RSA Identity-Based Access

Env Vault leverages your existing SSH identity for cryptographic operations. By using your local SSH keys, the vault ensures that only authorized SSH identities can lock or inject environment secrets, maintaining a strictly Zero-Cloud lifecycle.

The Local Identity Model

The system operates on a Zero-Cloud philosophy: no accounts, no subscriptions, and no internet required. All cryptographic operations occur locally on your machine.

Key Discovery & Usage

The CLI automatically utilizes your standard RSA keys:

  • Public Key: ~/.ssh/id_rsa.pub (Used for the allow command to authorize identities)
  • Private Key: ~/.ssh/id_rsa (Used for the run command to decrypt the vault in-memory)

You can specify a different key using the -i or --identity flag.

Encryption Technicals

The .env.vault is secured using a two-tier encryption strategy:

  1. Payload Encryption: The .env content is encrypted using AES-256-GCM.
  2. Key Wrapping: The unique AES key is wrapped via RSA-OAEP with SHA-256 using the public keys of all authorized SSH identities.

Core Commands

  • lock: Generates a new vault key, encrypts the .env file, and wraps the key for the current user.
  • allow [path/to/id_rsa.pub]: Authorizes a new SSH identity by wrapping the existing vault key with the provided public key.
  • run -- [command]: Decrypts the vault key with your private key, decrypts the payload in-memory, and injects variables into the process.

Since there is no cloud synchronization, access is tied strictly to the authorized SSH private keys. Access is non-recoverable if the authorized private keys are lost.