PRIVATE.ME PLATFORM

xEnv: Secure Environment Secrets

XorIDA threshold splitting for .env files, API keys, and secrets. A stolen repo or compromised vault yields only a useless share — never a complete secret.

Developer · Coming soon · XorIDA powered
Section 01

The Problem

GitHub's secret scanning detected over 10 million leaked secrets in repositories in 2024 alone. Developers store secrets in plaintext .env files, share them via Slack, and commit them accidentally. The problem is structural — secrets exist as complete values in single locations.

Traditional secret managers (Vault, AWS Secrets Manager) centralize secrets behind access control. But the secrets themselves are stored intact — if the vault is breached, every secret is exposed in one place.

Reactive scanning tools like GitHub Advanced Security find leaks after they happen. The secret was already complete, in a single location, waiting to be stolen.

The pattern is always the same: one file, one vault, or one environment variable contains the complete secret, so any single compromise means full exposure.

The Old Way

.env file (plaintext secrets) → git push → repository (full secret in repo, single point of failure) → EXPOSED (full secret leaked)
Section 02

The PRIVATE.ME Solution

xEnv splits every secret into K-of-N threshold shares using XorIDA over GF(2). Shares are stored in separate locations — git, vault, local device. No single location holds a complete secret. Theft of one location yields cryptographic noise.

Each secret is split at write time. The developer runs xenv split .env and shares are distributed to configured backends. The original .env is replaced with share references.

At runtime, xenv reconstruct gathers K shares from available backends and reconstructs the secrets in memory. Secrets never touch disk in plaintext during normal operation.

The security is information-theoretic: K-1 shares reveal zero information about the original secret, regardless of the attacker's computational power.

The New Way

.env secrets (API keys, tokens) → XorIDA split (K-of-N shares) → share 1: GitHub Secrets, share 2: HashiCorp Vault, share 3: local device → reconstruct at runtime
Section 03

How It Works

xEnv integrates into your existing development workflow with a CLI tool and SDK. Secrets are split once, stored across backends, and reconstructed on demand.

Parse (.env file) → Split (XorIDA K-of-N) → Distribute (multi-backend) → HMAC verify (per share) → Reconstruct (threshold) → Inject (env vars)
Key Security Properties
Secrets are split at rest, reconstructed only in memory, and destroyed after use. HMAC-SHA256 ensures share integrity. Rotation replaces all shares atomically.
Section 04

Use Cases

🔧
DevSecOps
Dev Team Secrets

Split .env across GitHub Secrets + Vault + local. 2-of-3 threshold. New developer onboarding just needs 2 backends configured.

2-of-3
🔑
Operations
API Key Rotation

Rotate secrets by generating new shares. Old shares expire atomically. Zero-downtime rotation without updating every deployment.

Rotation
Infrastructure
Multi-Cloud Credentials

Split cloud provider credentials across AWS, GCP, Azure secret stores. No single cloud breach exposes cross-cloud access.

Multi-Cloud
📋
Compliance
SOC 2 Compliance

SOC 2 Type II requires secrets not stored in plaintext. xEnv splits satisfy this control automatically. Auditors verify split storage, not access control quality.

Compliance
Section 05

Integration

Quick Start
```javascript
import { splitEnv, reconstructEnv } from '@private.me/envsplit';

// Split the .env file into 2-of-3 shares, one per configured backend.
// splitEnv resolves to a Result<ShareManifest, EnvError>: the manifest records
// where each share was stored, not the secret values themselves.
const shares = await splitEnv('.env', {
  k: 2, n: 3,
  backends: ['github-secrets', 'vault', 'local']
});
// shares distributed to configured backends

// Reconstruct at runtime from any 2 of the 3 backends.
// reconstructEnv resolves to a Result<EnvMap, EnvError>; check it for an error
// (unreachable backend, HMAC mismatch) before reading keys from the map.
const env = await reconstructEnv({
  backends: ['github-secrets', 'vault'],
  threshold: 2
});
console.log(env.DATABASE_URL); // Available in memory only
```
`splitEnv(path: string, opts: SplitOpts): Promise<Result<ShareManifest, EnvError>>`
Reads a .env file, splits each secret using XorIDA K-of-N threshold sharing, and distributes shares to configured backends. Returns a manifest of share locations.

`reconstructEnv(opts: ReconstructOpts): Promise<Result<EnvMap, EnvError>>`
Gathers K shares from available backends, verifies HMAC integrity, and reconstructs secrets into an in-memory map. Never writes plaintext to disk.
Section 06

Security Properties

Property           | Mechanism                 | Guarantee
Secret Protection  | XorIDA threshold shares   | Information-theoretic
Integrity          | HMAC-SHA256 per share     | Tamper-evident
At-Rest Security   | Split across backends     | No single-point exposure
Rotation           | Atomic share replacement  | Zero-downtime
Quantum Resistance | GF(2) operations, no keys | Unconditional security

10M+ leaked secrets/yr · <1ms split latency · K-of-N threshold
VERIFIED BY XPROVE

Verifiable Data Protection

Every operation in this ACI produces a verifiable audit trail via xProve. HMAC-chained integrity proofs let auditors confirm that data was split, stored, and reconstructed correctly — without accessing the data itself.

XPROVE AUDIT TRAIL
Every XorIDA split generates HMAC-SHA256 integrity tags. xProve chains these into a tamper-evident audit trail that proves data was handled correctly at every step. Upgrade to zero-knowledge proofs when regulators or counterparties need public verification.

Read the xProve white paper →
GET STARTED

Ready to deploy xEnv?

Talk to Ren, our AI sales engineer, or book a live demo with our team.

Book a Demo

© 2026 StandardClouds Inc. dba PRIVATE.ME. All rights reserved.

VERIFIABLE WITHOUT CODE EXPOSURE

Ship Proofs, Not Source

xEnv generates cryptographic proofs of correct execution without exposing proprietary algorithms. Verify integrity using zero-knowledge proofs — no source code required.

XPROVE CRYPTOGRAPHIC PROOF

Verify proofs online →

Use Cases

🏛️
REGULATORY
FDA / SEC Submissions
Prove algorithm correctness for distributed systems without exposing trade secrets or IP.
Zero IP Exposure
🏦
FINANCIAL
Audit Without Access
External auditors verify secure operations without accessing source code or production systems.
FINRA / SOX Compliant
🛡️
DEFENSE
Classified Verification
Security clearance holders verify distributed systems correctness without clearance for source code.
CMMC / NIST Ready
🏢
ENTERPRISE
Procurement Due Diligence
Prove security + correctness during RFP evaluation without NDA or code escrow.
No NDA Required

Deployment Options

📦

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

  • npm install @private.me/envsplit
  • TypeScript/JavaScript SDK
  • Full source access
  • Enterprise support available
Get Started →
🏢

On-Premise Upon Request

Enterprise CLI for compliance, air-gap, or data residency requirements.

  • Complete data sovereignty
  • Air-gap capable deployment
  • Custom SLA + dedicated support
  • Professional services included
Request Quote →

Enterprise On-Premise Deployment

While xEnv is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:

  • Regulatory mandates — HIPAA, SOX, FedRAMP, CMMC requiring self-hosted processing
  • Air-gapped environments — SCIF, classified networks, offline operations
  • Data residency requirements — EU GDPR, China data laws, government mandates
  • Custom integration needs — Embed in proprietary platforms, specialized workflows

Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.

Contact sales for assessment and pricing →