<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Serge Zhuravel</title>
    <description>The latest articles on DEV Community by Serge Zhuravel (@sergezh).</description>
    <link>https://dev.to/sergezh</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3925765%2Fdc3f364f-c056-4f44-a9dc-53d13823d5a0.png</url>
      <title>DEV Community: Serge Zhuravel</title>
      <link>https://dev.to/sergezh</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/sergezh"/>
    <language>en</language>
    <item>
      <title>Introducing the Ennote CLI: Next-Generation, Zero-Persistence Secret Management</title>
      <dc:creator>Serge Zhuravel</dc:creator>
      <pubDate>Wed, 24 Jun 2026 17:50:12 +0000</pubDate>
      <link>https://dev.to/ennote/introducing-the-ennote-cli-next-generation-zero-persistence-secret-management-2lcb</link>
      <guid>https://dev.to/ennote/introducing-the-ennote-cli-next-generation-zero-persistence-secret-management-2lcb</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fh4eza1fajix9g5a3dmp1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fh4eza1fajix9g5a3dmp1.png" alt=" " width="800" height="420"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;(This is a technical deep dive into the Ennote CLI's architecture. You can read the original full-length post on &lt;a href="https://ennote.io/blog/ennote-cli-next-generation-zero-persistence-secret-management" rel="noopener noreferrer"&gt;our engineering blog&lt;/a&gt;.)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;For years, developers and security teams have been locked in a tug-of-war over how to handle application secrets. The traditional workflow - copying and pasting sensitive API keys into plaintext &lt;code&gt;.env&lt;/code&gt; files - has always been a massive security liability. Hardcoded secrets leak into version control, linger on developer laptops indefinitely, and create a sprawling attack surface.&lt;/p&gt;

&lt;p&gt;Today, we are thrilled to announce the &lt;strong&gt;Ennote Security CLI&lt;/strong&gt;: an identity-driven, zero-persistence secret manager built from the ground up for modern developers and CI/CD environments.&lt;/p&gt;

&lt;p&gt;The Ennote CLI bridges the gap between human identity (SSO) and your infrastructure, allowing you to fetch, inject, and manage enterprise secrets without ever writing a plaintext &lt;code&gt;.env&lt;/code&gt; file to disk.&lt;/p&gt;

&lt;p&gt;Here is a look at what makes the Ennote CLI the most secure way to manage your environment variables.&lt;/p&gt;
&lt;h3&gt;
  
  
  🚀 The Magic of Process Injection (Zero-Persistence)
&lt;/h3&gt;

&lt;p&gt;The core philosophy of the Ennote CLI is &lt;strong&gt;Zero-Persistence&lt;/strong&gt;. Secrets belong in memory, not on your hard drive.&lt;/p&gt;

&lt;p&gt;Instead of piping variables or writing out configuration files, the CLI securely injects your secrets directly into the memory space of a child process.&lt;/p&gt;

&lt;p&gt;For example, to run your local Node server with your production Stripe keys, you simply run:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ennote secret get &lt;span class="s2"&gt;"stripe-keys"&lt;/span&gt; &lt;span class="nt"&gt;--&lt;/span&gt; npm run dev
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;What happens under the hood?&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The CLI authenticates your identity.&lt;/li&gt;
&lt;li&gt;It fetches the &lt;code&gt;stripe-keys&lt;/code&gt; payload via a secure, TLS 1.3 encrypted gRPC tunnel.&lt;/li&gt;
&lt;li&gt;It resolves your &lt;code&gt;$PATH&lt;/code&gt; and executes &lt;code&gt;npm run dev&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;The secrets are injected directly into the execution environment (&lt;code&gt;cmd.Env&lt;/code&gt;) of that specific process tree.&lt;/li&gt;
&lt;li&gt;When the process terminates, the secrets vanish. Nothing is ever written to disk.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Architectural Security &amp;amp; Post-Quantum Cryptography
&lt;/h3&gt;

