SecurityOctober 28, 20257 min read

How to Encrypt Your AWS Credentials, SSH Keys, and API Tokens

A hands-on guide to encrypting and syncing the three most commonly leaked credential types across your development machines.

The Three Credentials That Leak Most Often

AWS access keys, SSH private keys, and API tokens (npm, Docker, GitHub) are the three credential types most frequently found in public repositories and data breaches. They share a common trait: they live in dotfiles on developer machines, and developers need them on every machine they work on.

This guide walks through encrypting and syncing each one with ConfigSync. By the end, you will have a single workflow that keeps all three credential types encrypted at rest, encrypted in transit, and available on every machine you use.

AWS Credentials

AWS credentials live in two files: ~/.aws/config (region and profile settings) and ~/.aws/credentials (access keys and secret keys). The config file is generally safe to leave unencrypted — it contains region names and output format preferences. The credentials file contains the keys that grant access to your AWS account.

Add the AWS module
$ configsync add module aws Detected AWS assets: ~/.aws/config (profile settings, will be encrypted) ~/.aws/credentials (access keys, will be encrypted) Added aws module with 2 files.
What gets synced
# ~/.aws/config — encrypted (may contain SSO URLs, account IDs) [default] region = us-east-1 output = json [profile production] region = us-west-2 role_arn = arn:aws:iam::123456789:role/admin source_profile = default # ~/.aws/credentials — encrypted (contains secret keys) [default] aws_access_key_id = AKIAIOSFODNN7EXAMPLE aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCY

After pushing, both files are AES-256-GCM encrypted in ConfigSync's vault. On a new machine, pulling restores them with 0600 permissions. Your AWS CLI, SDKs, and tools like Terraform pick them up automatically from the standard path.

SSH Keys

The SSH module auto-detects all key pairs in ~/.ssh by scanning for id_* files. Private keys are encrypted; public keys are synced in plaintext since they are designed to be shared. The SSH config and known_hosts files are also included.

Add the SSH module
$ configsync add module ssh Detected SSH assets: ~/.ssh/id_ed25519 (private key, will be encrypted) ~/.ssh/id_ed25519.pub (public key, unencrypted) ~/.ssh/id_rsa (private key, will be encrypted) ~/.ssh/id_rsa.pub (public key, unencrypted) ~/.ssh/config (will be encrypted) ~/.ssh/known_hosts (unencrypted) Added ssh module with 6 files.

ConfigSync restores private keys with 0600 permissions, which OpenSSH requires. Without correct permissions, SSH refuses to use the key. ConfigSync handles this automatically so keys work immediately after pulling.

If you use different key types (ed25519, RSA, ECDSA), ConfigSync detects all of them. It scans for any file matching the id_* pattern and classifies each as public or private based on the file content.

npm and Docker Tokens

npm stores authentication tokens in ~/.npmrc, used for publishing packages and accessing private registries. Docker stores credentials in ~/.docker/config.json, used for pulling and pushing images to private registries. Both are frequently committed to dotfile repos by mistake.

Add npm and Docker modules
# npm module — tracks .npmrc $ configsync add module npm Detected npm assets: ~/.npmrc (auth tokens, will be encrypted) Added npm module with 1 file. # Docker module — tracks docker config $ configsync add module docker Detected Docker assets: ~/.docker/config.json (registry credentials, will be encrypted) Added docker module with 1 file.
What these files contain
# ~/.npmrc — registry auth tokens //registry.npmjs.org/:_authToken=npm_a1b2c3d4e5f6g7h8i9 //npm.pkg.github.com/:_authToken=ghp_xxxxxxxxxxxx @company:registry=https://npm.company.com/ # ~/.docker/config.json — registry credentials { "auths": { "https://index.docker.io/v1/": { "auth": "dXNlcm5hbWU6cGFzc3dvcmQ=" }, "123456789.dkr.ecr.us-east-1.amazonaws.com": { "auth": "QVdTOmV5SmtZWFJo..." } } }

Both files are encrypted with AES-256-GCM before upload. On a new machine, pulling restores them so npm install and docker pull work immediately with your private registries.

