Secrets

Securely store and sync sensitive values across machines

Managing Secrets

# Set a secret (prompts for value securely)
configsync secret set API_KEY

# Retrieve a secret (masked by default)
configsync secret get API_KEY

# Retrieve and show plaintext
configsync secret get API_KEY --show

# List all secrets
configsync secret list

Encryption Model

Secrets are double-encrypted. Each secret gets its own salt, derived from the SHA-256 hash of its key name, which is combined with your master key. As a result, two secrets with the same value still produce different ciphertexts.

  • Per-secret salt — SHA-256 of the key name
  • Master key — derived from your master password via PBKDF2
  • Encryption — AES-256-GCM with random IV

Storage

Secrets are stored locally in ~/.configsync/secrets.enc with file permissions set to 0600 (owner read/write only). The server only ever receives encrypted blobs.

The server cannot decrypt your secrets. Your master password never leaves your machine.

Providers

ConfigSync supports multiple secret storage backends:

Provider    Description
built-in    Default encrypted vault in ~/.configsync/secrets.enc
keychain    OS keychain (macOS Keychain, GNOME Keyring, Windows Credential Manager)
1password   1Password via the op CLI
bitwarden   Bitwarden via the bw CLI

Environment Files

When you add a project, any .env and .env.local files are detected and encrypted by default. They follow the same encryption model as secrets.

Env files are always encrypted during push, even if the rest of your configs are stored in plaintext.