side encryptionAES-256-GCM encryptionData never leaves unencrypted
Zero-knowledgeServer never sees plaintextComplete privacy
Role-based accessGranular permissionsControlled access
Audit loggingComplete activity trailCompliance & security
Key managementSecure key storageKey security
Network securityHTTPS enforcementSecure communication

Security Checklist

Before using EnvFly CLI in production:
  • Generate strong encryption keys
  • Configure secure key storage
  • Set up role-based access control
  • Enable audit logging
  • Configure network security
  • Train team on security practices
  • Set up monitoring and alerting
  • Create incident response plan
  • Regular security reviews
  • Key rotation schedule

Reporting Security Issues

If you discover a security vulnerability:
  1. Do not create a public GitHub issue
  2. Email security@envfly.io with details
  3. Include steps to reproduce the issue
  4. Provide affected versions and platforms
We take security seriously and will respond promptly to all security reports.