Security Model
Zero-knowledge encryption — the server never sees your data
Zero-Knowledge Architecture
All encryption and decryption happens on your machine. The server stores only encrypted blobs in R2 and metadata in D1. Your master password never leaves your device.
Key Derivation
Your master password is transformed into an encryption key using PBKDF2:
- Algorithm: PBKDF2-SHA256
- Iterations: 100,000
- Salt: 32-byte random (generated once during init)
- Output: 32-byte derived key
Encryption
Data is encrypted using AES-256-GCM with a fresh random IV for every encryption operation.
| Component | Size |
|---|---|
| IV (nonce) | 12 bytes, random |
| Auth tag | 16 bytes |
| Ciphertext | Variable length |
Wire format: `[IV 12 bytes][authTag 16 bytes][ciphertext]`
Secret Double-Encryption
Secrets receive an additional layer of protection. Each secret has a per-key salt derived from the SHA-256 hash of its key name, combined with the master-derived key. Two secrets with identical values produce different ciphertexts.
File Permissions
All sensitive local files are stored with mode 0600 (owner read/write only). This includes:
- `~/.configsync/secrets.enc`
- `~/.configsync/key.salt`
- Encrypted module files (SSH keys, credentials)
Secret Providers
For additional security, you can store secrets in external vaults instead of the built-in encrypted file:
- Built-in vault — default, encrypted local file
- OS keychain — macOS Keychain, GNOME Keyring, Windows Credential Manager
- 1Password — via the `op` CLI
- Bitwarden — via the `bw` CLI
Transport Security
All communication with the ConfigSync cloud uses TLS 1.3. Because data is encrypted before it leaves your device, a compromised TLS connection would expose only encrypted blobs, not plaintext.
Environment Protection
Environment protection tiers add a human-verification layer to prevent accidental operations against sensitive environments. See the Environments page for details.