
Server access is an interesting scenario to explore. If we're considering an attacker gaining server access, what's to stop that attacker from shipping a modified EnvKey binary that steals your customers' secrets and their encryption keys? If the security of your binary is predicated on GitHub repo access, what happens in the event of GitHub account takeover? At some point, no system is infallible, and I think our Threat Model adequately addresses this. I appreciate your point of view on this though.



The private certificates that sign our binaries are tightly controlled and not accessible to our servers or our GitHub accounts, so the scenario you're describing could only happen if an attacker compromised our GitHub account and our private signing certs (gaining access to our back end servers wouldn't help an attacker at all).

Of course, no system is invulnerable to any attack. But in practice, Doppler's architecture implies a much larger degree of trust (any server breach = secrets compromised) than EnvKey's (servers can be fully breached and secrets still aren't compromised). Doppler looks like a great product in many other ways, but I do think it's important for users to fully understand the risks they're taking.


Although the approaches are different, they both address a security need for all developers. For EnvKey it would be nice if you address the freelancer/single user market in some way - $20 a month for 5 users is a bit pricey for 1 user. Is that something you are considering?



