Vault Encryption
PenumbraForge edited this page Mar 29, 2026 · 1 revision
Gate includes a local encryption vault for securing secret values using AES-256-GCM.
```
gate vault keygen           # Generate a new vault key
gate vault keygen --force   # Overwrite existing key
gate vault encrypt <value>  # Encrypt a string
gate vault decrypt <blob>   # Decrypt a vault blob
gate vault encrypt-env      # Encrypt all values in .env
```

- Algorithm: AES-256-GCM (authenticated encryption)
- IV: 12 bytes (NIST SP 800-38D recommended size)
- Key: 256-bit random key stored in `~/.gate/vault.key`
- Blob format: Base64-encoded JSON with version, algorithm, IV, ciphertext, and auth tag
```json
{
  "v": 1,
  "algo": "aes-256-gcm",
  "iv": "hex-encoded-12-bytes",
  "ct": "hex-encoded-ciphertext",
  "authTag": "hex-encoded-auth-tag"
}
```

The version field (`v: 1`) ensures forward compatibility -- future versions can introduce new algorithms or key derivation without breaking existing blobs.
- Confidentiality: AES-256 encryption
- Integrity: GCM authentication tag detects tampering
- Key storage: `~/.gate/vault.key` created with `0600` permissions
- Directory: `~/.gate/` created with `0700` permissions
- No password derivation: the key is pure random bytes, not derived from a password. The key file IS the master secret -- back it up.
```
gate vault encrypt-env
```

This reads your `.env` file and replaces each value with its encrypted vault blob. The original values can be recovered with `gate vault decrypt`.