
Trusted Peers setup

Set up trusted-owner-ssh mode — ideal when every device on the network belongs to you. Secrets sync over SSH, no invitation required.

Overview

trusted-owner-ssh is the default mode. It uses SCP/SSH for transport so any machine you can SSH into is automatically a sync peer. No server process is needed — env-sync calls SSH directly.

Aspect     | Detail
-----------|-----------------------------------------------------
Transport  | SCP / SSH (encrypted by default)
Storage    | Plaintext by default, optional AGE encryption
Onboarding | Zero-touch — any peer reachable via SSH
Best for   | Your laptop, desktop, NUC, home server — all yours

Step 1 — Set up your first device

Install env-sync and initialize on the machine that already has the secrets you want to share.

# install env-sync
curl -fsSL https://envsync.arnav.tech/install.sh | sudo bash

# verify
env-sync --version

# set mode (trusted-owner-ssh is the default, but be explicit)
env-sync mode set trusted-owner-ssh --yes

# initialize the secrets file
env-sync init

# add your secrets
env-sync add OPENAI_API_KEY="sk-abc123xyz"
env-sync add DATABASE_URL="postgres://user:pass@localhost/db"

# check status
env-sync status

At this point your first device is ready. Secrets are stored at ~/.config/env-sync/.secrets.env.

Step 2 — Add a second device

Install env-sync on the new machine and set up SSH access so both machines can reach each other.

2a — Install env-sync on the new device

# on the new machine
curl -fsSL https://envsync.arnav.tech/install.sh | sudo bash
env-sync mode set trusted-owner-ssh --yes
env-sync init

2b — Set up SSH keys between the two machines

Both machines need passwordless SSH access to each other. Run from each machine:

# from the NEW machine → first device (replace user and host with your own)
ssh-copy-id user@first-device.local

# from the FIRST device → new machine
ssh-copy-id user@new-device.local

Verify SSH works in both directions:

ssh user@first-device.local "echo ok"
ssh user@new-device.local "echo ok"
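Added example, not part of env-sync or this guide: a POSIX shell check that SSH to each peer is genuinely non-interactive, which is what a cron-driven sync relies on. `ssh -o BatchMode=yes` fails instead of prompting for a password or host-key confirmation, so a peer that only "works" because you typed a password shows up as FAIL. The `SSH_CMD` override and the peer names are assumptions made for the example.

```shell
# Added example (not env-sync's own code): confirm passwordless SSH to every peer.
# SSH_CMD is an assumed override so the check can be exercised without a network.
SSH_CMD="${SSH_CMD:-ssh}"

# check_peer USER@HOST -> 0 if "echo ok" round-trips without any prompt, 1 otherwise.
# BatchMode=yes turns a would-be prompt into a failure; ConnectTimeout keeps a
# dead peer from hanging the check.
check_peer() {
    out=$("$SSH_CMD" -o BatchMode=yes -o ConnectTimeout=5 "$1" 'echo ok' 2>/dev/null) || return 1
    [ "$out" = "ok" ]
}

# check_peers "user@a.local user@b.local" -> one OK/FAIL line per peer;
# the exit status is the number of unreachable peers (0 means all good)
check_peers() {
    failed=0
    for peer in $1; do
        if check_peer "$peer"; then
            echo "OK   $peer"
        else
            echo "FAIL $peer (no passwordless SSH; an unattended sync would hang or fail)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# usage: check_peers "user@first-device.local user@new-device.local"
```

Because the guide requires access in both directions, run it from each device against all the others; the non-zero exit status can gate a cron job so a sync is not attempted against a peer that would prompt.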

2c — Discover and sync

# on the new machine — discover peers
env-sync discover

# sync secrets from the first device
env-sync sync

The new machine will discover the first device via mDNS, fetch secrets over SCP, and merge them locally. Both machines now have identical secrets.

Step 3 — Add more devices

Repeat Step 2 for every additional machine. The process is always the same:

  1. Install env-sync and initialize.
  2. Exchange SSH keys with at least one existing peer.
  3. Run env-sync sync to pull secrets.

Because discovery uses mDNS, the new machine will automatically find all peers on the local network. It only needs SSH access to one of them to fetch the secrets file.

# on each new machine
curl -fsSL https://envsync.arnav.tech/install.sh | sudo bash
env-sync mode set trusted-owner-ssh --yes
env-sync init
ssh-copy-id user@existing-peer.local   # any peer that already has the secrets
env-sync sync

Optional — Enable AGE encryption

By default, secrets are stored in plaintext (SSH already encrypts the transport). For defense-in-depth you can enable per-value AGE encryption:

On every device

# initialize with encryption (generates an AGE key pair)
env-sync init --encrypted

Exchange public keys

Each device needs the AGE public keys of all other devices so secrets can be encrypted for everyone:

# on device A — get its public key
env-sync key show
# outputs: age1xxxxxxxxxx...

# on device B — import device A's key
env-sync key import age1xxxxxxxxxx... deviceA.local

# repeat in both directions for every pair

Sync to re-encrypt

# trigger a sync to re-encrypt secrets for all known recipients
env-sync sync

After sync, secrets are encrypted to all registered public keys. New devices added later will trigger automatic re-encryption when they sync.

Automate sync

# install cron job (syncs every 30 minutes)
env-sync cron --install

# or with a custom interval
env-sync cron --install --interval 10

# auto-load secrets in your shell
# add to ~/.bashrc or ~/.zshrc:
eval "$(env-sync load 2>/dev/null)"

Remove a device from the network

When a machine leaves your fleet (sold, decommissioned, etc.), clean it up:

On the departing device

# stop the service and remove cron
env-sync service uninstall
env-sync cron --remove

# delete all local data
rm -rf ~/.config/env-sync

# remove the binary
sudo rm -f /usr/local/bin/env-sync

On remaining devices

# remove the departing machine's SSH key (optional)
ssh-keygen -R departed-host.local

If encryption is enabled, the departing device's public key will be automatically dropped from the recipient list on the next sync, since it no longer advertises itself via mDNS.

For extra security: removing the device does not revoke anything it already held, so rotate any secrets the departing device had access to.

All set?

Check out the usage guide for advanced features like force-pull, dry-run, and secret management.