Security & Privacy

dotenvar is built on a zero-knowledge model. Your secrets are encrypted on your device before they leave your browser. The server stores only ciphertext — it has no way to read your data.

Zero-knowledge encryption

Your master passphrase is the root of your encryption. It is used exclusively in your browser to derive your encryption key — it is never transmitted to our servers. We have no copy of it and no way to recover it.

Every secret value is encrypted client-side before being sent to the API. What the server receives and stores is already unreadable without your passphrase.

What dotenvar stores

Item                       How it is handled
Encrypted secret values    Ciphertext only
Encrypted key names        Ciphertext only
Your email address         For account identity (username shown in app)
Your master passphrase     Never transmitted
Your encryption key        Lives in your browser session only
Plaintext secret values    Never leaves the client

Your session

Your encryption key is held in browser session storage — it is cleared when you close the tab or lock your session. Once locked, your data cannot be read without re-entering your passphrase.

You can lock your session manually at any time from the home screen. This immediately wipes the in-memory key and returns you to the passphrase screen.

Sharing security

When you share a secret, it is re-encrypted with a separate key specific to that share. Your master passphrase is not involved. Recipients can only access what was explicitly shared — not any other part of your account.

Passphrase recovery is not possible. Because your passphrase never reaches our servers, we cannot help you recover it if lost. Store it somewhere safe — a password manager or a secure offline note.