Intro
Portunus is a tool designed to help software teams simplify their management of shared environment variables and secrets. Portunus gives convenient access to environment updates instantly (no pulling required), while securely storing everything on its platform.
The TLDR Portunus workflow (see here for a more thorough look):
- update your environment variables on the web app
- copy your access token and desired scope (team + project + stage) into a local .env file
- run print-env to receive real-time updates to remote values
How It Works
Portunus has 4 functional parts:
- the secure Cloudflare and Deta backend which stores your data
  - We use Cloudflare Workers KV to store the actual key-values of the environment variables, which are encrypted at rest and only decrypted upon request through its accessing worker process
    "All values are encrypted at rest with 256-bit AES-GCM, and only decrypted by the process executing your Worker scripts or responding to your API requests."
    — https://developers.cloudflare.com/workers/learning/how-kv-works/
  - We use Deta Base to store environment variable keys and their associated metadata, without the values, while Cloudflare KV stores the full set*
- the Portunus web app for management, making updates easy for everyone
- the print-env CLI to seamlessly pull in the values when and where you need them
- an API on Cloudflare Workers to facilitate
A note on security:
- The auth layer of Portunus is passwordless: login is through Magic-Link or OTP (one-time password), which are received through the user's email. There is no password to exploit, and the OTP secrets are periodically rotated.
- All of the data storage locations offer strong encryption at rest.
- *The separation of data storage locations adds an additional layer of protection, while balancing performance for two distinct workflows:
  - The Deta Base storage allows fast access through the Portunus UI, with indexing across associated teams, projects, and stages of all accessible environment variable sets.
  - Cloudflare Workers KV is only ever accessed when entering editing mode or when print-env reads values. This store is optimized toward an O(1) lookup by the reading API with a known team-project-stage association.
- GPG encryption is available if you supply a local public key to Portunus.
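The storage split described in the security note above, sketched as an added example that is not Portunus code: two in-memory maps stand in for Deta Base and Workers KV, and a check confirms that no value ever lands in the metadata side. The function names, the ":"-joined scope key and the allowed character set are assumptions made for this illustration.

```javascript
// Added illustration only: in-memory stand-ins, not Portunus code.
// scopeKey, saveEnv, listKeys, readEnv and the ":" key layout are assumptions.
const metadataStore = new Map(); // stand-in for Deta Base: key names + metadata, no values
const valueStore = new Map();    // stand-in for Workers KV: full set per scope

// One deterministic key per team/project/stage makes a read a single lookup.
// Rejecting ":" in components keeps "a:b"+"c" from colliding with "a"+"b:c".
function scopeKey({ team, project, stage }) {
  for (const part of [team, project, stage]) {
    if (typeof part !== "string" || !/^[A-Za-z0-9_-]+$/.test(part)) {
      throw new Error("invalid scope component");
    }
  }
  return `${team}:${project}:${stage}`;
}

function saveEnv(scope, vars, updatedBy) {
  const key = scopeKey(scope);
  valueStore.set(key, JSON.stringify(vars)); // names and values
  metadataStore.set(key, { ...scope, keys: Object.keys(vars).sort(), updatedBy }); // names only
}

// UI path: browse a team's projects and stages without touching the value store.
function listKeys(team) {
  return [...metadataStore.values()]
    .filter((m) => m.team === team)
    .map(({ project, stage, keys }) => ({ project, stage, keys }));
}

// CLI path: the scope is already known, so this is one get and no scan.
function readEnv(scope) {
  const raw = valueStore.get(scopeKey(scope));
  return raw === undefined ? null : JSON.parse(raw);
}

// Invariant to test: no secret value ever appears in the metadata store.
function metadataLeaksValue(vars) {
  const dump = JSON.stringify([...metadataStore.values()]);
  return Object.values(vars).some((v) => dump.includes(String(v)));
}

// Constructed sample data.
const sample = { DATABASE_URL: "postgres://constructed.example/db", API_KEY: "constructed-secret-123" };
const devScope = { team: "acme", project: "shop", stage: "dev" };
saveEnv(devScope, sample, "alice@example.com");
console.log(listKeys("acme"), readEnv(devScope), metadataLeaksValue(sample));
```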
History of development