&lt;p&gt;Enterprise security isn't just a feature; it's our foundational principle. The Ennote CLI operates on a strict Zero-Persistence threat model, heavily fortified against modern attack vectors:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Hardware-Backed Cryptography:&lt;/strong&gt; We implement Ephemeral Elliptic-Curve Diffie-Hellman (X25519) combined with Post-Quantum CRYSTALS-Kyber (Kyber-1024) encapsulation.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;RAM-Only Decapsulation:&lt;/strong&gt; Secrets are decapsulated strictly in volatile memory. Plaintext Data Encryption Keys (DEKs) are explicitly destroyed using compiler-safe memory wiping routines &lt;em&gt;before&lt;/em&gt; functions exit to defeat memory scraping.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;OS-Native Keyrings:&lt;/strong&gt; Authentication tokens are never stored in plaintext config files. We utilize the native OS Keyring (macOS Keychain, Windows Credential Manager, Linux Secret Service).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Strict Transport Security:&lt;/strong&gt; All remote gRPC connections require TLS 1.3, complete with hardcoded downgrade prevention.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Seamless Developer Experience &amp;amp; CI/CD Ready
&lt;/h3&gt;

&lt;p&gt;Security shouldn't come at the cost of developer velocity.&lt;/p&gt;

&lt;p&gt;For local development, getting started is as easy as running &lt;code&gt;ennote auth login&lt;/code&gt;. This opens your system browser, authenticates you via your organization's SSO (Google, Microsoft, GitHub), and securely stores a session token in your OS keyring.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What about automated pipelines?&lt;/strong&gt; The Ennote CLI is fully equipped for headless CI/CD environments (GitHub Actions, GitLab CI, Jenkins). Simply provision a Machine Identity Token and inject it via the environment:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="c1"&gt;# Example: GitHub Actions&lt;/span&gt;
&lt;span class="na"&gt;steps&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Run Database Migrations&lt;/span&gt;
    &lt;span class="na"&gt;env&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;ENNOTE_TOKEN&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;${{ secrets.ENNOTE_MACHINE_TOKEN }}&lt;/span&gt;
      &lt;span class="na"&gt;ENNOTE_ORGANIZATION_ID&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;org_123&lt;/span&gt;
      &lt;span class="na"&gt;ENNOTE_WORKSPACE_ID&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wrk_prod&lt;/span&gt;
      &lt;span class="na"&gt;ENNOTE_DO_NOT_TRACK&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;1&lt;/span&gt;
    &lt;span class="na"&gt;run&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;|&lt;/span&gt;
      &lt;span class="s"&gt;ennote secret get "db-credentials" -- npm run migrate&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;em&gt;(Note: Ennote automatically handles complex JSON serialization, injecting primitives directly as strings to ensure compatibility with standard application parsers).&lt;/em&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Verifiable Provenance &amp;amp; Supply Chain Security
&lt;/h3&gt;

&lt;p&gt;You shouldn't have to blindly trust the binaries you install. Every Ennote CLI release is entirely automated and cryptographically verifiable:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;SBOMs:&lt;/strong&gt; We attach a standard SPDX/CycloneDX SBOM (&lt;code&gt;.sbom.json&lt;/code&gt;) to every compiled artifact.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Keyless Signatures:&lt;/strong&gt; All release checksums are signed using Sigstore Cosign via GitHub OIDC tokens.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Zero Human Intervention:&lt;/strong&gt; No human developer possesses the cryptographic keys to publish or sign a release.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Get Started Today
&lt;/h3&gt;

&lt;p&gt;The Ennote CLI is available today with pre-compiled binaries for all major operating systems.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;macOS &amp;amp; Linux (Homebrew):&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;brew &lt;span class="nb"&gt;install &lt;/span&gt;ennote-io/tap/ennote
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Windows (Scoop):&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;scoop bucket add ennote-io &lt;span class="o"&gt;[&lt;/span&gt;https://github.com/ennote-io/scoop-bucket]&lt;span class="o"&gt;(&lt;/span&gt;https://github.com/ennote-io/scoop-bucket&lt;span class="o"&gt;)&lt;/span&gt;
scoop &lt;span class="nb"&gt;install &lt;/span&gt;ennote
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Universal Shell Script (CI/CD):&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;curl &lt;span class="nt"&gt;-sSfL&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;https://get.ennote.io/get-cli.sh]&lt;span class="o"&gt;(&lt;/span&gt;https://get.ennote.io/get-cli.sh&lt;span class="o"&gt;)&lt;/span&gt; | sh
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Say goodbye to leaked &lt;code&gt;.env&lt;/code&gt; files and hello to identity-driven secret management.&lt;/p&gt;

&lt;p&gt;Ready to dive deeper? Check out the &lt;a href="https://github.com/ennote-io/ennote-cli" rel="noopener noreferrer"&gt;official GitHub repository&lt;/a&gt; and read through our comprehensive &lt;a href="https://docs.ennote.io/cli/overview" rel="noopener noreferrer"&gt;CLI Reference Documentation&lt;/a&gt; to start securing your workflow today.&lt;/p&gt;




