FyVault

Encryption Modes

FyVault supports two encryption modes. Both are production-ready — choose based on your access pattern.

Server-Side Encryption (KMS)

Secrets are encrypted on our servers using envelope encryption: each value is encrypted with AES-256-GCM under a per-secret data encryption key (DEK), and that DEK is wrapped with a KMS-managed master key. Because the server can unwrap the DEK, the plaintext value is available via the API and SDK.

How it works

  1. You create a secret through the dashboard, API, or SDK
  2. FyVault generates a unique DEK and encrypts the value with AES-256-GCM
  3. The DEK is wrapped with the org's KMS master key and stored alongside the ciphertext
  4. On read, the DEK is unwrapped and the value is decrypted server-side
  5. The plaintext is returned over TLS to the caller

When to use

  • Your backend fetches secrets via the SDK or API (getValueByName)
  • CI/CD pipelines that need secrets at build time
  • Serverless functions (Lambda, Vercel, Cloudflare Workers)
  • Any environment where the agent cannot be installed
sdk-example.ts

import { FyVault } from "@fyvault/sdk";

// The access token is read from the environment, never hard-coded
const fv = new FyVault({ accessToken: process.env.FYVAULT_TOKEN });

// Server-encrypted secrets are returned as plaintext (top-level await requires an ES module)
const dbUrl = await fv.secrets.getValueByName("db-url");

Zero-Knowledge Encryption (Client-Side)

Secrets are encrypted in your browser with a vault passphrase before leaving your device. FyVault servers store opaque ciphertext they cannot decrypt. The plaintext is only available on devices with the passphrase.

How it works

  1. You set a vault passphrase when configuring your organization's vault
  2. Your browser derives an AES-256 key using PBKDF2-SHA256 (600k rounds)
  3. Each secret is encrypted with AES-256-GCM in the browser
  4. Only the ciphertext is sent to the server
  5. The server stores opaque blobs — it cannot decrypt them
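Both flows above, modelled end to end as an added example. This is not FyVault's code and does not use the FyVault SDK: Node's built-in crypto module stands in for the browser's WebCrypto and for the KMS, and the org master key, the per-vault PBKDF2 salt and the record layouts are assumptions made for illustration, not FyVault's actual storage format.

```typescript
// Added example, not FyVault's own code: the two modes modelled with Node's
// built-in crypto module. The master key, the per-vault PBKDF2 salt and the
// record layouts are assumptions for illustration, not FyVault's storage format.
import { randomBytes, createCipheriv, createDecipheriv, pbkdf2Sync } from "node:crypto";

const PBKDF2_ROUNDS = 600_000; // rounds stated in the zero-knowledge flow above

// Both record types hold AES-256-GCM output (nonce, ciphertext, auth tag).
// Only the server-side record holds key material the server can use.
interface KmsRecord {
  mode: "kms";
  iv: string;         // 96-bit GCM nonce, base64
  ciphertext: string;
  tag: string;        // 128-bit GCM auth tag, base64
  wrappedDek: string; // DEK encrypted under the org master key
  dekIv: string;
  dekTag: string;
}

interface ZkRecord {
  mode: "zk";
  iv: string;
  ciphertext: string;
  tag: string;
  salt: string;       // per-vault PBKDF2 salt (assumed); no key is stored
}

const b64 = (b: Buffer): string => b.toString("base64");
const unb64 = (s: string): Buffer => Buffer.from(s, "base64");

// AES-256-GCM with a fresh random nonce for every encryption.
function aesGcmEncrypt(key: Buffer, plaintext: Buffer) {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws on a wrong key or tampered data: GCM checks the tag before any
// plaintext is released.
function aesGcmDecrypt(key: Buffer, iv: Buffer, ct: Buffer, tag: Buffer): Buffer {
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// --- Server-side (KMS) mode: envelope encryption, steps 2-4 of the first flow ---
// masterKey stands in for the org's KMS master key; with a real KMS the wrap
// and unwrap happen inside the KMS and the master key never leaves it.
function kmsCreate(masterKey: Buffer, value: string): KmsRecord {
  const dek = randomBytes(32);                                 // unique DEK per secret
  const data = aesGcmEncrypt(dek, Buffer.from(value, "utf8")); // encrypt the value
  const wrap = aesGcmEncrypt(masterKey, dek);                  // wrap the DEK
  return {
    mode: "kms",
    iv: b64(data.iv), ciphertext: b64(data.ct), tag: b64(data.tag),
    wrappedDek: b64(wrap.ct), dekIv: b64(wrap.iv), dekTag: b64(wrap.tag),
  };
}

function kmsRead(masterKey: Buffer, rec: KmsRecord): string {
  const dek = aesGcmDecrypt(masterKey, unb64(rec.dekIv), unb64(rec.wrappedDek), unb64(rec.dekTag));
  return aesGcmDecrypt(dek, unb64(rec.iv), unb64(rec.ciphertext), unb64(rec.tag)).toString("utf8");
}

// --- Zero-knowledge mode: key derived client-side from the vault passphrase ---
function deriveVaultKey(passphrase: string, salt: Buffer): Buffer {
  return pbkdf2Sync(passphrase, salt, PBKDF2_ROUNDS, 32, "sha256");
}

// Runs on the client. The returned record is all that is sent to the server.
function zkCreate(passphrase: string, vaultSalt: Buffer, value: string): ZkRecord {
  const key = deriveVaultKey(passphrase, vaultSalt);
  const data = aesGcmEncrypt(key, Buffer.from(value, "utf8"));
  return { mode: "zk", iv: b64(data.iv), ciphertext: b64(data.ct), tag: b64(data.tag), salt: b64(vaultSalt) };
}

// Runs on a device that knows the passphrase (dashboard reveal or agent).
function zkReveal(passphrase: string, rec: ZkRecord): string {
  const key = deriveVaultKey(passphrase, unb64(rec.salt));
  return aesGcmDecrypt(key, unb64(rec.iv), unb64(rec.ciphertext), unb64(rec.tag)).toString("utf8");
}

// The server's view: with the master key it can open a KMS record, which is
// why SDK/API reads work; a zk record carries no key to unwrap, so without
// the passphrase there is nothing it can do.
function serverCanDecrypt(rec: KmsRecord | ZkRecord, masterKey: Buffer): boolean {
  if (rec.mode === "kms") {
    kmsRead(masterKey, rec);
    return true;
  }
  return false;
}

// A wrong passphrase does not yield garbage plaintext: the GCM tag check rejects it.
function zkRevealFails(passphrase: string, rec: ZkRecord): boolean {
  try {
    zkReveal(passphrase, rec);
    return false;
  } catch (err) {
    return err instanceof Error;
  }
}
```

The two stored records make the difference between the modes concrete: the KMS record carries the wrapped DEK next to the ciphertext, so anything holding the master key (the server, on behalf of an SDK or API caller) can unwrap it; the zero-knowledge record carries only salt, nonce, ciphertext and tag, so the server has no key to unwrap and a guessed passphrase fails the tag check rather than decrypting. The two layouts are also not interchangeable, which is why a secret's mode is fixed at creation.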

When to use

  • Maximum privacy — the cloud must never see plaintext
  • Secrets delivered only to registered devices via the agent
  • Dashboard-only reveal (enter passphrase in browser to view)
  • Compliance environments that prohibit server-side plaintext

Note: Zero-knowledge secrets cannot be accessed via the SDK or API because the server does not have the decryption key. They can only be delivered to devices via the agent, or revealed in the dashboard with your vault passphrase.

Which mode should I use?

                     Server-Side (KMS)           Zero-Knowledge
Key management       FyVault KMS                 Your vault passphrase
Who can decrypt      FyVault servers + you       Only you (passphrase holders)
SDK / API access     Yes                         No (agent or dashboard only)
Agent delivery       Yes                         Yes
Recovery             KMS key recovery            Passphrase only (no recovery if lost)
Best for             Backend apps, SDK, CI/CD    Max privacy, compliance

Can I switch modes?

No. Encryption mode is set when a secret is created and cannot be changed afterward because the ciphertext format is different. To change modes, create a new secret with the desired encryption and delete the old one.