Moving Your Dotfiles from a Bare Git Repo to ConfigSync
The bare git repo pattern got you this far. Here's how to graduate to encrypted, cloud-synced configuration management.
The Bare Git Repo Pattern
If you have been managing dotfiles for a while, you have probably seen this pattern — or you are using it right now. The idea is elegant: use a bare git repo in your home directory and an alias to manage files without turning $HOME into a git working tree.
git init --bare $HOME/.dotfiles
alias dotfiles='git --git-dir=$HOME/.dotfiles --work-tree=$HOME'
dotfiles config --local status.showUntrackedFiles no
From there, you add files one by one: dotfiles add ~/.zshrc, dotfiles commit -m "add zshrc", dotfiles push. It works. Thousands of developers use this approach because it requires no external tools — just git.
But as your setup grows, the cracks start to show.
Why the Bare Repo Falls Short
The bare git repo pattern has a fundamental problem: git was not designed for secrets. Every file you commit is stored in plaintext in the git history. That SSH private key you accidentally committed? It is in the reflog forever, even if you force-push over it.
| Concern | Bare Git Repo | ConfigSync |
|---|---|---|
| Secret encryption | None — plaintext in git history | AES-256-GCM with per-secret salts |
| Cloud sync | Manual git push/pull | Built-in encrypted cloud sync |
| Package tracking | Not supported | Tracks 10 package managers |
| Module system | Manual file tracking | Smart modules (ssh, git, vscode, etc.) |
| Watch mode | Not available | Auto-push on file change |
| New machine setup | Clone + checkout + alias | configsync pull |
Beyond security, there is the ergonomics problem. You need the alias in every shell session. You have to manually track every file. There is no concept of "modules" or "packages" — just raw file paths scattered across your home directory.
Step-by-Step Migration
The migration is straightforward because you already know exactly which files you are tracking. Let us start by listing them.
1. List your tracked files
dotfiles ls-tree -r HEAD --name-only
This gives you the full list of every file your bare repo manages. Save this output — it is your migration checklist.
2. Map files to ConfigSync modules
Many of the files in your bare repo correspond to built-in ConfigSync modules. Common mappings:
| Files | ConfigSync Module |
|---|---|
| ~/.ssh/config, ~/.ssh/id_* | ssh |
| ~/.gitconfig, ~/.gitignore_global | git |
| ~/.zshrc, ~/.zprofile, ~/.zshenv | zsh |
| ~/.config/nvim/* | neovim |
| ~/.vimrc | vim |
| VS Code settings.json, keybindings.json | vscode |
3. Add modules to ConfigSync
configsync add module ssh
configsync add module git
configsync add module zsh
configsync add module neovim
Each module knows which files to capture, so you do not need to specify paths manually.
4. Add remaining config files
For any tracked files that do not map to a module, add them individually:
configsync add config ~/.config/starship.toml
configsync add config ~/.tmux.conf
configsync add config ~/.config/alacritty/alacritty.yml
5. Check for exposed secrets in git history
.env files to your bare repo, those secrets are permanently in your git history — even after deletion. Rotate any credentials that were ever tracked in plaintext. ConfigSync encrypts all secrets with AES-256-GCM before they leave your machine.
6. Push your configuration
configsync push
Your entire configuration is now encrypted and stored in the cloud. Pull it on any machine with configsync pull.
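The history check from step 5 can be scripted against the bare repo itself. The script below is an added example, not ConfigSync code and not from the original page; the pattern list in SECRET_RE and the function names find_secret_paths and make_demo_repo are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not ConfigSync code: list secret-looking paths that were EVER
# committed to the bare dotfiles repo, including files deleted since.
# SECRET_RE is an assumed starter list of risky file names; extend it.
SECRET_RE='(^|/)(id_[^/]*|[^/]*\.(pem|key)|\.env(\.[^/]*)?|\.netrc|\.npmrc)$'

# find_secret_paths GIT_DIR  ->  "<path><TAB><tracked|deleted>" per match
find_secret_paths() (
    git_dir=$1
    # --all covers every ref; --diff-filter=A keeps only commits adding a path
    git --git-dir="$git_dir" -c core.quotePath=false log --all \
        --diff-filter=A --format= --name-only |
      sort -u | grep -E "$SECRET_RE" | grep -v '\.pub$' |
      while IFS= read -r path; do
          # Still in HEAD means tracked; otherwise only history holds it
          if git --git-dir="$git_dir" cat-file -e "HEAD:$path" 2>/dev/null
          then state=tracked; else state=deleted; fi
          printf '%s\t%s\n' "$path" "$state"
      done
)

# make_demo_repo DIR: constructed sample history for trying the scan safely.
# DIR must be an absolute path (e.g. from mktemp -d).
make_demo_repo() (
    root=$1
    git init -q --bare "$root/dotfiles"
    mkdir -p "$root/home/.ssh" && cd "$root/home" || exit 1
    export GIT_DIR="$root/dotfiles" GIT_WORK_TREE="$root/home"
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    echo 'export EDITOR=vim'       > .zshrc
    echo 'constructed-private-key' > .ssh/id_ed25519
    echo 'constructed-public-key'  > .ssh/id_ed25519.pub
    echo 'API_TOKEN=constructed'   > .env
    git add -f .zshrc .ssh .env && git commit -qm 'add dotfiles'
    git rm -q .env && git commit -qm 'remove .env'   # history still holds it
)

# Scan the repo given as the first argument, e.g. "$HOME/.dotfiles"
if [ -n "${1:-}" ]; then find_secret_paths "$1"; fi
```

Every path printed, whether tracked or deleted, names a credential to rotate as described in step 5. Run the scan before removing the bare repo in step 7.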
7. Optional: clean up the bare repo
# Remove the bare git repo
rm -rf ~/.dotfiles
# Remove the alias from your shell config
# (ConfigSync is now managing this file anyway)
The Security Win
This is the single biggest reason to migrate. A bare git repo stores everything in plaintext. If your repo is on GitHub — even a private one — your secrets are one leaked token away from exposure.
ConfigSync uses AES-256-GCM encryption with per-secret salts derived from your master password via PBKDF2. Your secrets are encrypted before they leave your machine. The cloud never sees plaintext. Even if someone gains access to your stored data, they cannot read it without your master password.
What You Gain
After migrating, here is what changes in your day-to-day workflow:
- No more git alias — configsync push and configsync pull replace the dotfiles alias entirely
- Encrypted secrets — SSH keys, API tokens, and env files are protected at rest and in transit
- Package tracking — ConfigSync captures your Homebrew, apt, npm global, and other package lists automatically
- Watch mode — run configsync watch and changes are pushed automatically as you make them
- Cloud sync — no need to manage a git remote; sync is built in
- Snapshot history — roll back to any previous state with configsync rollback
The bare git repo was a clever hack. ConfigSync is purpose-built for the problem. Your dotfiles deserve the upgrade.