&lt;h3&gt;
  
  
  Ready to Upgrade Your Secret Management?
&lt;/h3&gt;

&lt;p&gt;Stop compromising between security and developer velocity. &lt;strong&gt;&lt;a href="https://app.ennote.io" rel="noopener noreferrer"&gt;Get started with Ennote today&lt;/a&gt;&lt;/strong&gt; to see our Zero-Persistence architecture in action, or &lt;strong&gt;book a demo&lt;/strong&gt; with our engineering team to learn how we can secure your infrastructure.&lt;/p&gt;

</description>
      <category>cicd</category>
      <category>devops</category>
      <category>infrastructure</category>
      <category>automation</category>
    </item>
    <item>
      <title>The Identity-Driven Cryptography Behind Ennote's Zero-Persistence Vault</title>
      <dc:creator>Serge Zhuravel</dc:creator>
      <pubDate>Tue, 23 Jun 2026 05:39:44 +0000</pubDate>
      <link>https://dev.to/ennote/the-identity-driven-cryptography-behind-ennotes-zero-persistence-vault-49a</link>
      <guid>https://dev.to/ennote/the-identity-driven-cryptography-behind-ennotes-zero-persistence-vault-49a</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F0m999kbmvpz0ytxou2is.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F0m999kbmvpz0ytxou2is.png" alt="Ennote Security" width="800" height="420"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;(This is a technical deep dive into the cryptography behind Ennote's enterprise architecture. You can read the original full-length post on &lt;a href="https://ennote.io/blog/the-identity-driven-cryptography-behind-ennote-s-zero-persistence-vault" rel="noopener noreferrer"&gt;our engineering blog&lt;/a&gt;.)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;When evaluating an enterprise secrets manager, the fundamental security question is not just how data is encrypted, but where and for how long the plaintext keys exist. As "The Identity-Driven Secret Manager", Ennote answers this by bridging the gap between infrastructure and identity.&lt;/p&gt;

&lt;p&gt;Whether you are a developer logging into our clean, lightning-fast Web UI, a script utilizing our CLI, or a native Kubernetes agent, the cryptographic process is exactly the same. We deliver secure team sharing, enforced SSO, and a sub-1-second sync to infrastructure with zero code changes required and absolute Zero Persistence. To achieve this without compromising security, Ennote employs a verifiable Transient Envelope Encryption model. We do not claim "magic"; we rely on transparent, peer-reviewed cryptographic primitives. Here is exactly how Ennote works, what we use, and why.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Zero Persistence vs. Zero Trust (Why We Reject Buzzwords)
&lt;/h3&gt;

&lt;p&gt;Many platforms market themselves as "Zero Trust" (implying strict End-to-End Encryption where the server infrastructure knows absolutely nothing and cannot mediate access). We do not make this claim, because true Zero Trust fundamentally breaks enterprise secret management workflows.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;The Flaw of Zero Trust in Secret Sharing:&lt;/strong&gt; In a mathematically strict Zero Trust (E2EE) model, there is no centralized authority. If Developer A creates a database password and the company later hires Developer B, the server cannot grant Developer B access. Developer A must manually come online, decrypt the payload locally, and re-encrypt it specifically with Developer B's public key. This approach destroys automated onboarding, makes central Role-Based Access Control (RBAC) impossible, and turns machine-to-machine syncing into a highly fragile, operational nightmare.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The Ennote Reality - Zero Persistence:&lt;/strong&gt; Enterprise organizations require centralized governance. We built Ennote to provide seamless onboarding via built-in SSO (Google/Microsoft), full Role-Based Access Control (RBAC), and immutable Audit Logs to track every user action, creating a complete chain of custody for your data. To enable this secure team sharing, the Ennote internal KMS does mediate the cryptographic handshake to securely route access. However, plaintext keys exist only in volatile memory (RAM) for the duration of a cryptographic operation (milliseconds). At no point are plaintext DEKs written to disk, logs, databases, or persistent storage.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We reject the "Zero Trust" buzzword because we prioritize workable, highly-governed enterprise security. We guarantee Zero Persistence.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. The Foundation: Hybrid Cryptography &amp;amp; Envelope Encryption
&lt;/h3&gt;

&lt;p&gt;To achieve this Zero Persistence safely, we utilize Hybrid Cryptography via Envelope Encryption - the practice of locking a fast symmetric key inside of a highly secure asymmetric key.&lt;/p&gt;

