Sovereign Security: Why Local-first RSA Encryption with 0 Dependencies is the New Standard
Cortlet is a software brand specializing in lightweight, secure-first, no-bloat, problem-solving software, with a balance of open-source and closed-source software.
Introduction
Industry standards like Doppler and AWS Secrets Manager have revolutionized secret management, but they introduce two critical vulnerabilities for the modern engineer: Cloud Dependency and Supply-Chain Bloat.
Restricted SSH-only or air-gapped sovereign environments cannot rely on an outbound connection to a third-party cloud. If they did, it would not be just a latency issue; it would be a security failure.
And even if you use an SSH-only RSA encryption solution, it has dependencies. Each dependency is a potential entry point for a vulnerability, which opens the door to supply-chain attacks through runtime dependencies.
The Solution
Cortlet has built a solution to this, called @cortlet-org/env-vault.
@cortlet-org/env-vault is an SSH-only, local RSA encryption vault. It has no cloud dependency: it is a local-only, no-network solution.
It has low-friction installation and setup steps, making it easy to get started with. The tool is also air-gapped and offline-first, making it a good fit for restricted SSH-only or air-gapped environments.
Comparison
| Metric | Traditional Secret Managers | @cortlet-org/env-vault |
|---|---|---|
| Connectivity | Requires persistent WAN | Air-gapped / Offline-first |
| Dependencies | Dozens of packages, used at runtime | Zero runtime packages; only a few for the CLI |
| Security Model | Shared Responsibility (Cloud) | Sovereign (Local Keys) |
| Architecture | Cloud-sync / SaaS | Local RSA Vault |
Under the Hood
To maintain performance parity without sacrificing security, this tool leverages native system-level RSA handshakes. Unlike traditional secret managers, which use heavy runtime libraries, ours is built for:
- Atomic Performance: We don't use runtime libraries. We use built-in Node.js modules.
By maintaining zero runtime dependencies, we eliminate the primary vector for Node.js supply chain attacks.
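As an illustration of what "built-in Node.js modules only" can look like, here is an added example that is not @cortlet-org/env-vault's code or API. It goes beyond the text by showing that bare RSA-OAEP only fits 190 bytes under a 2048-bit key, and by sealing a whole .env file with an AES-256-GCM key wrapped by RSA. The hybrid scheme and the names `fitsInRsa`, `sealSecrets` and `openSecrets` are assumptions made for this sketch.

```javascript
// Added example (not env-vault's code): zero-dependency hybrid encryption
// using only Node's built-in crypto module. All names here are hypothetical.
const { generateKeyPairSync, publicEncrypt, privateDecrypt, randomBytes,
  createCipheriv, createDecipheriv, constants } = require('node:crypto');

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// RSA-OAEP alone only fits (modulus bytes - 2 * hash bytes - 2) of plaintext:
// 190 bytes for a 2048-bit key with SHA-256. Returns false past that limit.
function fitsInRsa(publicKey, plaintext) {
  try {
    publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(plaintext));
    return true;
  } catch {
    return false;
  }
}

// Seal text of any length: AES-256-GCM encrypts the data, RSA-OAEP wraps the AES key.
function sealSecrets(publicKey, plaintext) {
  const dataKey = randomBytes(32); // fresh AES key for every sealed file
  const iv = randomBytes(12);      // 96-bit GCM nonce, used once with this key
  const cipher = createCipheriv('aes-256-gcm', dataKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    wrappedKey: publicEncrypt({ key: publicKey, ...OAEP }, dataKey).toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    body: body.toString('base64'),
  };
}

// Unwrap the AES key with the local private key, then decrypt and authenticate.
function openSecrets(privateKey, sealed) {
  const b64 = (s) => Buffer.from(s, 'base64');
  const dataKey = privateDecrypt({ key: privateKey, ...OAEP }, b64(sealed.wrappedKey));
  const decipher = createDecipheriv('aes-256-gcm', dataKey, b64(sealed.iv));
  decipher.setAuthTag(b64(sealed.tag));
  // final() throws if the ciphertext or tag was modified on disk.
  return Buffer.concat([decipher.update(b64(sealed.body)), decipher.final()]).toString('utf8');
}

// Constructed sample input: a throwaway key pair and a fake .env file.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const SAMPLE_ENV = 'DB_URL=postgres://app:example@db.internal/app\nAPI_TOKEN=' + 'x'.repeat(200);
const sealed = sealSecrets(publicKey, SAMPLE_ENV);
console.log('fits in bare RSA:', fitsInRsa(publicKey, SAMPLE_ENV));
console.log('round trip ok:', openSecrets(privateKey, sealed) === SAMPLE_ENV);
```

In a real deployment the private key would be generated once and kept on the local machine, with only the sealed object written to disk.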
Conclusion
The industry's move toward centralized cloud secrets was a compromise for convenience that cost us our security autonomy. For engineers operating in restricted sovereign, SSH-only, or air-gapped environments, that compromise is no longer acceptable.
@cortlet-org/env-vault is more than a tool; it is a return to a "Local-First" engineering standard. Secure your environment today without the cloud-sync tax.
If you like this product, consider helping it (give a star, report an issue, or submit a Pull Request) on This Link.
Download: npm install @cortlet-org/env-vault
NPM page: https://npmjs.org/package/@cortlet-org/env-vault