Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Vault

The vault is your local encrypted secrets store. Each cred project has its own vault containing all secrets with rich metadata.

Structure

When you run cred init, cred creates:

.cred/
├── project.toml    # Project metadata
└── vault.enc       # Encrypted secrets

Global configuration lives at:

~/.config/cred/global.toml

Secret Metadata

Each secret in the vault includes:

FieldDescription
keyThe secret name (e.g., DATABASE_URL)
valueThe encrypted secret value
formatContent format (raw, json, pem, etc.)
created_atWhen the secret was first added
updated_atWhen the secret was last modified
descriptionOptional human-readable description
sourceWhere it came from (manual or a source name)

Secret Formats

cred auto-detects the format of your secrets:

FormatDetectionExample
pemStarts with -----BEGINCertificates, private keys
jsonValid JSON object or array{"key": "value"}
base64Single-line base64 contentSGVsbG8gV29ybGQ=
multilineContains newlinesMulti-line text
rawEverything else (default)super-secret-value

You can also specify format explicitly:

cred secret set MY_KEY "value" --format json

Viewing the Vault

List all secrets:

cred secret list

Output:

Vault content:
  API_KEY = ***** (OpenAI production key)
  DATABASE_URL = *****
  JWT_SECRET = ***** [modified]

Get a specific secret:

cred secret get JWT_SECRET

With full metadata (JSON):

cred secret get JWT_SECRET --json
{
    "data": {
        "key": "JWT_SECRET",
        "value": "super-secret",
        "format": "raw",
        "created_at": "2025-12-11T12:00:00Z",
        "updated_at": "2025-12-11T12:00:00Z",
        "description": null
    }
}

Hub-and-Spoke Status

For a complete overview of your project:

cred status
Vault: 3 secrets

  RESEND_API_KEY       [resend]
  DATABASE_URL         [manual]
  JWT_SECRET           [manual] [modified]

Sources: resend ✓
Targets: github ✓

Encryption

The vault is encrypted at rest using ChaCha20-Poly1305. The encryption key is derived from your project and stored securely. See Security Model for details.

Best Practices

  1. Add .cred/ to .gitignore — Never commit your vault
  2. Use descriptions — Document what each secret is for
  3. Keep backups — Export periodically with cred export
  4. Use sources when possible — Generated keys have better audit trails