&lt;p&gt;In cryptography, there are two primary methods for securing data:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Symmetric Cryptography:&lt;/strong&gt; Uses a single, shared key to both encrypt and decrypt data. It is highly efficient and capable of encrypting large payloads at lightning speed. However, it suffers from a distribution flaw: securely transmitting that single key over a network to the recipient creates a massive vulnerability.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Asymmetric Cryptography (Public-Key):&lt;/strong&gt; Uses a mathematically linked pair of keys - a Public Key (to encrypt) and a Private Key (kept secretly by the owner to decrypt). This solves the distribution problem entirely, but asymmetric math is computationally heavy and far too slow to encrypt large payloads efficiently.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;The Hybrid Approach:&lt;/strong&gt; Ennote combines both methods. We use the blazing speed of symmetric cryptography to encrypt your actual secrets, and the highly secure, identity-verified nature of asymmetric cryptography to protect and distribute the symmetric key itself.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. The Root of Trust &amp;amp; Organization-Level Governance
&lt;/h3&gt;

&lt;p&gt;Ennote’s architecture begins with absolute hardware security. The master seeds for our Internal KMS are protected by Cloud HSMs (AWS KMS / Google Cloud KMS) featuring FIPS 140-2 Level 3 validation. This establishes an unhackable root of trust.&lt;/p&gt;

&lt;p&gt;From this root, Ennote generates Post-Quantum asymmetric keys using CRYSTALS-Kyber (Kyber-1024), a NIST Post-Quantum standard that protects Data Encryption Keys (DEKs) against "harvest-now-decrypt-later" attacks.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Crucially, these Kyber keys are established at the Organization level.&lt;/li&gt;
&lt;li&gt;Access to individual resources within your organization is not managed by blindly decrypting the entire vault. Instead, Ennote utilizes Full Role-Based Access Control (RBAC) and immutable Audit Logs to provide granular access control to each individual resource.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  4. The Lifecycle of a Secret: High-Speed Payload Protection
&lt;/h3&gt;

&lt;p&gt;When an engineer (via Web UI/CLI) or automated agent creates a secret, the platform executes the following flow:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Local Generation:&lt;/strong&gt; The client generates a random 256-bit Data Encryption Key (DEK) locally in volatile memory (RAM).&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Symmetric Payload Encryption:&lt;/strong&gt; The data payload is encrypted with this DEK using Client-Side AES-256-GCM, ensuring authenticated encryption.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Asymmetric Encapsulation:&lt;/strong&gt; The DEK is then encapsulated (enveloped) using the Organization-level KMS Public Key (Kyber) into a secure Key Capsule.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Blind Storage:&lt;/strong&gt; We store the encrypted payload alongside the encapsulated DEK. The DEK is completely unreadable to the storage layer, and payloads remain entirely opaque to Ennote.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  5. Identity Verification: Why We Use X25519 Over RSA
&lt;/h3&gt;

&lt;p&gt;To securely transmit secrets to your developers or the lightweight Ennote Kubernetes Smart Agent, we must mathematically verify identity. Every client generates an ephemeral Curve25519 (ECC X25519) key pair for Elliptic-Curve Diffie-Hellman (ECDH) key agreement. Private keys never leave the device.&lt;/p&gt;

&lt;p&gt;Why not use legacy RSA? Legacy RSA requires massive 2048-bit or 4096-bit keys that are computationally expensive and slow to generate on the fly. X25519 (Elliptic Curve Cryptography) delivers equivalent or greater security with a fraction of the key size (256 bits). Because X25519 keys are incredibly fast to generate and require minimal bandwidth, they perfectly enable the Ennote Agent to maintain its outbound-only gRPC stream for real-time, sub-1-second updates without exhausting cluster resources.&lt;/p&gt;

&lt;h3&gt;
  
  
  6. Ultimate Enterprise Control: BYOK &amp;amp; Transient Re-Wrapping
&lt;/h3&gt;

&lt;p&gt;For enterprise customers who require absolute cryptographic sovereignty, Ennote offers Bring Your Own Key (BYOK) Support. It is strictly within this BYOK workflow that our transient "re-wrapping" operation occurs.&lt;/p&gt;

