> For the complete documentation index, see [llms.txt](https://docs.revault.onepub.dev/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.revault.onepub.dev/docs/secure_env_pages.md). # Secure environment pages Vault environment variables are stored in the encrypted env tree. Secret environment values must not be decoded into ordinary heap memory after the page is read from disk. The env tree uses internal names to separate storage classes: * `.plain/` for normal environment variables * `.secret/` for secret environment variables Leaf grouping keeps storage classes from sharing leaf pages. Env tree reads use the encrypted env tree metadata to know that the requested page is env-related before the page body is decrypted. Env pages are read from storage with `read_at_secure` into `SecureVec`, decrypted in place, and decoded through the secure single object page path. Env tree pages are inserted into the decoded page cache only when requested with the secure page policy. The cache stores one `DecodedPage` type, but each page object payload has a storage class. Normal pages use ordinary `Vec` payloads; secure env pages use `SecureVec` payloads. `PageBuffer` is the shared decoder buffer contract for in-place page-body decoding. It is intentionally narrower than `Vec`: it provides read access, mutable access, truncation, and secure range cloning. Building page payloads still uses explicit `Vec` or `SecureVec` APIs so call sites must choose the storage class deliberately. Secure env writes go through the page cache append path, which owns secure page encoding, storage append, and secure decoded-page cache insertion. Inspection and recovery scans must not decode env pages through the normal page decoder. Current env pages are single-object secure pages, so scan/inspection first attempts secure env metadata decoding and skips normal decoding for env leaf/internal pages. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.revault.onepub.dev/docs/secure_env_pages.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.