Security at SlickEnv

Your environment variables contain some of the most sensitive data in your stack. We treat that responsibility seriously.

Our commitment

SlickEnv is built with a security-first architecture. Encryption is not an optional feature. It is the foundation. Every variable you store is encrypted at rest and in transit, and we have designed the system so that even we cannot read your secrets.

What we protect

  • Encryption at rest. All stored variables are encrypted with AES-256-GCM. Encryption keys are managed per-project and never stored alongside encrypted data.
  • Encryption in transit. Every API call uses TLS 1.3. No data leaves your machine unencrypted.
  • No plaintext storage. Secrets are never written to disk, logs, or caches in plaintext. Not on our servers, and not by the CLI.
  • CLI output masking. Variables marked as sensitive are automatically masked in all CLI output. You will never accidentally leak a secret in a terminal screenshot.
  • Authentication. OAuth 2.0 via GitHub or Google. Credentials are stored in your system keychain, not in a config file.
  • Access control. Per-project, per-environment role-based access. You control who can read, write, or admin each environment.
  • Audit trail. Every push, pull, share, and rollback is logged with a timestamp and user identity.

What we don't do

  • We do not read, analyse, or process your environment variables.
  • We do not sell, share, or monetise your data in any way.
  • We do not store your authentication credentials on our servers.
  • We do not log the contents of your .env files. We only log metadata like variable count and version number.
  • We do not require broad permissions. The CLI only accesses the files and directories you explicitly initialise.

Responsible disclosure

If you discover a security vulnerability in SlickEnv, please report it responsibly. We take all reports seriously and will respond within 48 hours.

Email: security@slickenv.dev

Please include a detailed description of the vulnerability, steps to reproduce, and any relevant logs or screenshots. We will acknowledge receipt within 48 hours, provide an initial assessment within 5 business days, and keep you informed of our progress toward a fix.
