Security Architecture
AltENV is designed so that API keys and portal credentials never leave your server. This page explains how.
Encryption at Rest
Every API key, portal cookie, and stored credential is encrypted before it touches disk.
- All secrets encrypted with AES-256-GCM, an authenticated encryption scheme that provides both confidentiality and tamper detection
- Master key derived from: SHA256(master_password + SHA256(license_email))
- License-bound encryption — changing the license email makes all existing encrypted data undecryptable, preventing unauthorized database transfers between installations
- The master key exists only in memory during runtime and is never written to disk
- Each secret has a unique random nonce, so identical plaintext values produce different ciphertext
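The scheme in the list above, as an added Go example using only the standard library; it is not AltENV's own code. It assumes `+` means byte concatenation and that the inner SHA-256 digest is used as raw bytes; the names `newVault`, `seal`, `open` and the nonce-prefixed record layout are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newVault derives the master key per the page's formula and returns an
// AES-256-GCM AEAD. Assumption: "+" is byte concatenation and the inner
// SHA-256 digest is used as raw bytes (not hex).
func newVault(masterPassword, licenseEmail string) (cipher.AEAD, error) {
	inner := sha256.Sum256([]byte(licenseEmail))
	key := sha256.Sum256(append([]byte(masterPassword), inner[:]...))
	block, err := aes.NewCipher(key[:]) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag, with a fresh random nonce per secret.
func seal(v cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.Seal(nonce, nonce, plaintext, nil), nil
}

// open fails when the key is wrong or any byte of the record was altered.
func open(v cipher.AEAD, record []byte) ([]byte, error) {
	n := v.NonceSize()
	if len(record) < n {
		return nil, fmt.Errorf("record too short: %d bytes", len(record))
	}
	return v.Open(nil, record[:n], record[n:], nil)
}

func main() {
	a, _ := newVault("constructed-master-password", "admin@example.com")
	b, _ := newVault("constructed-master-password", "other@example.com") // email changed
	rec, _ := seal(a, []byte("sk-constructed-sample"))
	pt, _ := open(a, rec)
	_, err := open(b, rec)
	fmt.Printf("original license: %q\nchanged license email: %v\n", pt, err)
}
```

Because GCM authenticates the whole record, a changed license email and a modified ciphertext fail the same way: `open` returns an authentication error and no plaintext.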
Network Architecture
AltENV runs on your internal network. Developers never connect directly to external APIs — they connect to AltENV, and AltENV connects outbound on their behalf.
Your network:
Developer Machine (no API key) ---> AltENV Server (key injected here) ---> External API (key arrives with request)
API keys travel one path only: server memory to external API. They are never sent to developer machines, never included in proxy responses, and never exposed in client-side code.
License Security
AltENV licenses use cryptographic signing to ensure authenticity without requiring network access.
- Ed25519 digital signatures — the same algorithm used by SSH keys and modern TLS certificates
- The license payload is signed, not encrypted — tamper-proof but fully inspectable by the customer
- Offline validation — no phone-home, no license server. Works in air-gapped and classified environments
- License payload contains: tier, seat count, entry limit, server limit, and expiry date
The Ed25519 public key is embedded in the binary at compile time. Licenses are validated locally on your server with zero network calls.
What AltENV Does NOT Do
- Does not store or transmit your data to us
- Does not require internet access to run (except for the external APIs you are proxying)
- Does not have a backdoor or master key that we control
- Does not log API request or response bodies — only metadata (method, status code, timestamp) for the audit log
Browser Extension Security
The AltENV browser extension follows modern security practices to minimize attack surface.
- Manifest V3 — Chrome's latest and most restrictive extension security model
- Device approval required by admin before any access is granted
- Portal cookies are stored server-side only and are never sent to the browser
- The extension communicates only with your AltENV server — it does not contact our infrastructure
Threat Model
What AltENV protects against
- Leaked .env files — developers never have real keys to leak
- AI agent exfiltration — coding assistants cannot extract keys from proxy URLs
- Accidental git commits — no secrets in source code or config files
- Compromised developer machines — a stolen laptop has no API keys on it
- Insider threats — access control and audit logs track who used what, and access can be revoked instantly
What AltENV does NOT protect against
- A compromised AltENV server itself — if an attacker has root on the server, all bets are off (this applies to any credential store)
- Network man-in-the-middle on your internal network — use HTTPS between developer machines and AltENV if your internal network is untrusted
- Physical access to the server — standard physical security practices apply
AltENV is a single self-contained binary with no external dependencies. The smaller the footprint, the smaller the attack surface.
Questions?
If you have security questions or need details for a compliance review, reach out at security@altenv.dev