Security overview

Pier’s threat model assumes:

  • The operator controls the server and the Pier binary.
  • The operator wants secrets safe even if the SQLite file leaks.
  • The dashboard is on the public internet, behind Traefik TLS.
  • Encryption at rest — every environment variable is encrypted with AES-256-GCM before being stored. The key is in /opt/pier/.env, separate from the database.
  • JWT sessions with bcrypt passwords — no third-party auth dependencies.
  • No secret echoing — API responses never return decrypted env vars except through an explicit GET /env endpoint.
  • Dependency detection on the backend — the Canvas view computes service relationships on the server so the browser never sees env-var values.
  • Permissions — .env and pier.db are chmod 600.
  • Daily backups — the database and key are snapshotted to data/backups/system/; 7 rolling copies kept.
  • Open only ports 80, 443, and 8443 on the firewall.
  • Use a strong admin password on first setup.
  • Keep the /opt/pier/.env file out of any repository. Back it up separately.
  • Rotate PIER_SECRET only if the old key is compromised — rotation requires re-encrypting all rows.
  • Consider running the dashboard behind a VPN instead of exposing port 8443 publicly. Pier supports this (bind the dashboard to 127.0.0.1 and access it via SSH tunnel or a WireGuard/AmneziaWG link).
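
The encryption-at-rest and key-rotation items above, sketched as an added Go example that is not Pier's own code. It assumes a raw 32-byte key, a stored row laid out as nonce || ciphertext || tag, and an in-memory map standing in for the SQLite rows; `Key`, `gcm`, `seal`, `open` and `rotate` are hypothetical names.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Key [32]byte // fixed 32-byte key, so the cipher is always AES-256
func gcm(k Key) cipher.AEAD {
	block, _ := aes.NewCipher(k[:]) // cannot fail: 32 bytes is a valid AES key size
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has a 16-byte block
	return aead
}

// seal encrypts one value. Assumed row layout: random 12-byte nonce || ciphertext || tag.
func seal(k Key, plaintext []byte) []byte {
	nonce := make([]byte, gcm(k).NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: never fall back to a predictable nonce
	}
	return gcm(k).Seal(nonce, nonce, plaintext, nil)
}

// open decrypts a row; a wrong key or a modified row fails the GCM tag check.
func open(k Key, row []byte) ([]byte, error) {
	n := gcm(k).NonceSize()
	if len(row) < n {
		return nil, fmt.Errorf("row too short: %d bytes", len(row))
	}
	return gcm(k).Open(nil, row[:n], row[n:], nil)
}

// rotate re-encrypts every row (map = stand-in for the table) under newKey; on error the old rows stay untouched.
func rotate(oldKey, newKey Key, rows map[string][]byte) (map[string][]byte, error) {
	out := make(map[string][]byte, len(rows))
	for name, row := range rows {
		pt, err := open(oldKey, row)
		if err != nil {
			return nil, fmt.Errorf("row %s: %w", name, err)
		}
		out[name] = seal(newKey, pt)
	}
	return out, nil
}

func main() {
	rows, err := rotate(Key{1}, Key{2}, map[string][]byte{"DATABASE_URL": seal(Key{1}, []byte("demo-value"))})
	fmt.Println(len(rows), "row(s) rotated, err =", err) // Key{1}, Key{2}: constructed demo keys
}
```

Because `rotate` returns a new set of rows instead of overwriting in place, a single undecryptable row aborts the rotation before anything stored under the old key is lost.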

Send details to the address in /.well-known/security.txt. We respond within 72 hours and publish acknowledgements with each release.