Core Concepts
ZMS is built on three fundamental pillars: Zero-Trust, Master Key Sharding, and the Bootstrap Pattern.
🛡️ Zero-Trust Security
In a Zero-Trust environment, we assume the network is already compromised. ZMS ensures that secrets are never stored in plaintext on disk or in the database.
- Encryption at Rest: All secrets are AES-256 encrypted before being persisted.
- Stateless Runtime: The ZMS Core engine is designed to be stateless, processing encrypted buffers and only decrypting when authorized via valid tokens.
🗝️ Master Key Management
ZMS uses a unique Master Key strategy to ensure that your vault remains under your absolute control.
- Automated Generation: When you run `zms init` for the first time, ZMS automatically generates a unique Master Key and stores it locally (e.g., `~/.zexio/zms.master.key`). Treat this file like a private key: readable only by your own user account and never committed to version control.
- Encryption: This key is used to encrypt your entire local database.
- Nuclear Reset: If you need to start fresh, or your environment has been compromised, use `zms reset` to clear the keys and database, then `zms init` to regenerate them. Reset is destructive: everything encrypted under the old key becomes unrecoverable, so you must re-enter your secrets afterwards.
[!IMPORTANT] Your Master Keys never leave your hardware. ZMS does not have a back-door or cloud recovery service. If you lose your Master Keys, your secrets are permanently inaccessible.
🚀 The Bootstrap Pattern
The Bootstrap Pattern is the ZMS answer to the dangerous practice of storing plaintext .env files.
The Problem
Traditional deployments copy multiple sensitive keys (DATABASE_URL, STRIPE_SECRET, etc.) into a .env.local file. If this file is leaked or accidentally committed to Git, every one of those credentials is exposed at once.
The ZMS Solution
- Vault Everything: Move all secrets into the ZMS Vault.
- Tokenize: Generate a single ZMS_TOKEN, scoped to only the secrets this service needs.
- Bootstrap: Use that token to pull all other secrets at runtime into memory; nothing is written to disk.

The ZMS_TOKEN is now the one credential you have to protect: anyone holding it can pull everything in its scope, so keep scopes narrow and hand the token to the process through your platform's secret mechanism rather than through a committed file.
Implementation Example
Instead of running your app directly:

```json
"scripts": {
  "start": "node server.js"
}
```

Use the ZMS runner:

```json
"scripts": {
  "start": "zms run -- node server.js"
}
```

ZMS will automatically fetch all secrets tied to your token and inject them into process.env.