@cortlet-org/env-vault

@cortlet-org/env-vault is a specialized security tool designed to reduce the risk of plain-text secret leakage by transforming environment variables into RSA-protected encrypted vaults.

The Product Identity

At its core, @cortlet-org/env-vault is a cryptographic wrapper for application configuration. It allows engineering teams to move away from centralized, third-party secret managers and use a Sovereign Security model.

Instead of trusting a cloud provider to hold your master keys, this product uses infrastructure you already own: your RSA SSH identities.


The Problem: The "Dotenv" Vulnerability

Standard .env files are one of the most common vectors for security breaches. They are:

  • Accidentally Committed: One wrong git push can expose your infrastructure secrets.
  • Stored in Plain Text: Anyone with server access or a backup of your local drive may be able to read your database credentials.
  • Vendor Dependent: Many solutions require a hosted “Secret Manager” service just to keep your keys safe.

The Solution: Asymmetric Vaulting

The product solves these issues by separating the lifecycle of a secret into two distinct phases using RSA SSH public/private keys:

1. The Locking Phase (Public)

The product uses your public SSH key (id_rsa.pub) to lock your .env into an encrypted vault file. Once encrypted, the vault is designed to be safely shared or committed without exposing the original plain-text secrets.

2. The Injection Phase (Private)

At runtime, the product uses your private SSH key (id_rsa) to decrypt the vault in memory. The secrets are not written back to disk in plain text; they exist only inside the active process environment of your application.


Why Sovereignty Matters

By using @cortlet-org/env-vault, the security of your application is tied directly to your local SSH identity. This creates a security model where:

  • The Cloud Provider cannot see your secrets.
  • The Git Provider cannot see your secrets.
  • The Vault is useless without the corresponding local SSH private key.

Terminal

// Concept: Standard process.env access remains unchanged
// The product handles the decryption layer transparently
const databaseUrl = process.env.DATABASE_URL;