GPG Keys

GPG keys are used for signing git commits, encrypting files, and authenticating with some package managers. The GPG module tracks your configuration and agent settings.

Add GPG module
$ configsync add module gpg Detected GPG assets: ~/.gnupg/gpg.conf (GPG configuration, will be encrypted) ~/.gnupg/gpg-agent.conf (agent settings, will be encrypted) Added gpg module with 2 files. # Note: GPG private keys should be exported separately # using gpg --export-secret-keys and added as a config file $ gpg --export-secret-keys --armor > ~/.gnupg/private-keys-backup.asc $ configsync add config ~/.gnupg/private-keys-backup.asc

The Complete Workflow

Here is how to add all credential modules, push, verify, and pull on a new machine — the entire setup takes under two minutes:

Add all credential modules at once
# Add all credential modules $ configsync add module aws $ configsync add module ssh $ configsync add module npm $ configsync add module docker $ configsync add module gpg # Push everything $ configsync push Encrypting modules... ✓ aws: 2 files (AES-256-GCM) ✓ ssh: 6 files (4 encrypted, 2 unencrypted) ✓ npm: 1 file (AES-256-GCM) ✓ docker: 1 file (AES-256-GCM) ✓ gpg: 2 files (AES-256-GCM) Pushed 5 modules (12 files total).
Verify what is tracked
$ configsync list Modules: aws 2 files (last pushed: 2 minutes ago) ssh 6 files (last pushed: 2 minutes ago) npm 1 file (last pushed: 2 minutes ago) docker 1 file (last pushed: 2 minutes ago) gpg 2 files (last pushed: 2 minutes ago) Total: 5 modules, 12 files Encrypted: 10 files | Unencrypted: 2 files (public keys, known_hosts)
Pull on a new machine
# On your new machine $ configsync pull Restoring modules... ✓ aws: 2 files restored (permissions: 0600) ✓ ssh: 6 files restored (private keys: 0600, public: 0644) ✓ npm: 1 file restored (permissions: 0600) ✓ docker: 1 file restored (permissions: 0600) ✓ gpg: 2 files restored (permissions: 0600) Restored 12 files across 5 modules. # Everything works immediately: $ aws s3 ls # AWS credentials in place $ ssh git@github.com # SSH keys ready $ npm install @company/pkg # npm tokens active $ docker pull company/image # Docker auth configured

File Permissions: The Detail That Matters

Credential files require strict permissions. If ~/.ssh/id_ed25519 is readable by other users, SSH refuses to use it. If ~/.aws/credentials is world-readable, any process on the machine can harvest your keys. ConfigSync restores all sensitive files with 0600 permissions (owner read/write only).

FilePermissionsEncryptedReason
~/.aws/credentials0600YesContains secret access keys
~/.aws/config0600YesMay contain account IDs, SSO URLs
~/.ssh/id_ed255190600YesSSH private key
~/.ssh/id_ed25519.pub0644NoPublic key (safe to share)
~/.ssh/config0600YesMay contain hostnames, users
~/.ssh/known_hosts0644NoServer fingerprints (not secret)
~/.npmrc0600YesContains auth tokens
~/.docker/config.json0600YesContains registry credentials
~/.gnupg/gpg.conf0600YesGPG configuration

You do not need to remember or configure these permissions. ConfigSync applies them automatically based on the file type and module. Every pull restores the correct permissions so your tools work without manual fixes.

Stop Leaving Credentials Unprotected

AWS keys, SSH keys, and API tokens are the most valuable files on your development machine. They grant access to cloud infrastructure, source code repositories, package registries, and production systems. Leaving them unencrypted in dotfile repos, cloud drives, or scattered across machines is a liability.

Encrypt everything in under a minute
$ npm install -g configsync $ configsync login $ configsync add module aws ssh npm docker gpg $ configsync push Done. All credentials encrypted and synced.

Ready to try ConfigSync?

Sync your entire dev environment across machines in minutes. Free forever for up to 3 devices.

Get StartedRead the Docs