Vault
The vault is your local encrypted secrets store. Each cred project has its own vault containing all secrets with rich metadata.
Structure
When you run cred init, cred creates:
.cred/
├── project.toml # Project metadata
└── vault.enc # Encrypted secrets
Global configuration lives at:
~/.config/cred/global.toml
Secret Metadata
Each secret in the vault includes:
| Field | Description |
|---|---|
key | The secret name (e.g., DATABASE_URL) |
value | The encrypted secret value |
format | Content format (raw, json, pem, etc.) |
created_at | When the secret was first added |
updated_at | When the secret was last modified |
description | Optional human-readable description |
source | Where it came from (manual or a source name) |
Secret Formats
cred auto-detects the format of your secrets:
| Format | Detection | Example |
|---|---|---|
pem | Starts with -----BEGIN | Certificates, private keys |
json | Valid JSON object or array | {"key": "value"} |
base64 | Single-line base64 content | SGVsbG8gV29ybGQ= |
multiline | Contains newlines | Multi-line text |
raw | Everything else (default) | super-secret-value |
You can also specify format explicitly:
cred secret set MY_KEY "value" --format json
Viewing the Vault
List all secrets:
cred secret list
Output:
Vault content:
API_KEY = ***** (OpenAI production key)
DATABASE_URL = *****
JWT_SECRET = ***** [modified]
Get a specific secret:
cred secret get JWT_SECRET
With full metadata (JSON):
cred secret get JWT_SECRET --json
{
"data": {
"key": "JWT_SECRET",
"value": "super-secret",
"format": "raw",
"created_at": "2025-12-11T12:00:00Z",
"updated_at": "2025-12-11T12:00:00Z",
"description": null
}
}
Hub-and-Spoke Status
For a complete overview of your project:
cred status
Vault: 3 secrets
RESEND_API_KEY [resend]
DATABASE_URL [manual]
JWT_SECRET [manual] [modified]
Sources: resend ✓
Targets: github ✓
Encryption
The vault is encrypted at rest using ChaCha20-Poly1305. The encryption key is derived from your project and stored securely. See Security Model for details.
Best Practices
- Add
.cred/to.gitignore— Never commit your vault - Use descriptions — Document what each secret is for
- Keep backups — Export periodically with
cred export - Use sources when possible — Generated keys have better audit trails