Syncing Docker, AWS CLI, and Cloud Tool Credentials
Cloud CLI tools store credentials in dotfiles scattered across your home directory. Here's how to sync them securely across machines without exposing secrets.
The Problem: Credentials Everywhere
Modern development involves a constellation of cloud tools, each storing authentication in its own dotfile. AWS CLI writes to ~/.aws/credentials. Docker stores registry auth in ~/.docker/config.json. npm keeps tokens in ~/.npmrc. Cloudflare Wrangler stores OAuth tokens in its own config directory.
Every new machine means re-authenticating with every service. For a developer using AWS, Docker Hub, a private npm registry, and Cloudflare, that is four separate login flows before you can even start working. And these credentials must never end up in a git repository or unencrypted backup.
AWS CLI: Config and Credentials
AWS CLI stores two files: ~/.aws/config (regions, output format, profiles) and ~/.aws/credentials (access keys and secrets). ConfigSync handles both with appropriate security:
This tracks both files. The config file is stored as plain text since it contains no secrets. The credentials file is automatically encrypted because it contains access keys and secret keys.
Docker: Registry Authentication
Docker stores registry credentials in ~/.docker/config.json. If you use Docker Hub, GitHub Container Registry, AWS ECR, or any private registry, your auth tokens live in this file.
The entire config.json is encrypted because it contains registry authentication tokens. On restore, ConfigSync writes it with restricted permissions:
Cloudflare Wrangler: OAuth Tokens
If you deploy to Cloudflare Workers, Wrangler stores OAuth tokens after you run wrangler login. These tokens let you deploy, manage D1 databases, and access R2 storage without re-authenticating.
ConfigSync encrypts the Wrangler auth tokens and restores them on any new machine. No need to run wrangler login again, no need to open a browser for OAuth flow, no need to reconfigure your Cloudflare account.
npm: Registry Auth Tokens
If you publish packages or use a private registry, ~/.npmrc contains authentication tokens. These are essential for CI workflows and local development:
The entire .npmrc is encrypted since it typically contains one or more auth tokens. On restore, you can immediately npm install from private registries without re-authenticating.
Security: How ConfigSync Protects Credentials
Syncing credentials demands strong security. Here is how ConfigSync handles it:
| Security Feature | How It Works |
|---|---|
| Encryption | AES-128 via Fernet, derived from your master password with PBKDF2 |
| Per-file salts | Each encrypted file uses a unique salt, preventing correlation attacks |
| File permissions | Sensitive files restored with 0600 (owner read/write only) |
| Zero plaintext | Credentials are encrypted before leaving your machine |
| Master password | Never stored or transmitted — only you know it |
Your credentials are never stored in plaintext on ConfigSync servers. Even if someone accessed your ConfigSync account, they could not read your AWS keys, Docker tokens, or npm credentials without your master password.
Syncing All Cloud Credentials at Once
The complete setup for syncing all your cloud tool credentials:
One push, one pull. Every cloud CLI tool authenticated and ready to use. No browser windows, no login flows, no copying tokens from password managers. Just start working.
Ready to try ConfigSync?
Sync your entire dev environment across machines in minutes. Free forever for up to 3 devices.