&lt;p&gt;When an organization enables BYOK, they connect their own Google or AWS KMS (which natively supports asymmetric encryption) to envelope the Ennote Internal KMS keys.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;During an access request under BYOK, the DEK is briefly decapsulated inside the secure KMS enclave in volatile memory (RAM).&lt;/li&gt;
&lt;li&gt;The server immediately performs ECDH with the Client's Public Key, wraps the DEK using the customer's BYOK control logic and derived session key, and instantly flushes memory.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Because the customer owns the ultimate Key Encryption Key via their AWS/GCP KMS, they have complete control over the encryption of the DEK. If a breach is suspected, the customer can instantly revoke access at their own cloud provider level, instantly severing Ennote's ability to re-wrap the DEKs and rendering the vault cryptographically sealed.&lt;/p&gt;

&lt;h3&gt;
  
  
  7. The Zero-Persistence Guarantee &amp;amp; Confidential Computing
&lt;/h3&gt;

&lt;p&gt;Through this precise combination of Client-Side AES-256-GCM, Organization-level Kyber-1024 encapsulation, ephemeral X25519 identity verification, and optional BYOK transient re-wrapping, Ennote achieves true Zero-Persistence.&lt;/p&gt;

&lt;p&gt;Plaintext keys exist only in volatile memory (RAM) for the duration of a cryptographic operation - measured in milliseconds. At no point are plaintext DEKs written to disk, logs, databases, or persistent storage.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Confidential Computing Protection:&lt;/strong&gt; To entirely eliminate the risk of volatile memory extraction during the transient re-wrapping phase, our KMS enclaves utilize Confidential Computing. This hardware-based isolation encrypts the data while it is in-use within RAM, completely preventing memory dumps or hypervisor-level inspection by any party - including malicious actors, host OS administrators, or our own cloud infrastructure providers. Physical theft of our disks yields absolutely no data.&lt;/p&gt;

&lt;h3&gt;
  
  
  8. Native Kubernetes Integration &amp;amp; Auto-Rollout
&lt;/h3&gt;

&lt;p&gt;Ennote is designed to replace unencrypted YAMLs and eliminate the need for developers to learn new SDKs. This is powered by our proprietary Kubernetes Smart Agent, deployed directly via Helm.&lt;/p&gt;

&lt;p&gt;The lightweight agent establishes an outbound-only gRPC stream - requiring no inbound ports or open firewall rules - to sync secrets directly to Native Kubernetes Secrets in under 1 second. Applications consume these secrets securely via standard &lt;code&gt;envFrom&lt;/code&gt; variables with zero code changes required. Furthermore, by adding the restart annotation, Ennote enables Auto-Rollout: when secrets are updated in the Ennote dashboard, the agent automatically rotates the pods depending on those secrets, ensuring immediate and seamless consistency across your entire cluster.&lt;/p&gt;




&lt;h3&gt;
  
  
  9. Executive Q&amp;amp;A
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Q: If you are faster than HashiCorp Vault, and you aren't strict Zero Trust, what security checks are you skipping?&lt;/strong&gt;&lt;br&gt;
&lt;strong&gt;A:&lt;/strong&gt; None. We are faster because we engineered the bottleneck out of the architecture. Instead of relying on heavy, centralized decryption pipelines, we distribute the workload using highly efficient X25519 Elliptic Curve cryptography and Client-Side AES-256. Ennote doesn't skip security; we modernized the cryptography to match the sub-second speed of modern Kubernetes.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Q: Can a malicious insider at Ennote dump the RAM and steal our keys during the transient re-wrapping?&lt;/strong&gt;&lt;br&gt;
&lt;strong&gt;A:&lt;/strong&gt; No. Ennote engineers have zero access to customer data keys, and all administrative actions require MFA and are heavily logged. Furthermore, the re-wrapping occurs inside a secure KMS enclave protected by Confidential Computing. Because the memory itself is hardware-encrypted while in use, RAM dumping is mathematically impossible.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Q: If you don't use strict "Zero Trust," how do I guarantee sovereignty over my data?&lt;/strong&gt;&lt;br&gt;
&lt;strong&gt;A:&lt;/strong&gt; By deploying our BYOK integration. This connects your own AWS or GCP KMS directly to our enclave, giving you the ultimate hardware kill-switch. You maintain total cryptographic sovereignty; Ennote merely facilitates the sub-second routing and seamless RBAC.&lt;/p&gt;




&lt;h3&gt;
  
  
  Ready to Upgrade Your Secret Management?
&lt;/h3&gt;

&lt;p&gt;Stop compromising between security and developer velocity. &lt;strong&gt;&lt;a href="https://app.ennote.io" rel="noopener noreferrer"&gt;Get started with Ennote today&lt;/a&gt;&lt;/strong&gt; to see our Zero-Persistence architecture in action, or &lt;strong&gt;&lt;a href="https://ennote.io/contact" rel="noopener noreferrer"&gt;book a demo&lt;/a&gt;&lt;/strong&gt; with our engineering team to learn how we can secure your infrastructure.&lt;/p&gt;

