Personal fleet
Use trusted-owner-ssh. Your laptop, desktop, server, NUC — all behind SSH trust you already manage.
Three modes, one CLI
env-sync gives you explicit control over how secrets are stored, transported, and who gets access. Pick the security model that fits your scenario.
Mode comparison at a glance
| Dimension | dev-plaintext-http | trusted-owner-ssh | secure-peer |
|---|---|---|---|
| Storage | Plaintext | Plaintext (optional AGE) | AGE encrypted (mandatory) |
| Transport | HTTP | SCP / SSH | HTTPS + mTLS |
| Onboarding | Open — any peer on the network | Zero-touch if SSH access exists | Invitation + explicit approval |
| Authorization | None | Implicit via SSH trust | Explicit approved / revoked states |
| Best for | Local debugging only | All your own machines | Multiple owners sharing secrets |
Mode A: dev-plaintext-http
Debug-only mode with no encryption at rest or in transit and no authentication. Use this exclusively for isolated local testing — never for real secrets.
env-sync mode set dev-plaintext-httpMode B: trusted-owner-ssh default
Ideal when every machine belongs to you. SSH provides encrypted transport and authentication automatically. Storage is plaintext by default because trust is already broad in this model; optional AGE encryption can be enabled for defense-in-depth.
How sync works
- Discover peers with mDNS, filter by SSH reachability.
- Fetch secrets from peers via SCP/SSH.
- Compare metadata versions and timestamps.
- Merge changes and write locally with automatic backup.
env-sync mode set trusted-owner-sshMode C: secure-peer
Designed for cross-owner collaboration. No shell access is shared between peers — mTLS handles authentication and AGE handles encryption at rest. Access requires an explicit invitation and approval step.
How sync works
- Discover peers over mDNS.
- Establish mTLS connection and verify authorization.
- Fetch encrypted secrets and decrypt locally with your AGE key.
- Merge using per-key timestamps for granular conflict resolution.
- Re-encrypt to all known recipients and save with backup.
- Replay signed membership events for offline catch-up.
env-sync mode set secure-peerChoosing the right mode
Team collaboration
Use secure-peer. Team members get secrets without SSH access to each other's machines.
Quick debugging
Use dev-plaintext-http. Fast setup for throwaway testing — never store real credentials here.