Security at dotEnv Cloud

Your secrets are encrypted with AES-256-GCM and, with client-managed keys, can be made unreadable to us by design. Here's exactly how it works.

Encryption you can verify

Every secret is encrypted before it's stored, using the same authenticated cipher across our platform, CLI, and every SDK.

Zero-knowledge, client-managed keys

Choose client-managed custody and your encryption key never reaches our servers. Encryption and decryption happen on your machine (through the CLI or an SDK), so we only ever store ciphertext we cannot read.

The data key is derived the same way regardless of who holds the key. That means switching custody never re-encrypts your secrets and never requires downtime.

Zero-knowledge: client decrypts locally

With client-managed keys the server never sees your key. Decryption only ever happens client-side, so a breach of our database exposes ciphertext, not secrets.

No re-encryption on custody switch

Because a project's key and salt always derive the same AES data key, moving between server-managed and client-managed custody leaves your stored ciphertext untouched.

Key-proof verification

For client-managed keys we store a PBKDF2 key proof (600,000 iterations), never the key itself. Every write is checked against it, so a mistyped or wrong key is rejected instead of silently corrupting your secrets.
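One way a key proof like this can gate writes while the data key stays deterministic, as an added example (not dotEnv Cloud's own code). Only PBKDF2 and the 600,000 iteration count come from the page; the SHA-256 PRF, the 16-byte salt, the `data-key:` and `key-proof:` labels, the client-sends-proof flow, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # iteration count stated on the page


def _kdf(label: bytes, client_key: str, salt: bytes) -> bytes:
    # Assumed construction: PBKDF2-HMAC-SHA256 with a purpose label mixed into the salt.
    return hashlib.pbkdf2_hmac("sha256", client_key.encode("utf-8"), label + salt, ITERATIONS)


def derive_data_key(client_key: str, salt: bytes) -> bytes:
    """Client side: 32-byte AES-256 key; deterministic for a given key and salt."""
    return _kdf(b"data-key:", client_key, salt)


def derive_proof(client_key: str, salt: bytes) -> bytes:
    """Client side: proof sent with each write instead of the key.

    The separate label means the stored proof is not the data key and
    cannot be used to decrypt ciphertext.
    """
    return _kdf(b"key-proof:", client_key, salt)


def enroll(client_key: str) -> dict:
    """Client side, once per project: the record the server keeps."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "proof": derive_proof(client_key, salt)}


def accept_write(record: dict, presented_proof: bytes, ciphertext: bytes) -> bool:
    """Server side: accept ciphertext only if the proof matches the stored one."""
    if not ciphertext:
        return False
    # Constant-time comparison: no timing signal about how many bytes matched.
    return hmac.compare_digest(record["proof"], presented_proof)


if __name__ == "__main__":
    record = enroll("constructed-sample-key")
    typo = derive_proof("constructed-sample-kee", record["salt"])
    print("typo accepted:", accept_write(record, typo, b"\x00ciphertext"))
```
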

Access control & accountability

Encryption is only half the story. Access to your account and your data is scoped, authenticated, and logged.

Scoped API tokens

API tokens carry explicit abilities, so each token grants only the permissions it needs. Tokens can be created, scoped, and revoked independently.

Two-factor authentication

Protect your account with TOTP-based two-factor authentication. Setup is confirmed end-to-end before it's enabled, with recovery codes for backup access.

Audit logging

Activity across your organization is recorded in an audit log you can review (who did what, and when), scoped to your organization and retained per your plan.

Policies & responsible disclosure

Read our formal commitments, or report a vulnerability. We take responsible disclosure seriously and welcome reports from security researchers.

Found a vulnerability? Reach our team through the contact page for responsible disclosure.