</description>
      <category>devsecops</category>
      <category>devops</category>
      <category>kubernetes</category>
      <category>security</category>
    </item>
    <item>
      <title>Product Update: Post-Quantum Cryptography meets &lt;1s Kubernetes Syncs</title>
      <dc:creator>Serge Zhuravel</dc:creator>
      <pubDate>Wed, 27 May 2026 06:00:53 +0000</pubDate>
      <link>https://dev.to/ennote/product-update-post-quantum-cryptography-meets-1s-kubernetes-syncs-5bpf</link>
      <guid>https://dev.to/ennote/product-update-post-quantum-cryptography-meets-1s-kubernetes-syncs-5bpf</guid>
      <description>&lt;p&gt;Engineering teams are actively seeking alternatives to the operational complexity of legacy enterprise vaults and the limitations of consumer-grade tools. We built the upgrade. Engineered to eliminate unencrypted YAMLs and legacy password managers, Ennote Security delivers a true zero-persistence architecture. Whether you are migrating from HashiCorp Vault, replacing 1Password, or securing native Kubernetes workloads, here is how &lt;strong&gt;The Identity-Driven Secret Manager&lt;/strong&gt; bridges the gap between identity and infrastructure.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fht5gx9cfcmc4kxjaucs3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fht5gx9cfcmc4kxjaucs3.png" alt="Kubernetes Smart Agent Overview" width="800" height="422"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Kubernetes Smart Agent: &amp;lt;1s Synchronization without the Overhead
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Bypass the operational overhead of HashiCorp Vault and proprietary SDKs.&lt;/strong&gt; Our lightweight, Helm-deployed agent establishes an outbound-only gRPC stream for real-time updates directly to native Kubernetes resources. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Zero Network Friction:&lt;/strong&gt; No inbound ports, webhooks, or open firewall rules required.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Zero Code Changes:&lt;/strong&gt; Applications consume secrets via standard &lt;code&gt;envFrom&lt;/code&gt; variables.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Auto-Rollout:&lt;/strong&gt; By adding the restart annotation, the agent automatically rotates pods the millisecond secrets change in your Ennote dashboard.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://ennote.io/agent?utm_source=social&amp;amp;utm_medium=post&amp;amp;utm_campaign=product_update_may_2026" rel="noopener noreferrer"&gt;View Agent Documentation ↗&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fst7s8npiswk3sba7k9r6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fst7s8npiswk3sba7k9r6.png" alt="Zero Persistence Cryptography Architecture" width="800" height="420"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Transparent, Zero-Persistence Cryptography
&lt;/h2&gt;

&lt;p&gt;When evaluating an enterprise secrets manager, &lt;strong&gt;the fundamental security question is not just how data is encrypted, but where and for how long the plaintext keys exist&lt;/strong&gt;. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Volatile Memory Only:&lt;/strong&gt; Plaintext keys exist only in RAM for the milliseconds a cryptographic operation occurs.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Absolute Zero Persistence:&lt;/strong&gt; At no point are plaintext DEKs written to disk, logs, or persistent storage.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Post-Quantum Ready:&lt;/strong&gt; All data is encrypted via Client-Side AES-256-GCM, enveloped by NIST-standard CRYSTALS-Kyber (Kyber-1024) to protect against "harvest-now-decrypt-later" attacks.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://ennote.io/blog/the-identity-driven-cryptography-behind-ennote-s-zero-persistence-vault?utm_source=social&amp;amp;utm_medium=post&amp;amp;utm_campaign=product_update_may_2026" rel="noopener noreferrer"&gt;Read the Engineering Deep-Dive ↗&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frmz3bqd2dk52i5u95z3k.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frmz3bqd2dk52i5u95z3k.jpeg" alt="AWS KMS BYOK Integration" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Enterprise Sovereign Control: AWS KMS Integration (BYOK)
&lt;/h2&gt;

