Syncing Secrets
Safely sync sensitive files like SSH configs, API tokens, and credentials using age encryption.
Some config files contain sensitive data — SSH keys, API tokens, or credentials — that you don’t want to store in plaintext in your git repository. Devsync handles these with secret mode, which encrypts files using age before storing them.
When to Use Secret Mode
Section titled “When to Use Secret Mode”Use --mode secret for any file that contains data you wouldn’t want exposed if your repository became public:
~/.ssh/config— SSH host configuration~/.aws/credentials— AWS access keys~/.config/gh/hosts.yml— GitHub CLI token~/.npmrcwith auth tokens.envfiles with real credentials- Any file containing API keys, passwords, or private tokens
Files that contain no secrets (editor configs, shell aliases, .gitconfig without tokens) can use the default normal mode.
How Age Encryption Works
Section titled “How Age Encryption Works”Devsync uses age for public-key encryption.
- You have a private key (
AGE-SECRET-KEY-...) stored in~/.config/devsync/age/keys.txt - You have one or more recipients (public keys,
AGE1...) used to encrypt files - During
push, secret files are encrypted with all registered recipients’ public keys - During
pull, the encrypted file is decrypted with your private key
This means:
- Anyone without your private key cannot read secret files from the repository
- You can add multiple recipients to share secrets with other trusted devices
Setting Up Your Age Key
Section titled “Setting Up Your Age Key”Your age key is created during devsync init. Press Enter when prompted to generate a new key pair.
devsync init# → Press Enter to generate a new age keyThe private key is saved to ~/.config/devsync/age/keys.txt.
You can also provide an existing key at init time:
devsync init --key AGE-SECRET-KEY-1...Or store a key file path:
devsync init --identity ~/path/to/key.txtTracking a Secret File
Section titled “Tracking a Secret File”devsync track ~/.ssh/config --mode secretdevsync track ~/.aws/credentials --mode secretThen push to encrypt and write to the repository:
devsync pushIn the sync directory, the file is stored with a .devsync.secret extension:
Directory~/.config/devsync/sync/default/
Directory.ssh/
- config.devsync.secret
Directory.aws/
- credentials.devsync.secret
Pulling Secret Files on Another Machine
Section titled “Pulling Secret Files on Another Machine”-
Initialize devsync on the new machine with the existing repository and your backed-up private key:
Terminal window devsync init https://github.com/yourname/dotfiles.git --key AGE-SECRET-KEY-1... -
Pull the files:
Terminal window devsync pullDevsync automatically decrypts secret files and writes them to their local paths.
Adding Recipients for Multiple Devices
Section titled “Adding Recipients for Multiple Devices”If you use multiple machines that each have their own age key pair, you can add additional recipients so that secret files can be decrypted on any of them.
# On the new machine, get its public key (recipient)cat ~/.config/devsync/age/keys.txt# AGE-SECRET-KEY-... (private)# The public key (recipient) is printed during init, or derivable from the key
# On the original machine, add the new device as a recipientdevsync init --recipient AGE1xyz...newdevicepublickey...After adding the recipient and re-pushing, the secret files are encrypted for both keys:
devsync pushSecurity Considerations
Section titled “Security Considerations”- The file content is encrypted, but the filename and path are visible in the repository
- The
.devsync.secretextension reveals that a file is a tracked secret, though not its content - Secret files in the repository are safe to store in a public repository from a content perspective, but be aware that path visibility may leak information about your setup