Encryption
AES-256-GCM
Military-grade encryption. The same standard used by governments and banks worldwide.
Argon2id
Key derivation using Argon2id, the winner of the Password Hashing Competition. Resistant to GPU attacks.
Zero Knowledge
We never see your passphrase or your secrets. All encryption happens locally.
Air Gapped
Your vault lives on a USB drive, completely isolated from the internet.
How It Works
When you initialize a vault, a random encryption key is derived from your passphrase using Argon2id. This key encrypts your secrets using AES-256-GCM, an authenticated encryption mode.
Important: Initializing a vault will erase all existing files on the target drive or folder. Make sure to back up any data before proceeding.
# Initialize vault
# WARNING: Existing files on drive will be erased
lenver
# Add secrets (encrypted immediately)
lenver set STRIPE_KEY=sk_live_xxx
# Export when needed (decrypts to .env temporarily)
lenver export .env
Security Properties
- Authenticated encryption - Tampering with encrypted data is detected
- No plaintext storage - Secrets are never written to disk unencrypted (the exception is the temporary .env that lenver export decrypts on request)
- Memory protection - Passphrases are cleared from memory after use
- No network calls - Lenver doesn't make any external connections
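Added example, not Lenver's code: a Node.js sketch of the scheme described under How It Works and of the tamper-detection property listed above. It substitutes scrypt from Node's standard library for Argon2id so that it runs without dependencies; the record layout, cost settings, function names (deriveKey, seal, unseal, demo) and the use of the secret's name as associated data are all assumptions.

```javascript
const crypto = require('node:crypto');

// Assumed sizes and cost settings for this sketch; none are taken from Lenver.
const SALT = 16, NONCE = 12, TAG = 16, HDR = SALT + NONCE + TAG;
const COST = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stand-in KDF: scrypt (Node standard library). Lenver itself uses Argon2id.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize('NFKC'), salt, 32, COST);
}

// Assumed record layout: salt || nonce || tag || ciphertext.
function seal(passphrase, name, value) {
  const salt = crypto.randomBytes(SALT), nonce = crypto.randomBytes(NONCE);
  const key = deriveKey(passphrase, salt);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG });
  c.setAAD(Buffer.from(name, 'utf8')); // bind the ciphertext to its secret name
  const ct = Buffer.concat([c.update(value, 'utf8'), c.final()]);
  key.fill(0); // wipe the derived key once it is no longer needed
  return Buffer.concat([salt, nonce, c.getAuthTag(), ct]);
}

// Throws if the passphrase is wrong or any byte of the record or name changed.
function unseal(passphrase, name, record) {
  if (record.length < HDR) throw new Error('record too short');
  const key = deriveKey(passphrase, record.subarray(0, SALT));
  const d = crypto.createDecipheriv('aes-256-gcm', key,
    record.subarray(SALT, SALT + NONCE), { authTagLength: TAG });
  d.setAAD(Buffer.from(name, 'utf8'));
  d.setAuthTag(record.subarray(SALT + NONCE, HDR));
  try {
    return Buffer.concat([d.update(record.subarray(HDR)), d.final()]).toString('utf8');
  } finally { key.fill(0); }
}

// Constructed sample data: round trip, one flipped bit, wrong passphrase, renamed secret.
function demo() {
  const pass = 'correct horse battery staple';
  const rec = seal(pass, 'STRIPE_KEY', 'sk_live_xxx');
  const bad = Buffer.from(rec); bad[bad.length - 1] ^= 1;
  const rejects = (fn) => { try { fn(); return false; } catch (e) { return true; } };
  return {
    roundTrip: unseal(pass, 'STRIPE_KEY', rec) === 'sk_live_xxx',
    tamperRejected: rejects(() => unseal(pass, 'STRIPE_KEY', bad)),
    wrongPassRejected: rejects(() => unseal('wrong passphrase', 'STRIPE_KEY', rec)),
    renameRejected: rejects(() => unseal(pass, 'OTHER_KEY', rec)),
  };
}
```

Because the salt and nonce are fresh for every call, sealing the same secret twice produces different records, and a failed tag check is indistinguishable from a wrong passphrase.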
What We Don't Do
- No telemetry or analytics
- No automatic updates that phone home
- No cloud sync
- No password recovery (by design)
Best Practices
For maximum security:
- Use a strong, unique passphrase
- Keep your USB drive physically secure
- Use a dedicated computer for sensitive operations
- Consider a hardware security key for the passphrase
- Regularly back up your vault
Audit
Lenver is open source. You can review the code yourself or hire an independent security auditor. The repository is available on GitHub.