&lt;p&gt;Take sovereign control over your organization's cryptography. Expanding on our existing Google Cloud KMS capabilities, Ennote’s Bring Your Own Key (BYOK) architecture now allows you to &lt;strong&gt;connect your own AWS KMS&lt;/strong&gt; to envelope our Internal KMS keys. By wrapping our internal infrastructure with your key, you maintain absolute cryptographic authority, allowing you to instantly revoke access to your data if a breach is suspected.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://ennote.io/security?utm_source=social&amp;amp;utm_medium=post&amp;amp;utm_campaign=product_update_may_2026" rel="noopener noreferrer"&gt;Learn about BYOK Architecture ↗&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffvwqezdn87i4v75wvnsz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffvwqezdn87i4v75wvnsz.png" alt="Ennote Identity-Driven Interface" width="799" height="264"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  A Lightning-Fast, Identity-Driven Interface
&lt;/h2&gt;

&lt;p&gt;We’ve completely refreshed the Ennote Web UI, specifically designed for engineering workflows. &lt;strong&gt;Natively integrated with your SSO and RBAC&lt;/strong&gt;, it’s easier than ever to manage team passwords, API keys, and access controls with a complete chain of custody alongside your infrastructure.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://app.ennote.io?utm_source=social&amp;amp;utm_medium=post&amp;amp;utm_campaign=product_update_may_2026" rel="noopener noreferrer"&gt;Sign In to See What's New ↗&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;a href="https://app.ennote.io?utm_source=social&amp;amp;utm_medium=post&amp;amp;utm_campaign=product_update_may_2026" rel="noopener noreferrer"&gt;Start Using&lt;/a&gt; | &lt;a href="https://www.linkedin.com/groups/17605037/" rel="noopener noreferrer"&gt;Join Community Group&lt;/a&gt; | &lt;a href="https://ennote.io/contact/?utm_source=social&amp;amp;utm_medium=post&amp;amp;utm_campaign=product_update_may_2026" rel="noopener noreferrer"&gt;Talk to an Architect&lt;/a&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>devops</category>
      <category>kubernetes</category>
      <category>aws</category>
    </item>
    <item>
      <title>Why Strict "Zero Trust" Breaks Secret Management (And How We Built a Zero-Persistence Vault Instead)</title>
      <dc:creator>Serge Zhuravel</dc:creator>
      <pubDate>Mon, 11 May 2026 20:13:43 +0000</pubDate>
      <link>https://dev.to/ennote/why-strict-zero-trust-breaks-secret-management-and-how-we-built-a-zero-persistence-vault-instead-4lcg</link>
      <guid>https://dev.to/ennote/why-strict-zero-trust-breaks-secret-management-and-how-we-built-a-zero-persistence-vault-instead-4lcg</guid>
      <description>&lt;p&gt;&lt;em&gt;This is a technical deep dive into the cryptography behind &lt;a href="https://ennote.io" rel="noopener noreferrer"&gt;Ennote's&lt;/a&gt; enterprise architecture. You can read the original full-length post on our &lt;a href="https://ennote.io/blog/the-identity-driven-cryptography-behind-ennote-s-zero-persistence-vault" rel="noopener noreferrer"&gt;engineering blog&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;




&lt;p&gt;When evaluating an enterprise secrets manager, the fundamental security question isn't just &lt;em&gt;how&lt;/em&gt; data is encrypted, but &lt;em&gt;where&lt;/em&gt; and &lt;em&gt;for how long&lt;/em&gt; the plaintext keys exist. &lt;/p&gt;

&lt;p&gt;Many platforms market themselves as strict "Zero Trust" (implying End-to-End Encryption where the server knows absolutely nothing). We don't make this claim. Why? &lt;strong&gt;Because mathematically strict E2EE fundamentally breaks enterprise secret management workflows.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If you use strict E2EE, there is no centralized authority. If Developer A creates a database password and the company later hires Developer B, the server cannot grant Developer B access. Developer A must manually come online, decrypt the payload locally, and re-encrypt it with Developer B's public key. &lt;/p&gt;

&lt;p&gt;This destroys automated onboarding, makes central Role-Based Access Control (RBAC) impossible, and turns machine-to-machine Kubernetes syncing into a fragile nightmare. &lt;/p&gt;

&lt;p&gt;We needed a different approach. We prioritized workable, highly governed enterprise security by guaranteeing &lt;strong&gt;Zero Persistence&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Here is the cryptographic stack we built to achieve it.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Hybrid Cryptography &amp;amp; Transient Envelope Encryption
&lt;/h3&gt;

&lt;p&gt;To get the best of both worlds - centralized RBAC and absolute data security - we use &lt;strong&gt;Hybrid Cryptography&lt;/strong&gt;. &lt;/p&gt;

&lt;p&gt;We use the blazing speed of symmetric cryptography to encrypt the actual secrets, and the highly secure, identity-verified nature of asymmetric cryptography to protect and distribute the symmetric key itself.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Local Generation:&lt;/strong&gt; The client generates a random 256-bit Data Encryption Key (DEK) locally in volatile memory (RAM).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Symmetric Payload Encryption:&lt;/strong&gt; The payload is encrypted with this DEK using &lt;strong&gt;Client-Side AES-256-GCM&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Asymmetric Encapsulation:&lt;/strong&gt; The DEK is then encapsulated using our Organization-level KMS Public Key.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;At no point are plaintext DEKs written to disk, logs, databases, or persistent storage. They exist only in volatile memory for the duration of a cryptographic operation (measured in milliseconds). &lt;/p&gt;

&lt;h3&gt;
  
  
  2. The Root of Trust: Post-Quantum Kyber
&lt;/h3&gt;

&lt;p&gt;Our architecture begins with absolute hardware security. The master seeds for our internal KMS are protected by Cloud HSMs (FIPS 140-2 Level 3 validation). &lt;/p&gt;

&lt;p&gt;From this root, Ennote generates Post-Quantum asymmetric keys using &lt;strong&gt;CRYSTALS-Kyber (Kyber-1024)&lt;/strong&gt;, a NIST Post-Quantum standard that protects against "harvest-now-decrypt-later" attacks. Crucially, these Kyber keys are established at the Organization level, not the individual resource level, allowing us to enforce centralized RBAC.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Identity Verification: Why We Dropped RSA for X25519
&lt;/h3&gt;

&lt;p&gt;To securely transmit secrets to your developers or our Kubernetes Smart Agent, we have to mathematically verify identity. &lt;/p&gt;

&lt;p&gt;We could have used legacy RSA, but RSA requires massive 2048-bit or 4096-bit keys that are computationally expensive to generate on the fly. Instead, every client generates an ephemeral &lt;strong&gt;Curve25519 (ECC X25519)&lt;/strong&gt; key pair for Elliptic-Curve Diffie-Hellman (ECDH) key agreement. &lt;/p&gt;

&lt;p&gt;X25519 delivers equivalent or greater security with a fraction of the key size (256 bits). Because they are incredibly fast to generate and require minimal bandwidth, they allow our Kubernetes Agent to maintain an outbound-only gRPC stream for real-time, sub-1-second updates without exhausting cluster CPU.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. Enterprise Sovereignty: BYOK &amp;amp; Confidential Computing
&lt;/h3&gt;

&lt;p&gt;For teams that need an absolute "kill switch," we built a BYOK (Bring Your Own Key) integration with GCP and AWS KMS. &lt;/p&gt;

&lt;p&gt;During an access request under BYOK, the DEK is briefly decapsulated inside a secure KMS enclave. To eliminate the risk of volatile memory extraction during this transient "re-wrapping" phase, our enclaves utilize &lt;strong&gt;Confidential Computing&lt;/strong&gt;. &lt;/p&gt;

&lt;p&gt;This hardware-based isolation encrypts the data &lt;em&gt;while it is in-use within RAM&lt;/em&gt;, completely preventing memory dumps or hypervisor-level inspection by any party - including malicious actors, host OS admins, or even our cloud infrastructure providers. &lt;/p&gt;

&lt;h3&gt;
  
  
  The Result: Sub-Second K8s Sync
&lt;/h3&gt;

&lt;p&gt;We engineered the heavy, centralized decryption bottlenecks out of the architecture. By combining Client-Side AES-256, Kyber-1024 encapsulation, ephemeral X25519 identity verification, and Confidential Computing, we achieved true Zero-Persistence. &lt;/p&gt;

&lt;p&gt;This allows our lightweight Kubernetes Agent to sync secrets directly to Native K8s Secrets in under 1 second via an outbound-only gRPC stream - requiring zero code changes and zero unencrypted YAMLs.&lt;/p&gt;




&lt;h3&gt;
  
  
  Over to you! 👇
&lt;/h3&gt;

&lt;p&gt;Building security tools always involves balancing usability, speed, and strict cryptography. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;How is your team currently handling secret delivery in Kubernetes?&lt;/strong&gt; &lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Are you still relying on polling loops, or have you moved to event-driven architectures?&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Let’s chat in the comments! If you want to see this architecture in action, check out &lt;a href="https://ennote.io" rel="noopener noreferrer"&gt;Ennote Security&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>security</category>
      <category>kubernetes</category>
      <category>devsecops</category>
      <category>cryptography</category>
    </item>
  </channel>
</rss>
