Dotweave v0.39.7

Syncing Secrets

Encrypt sensitive files with age so they stay safe in your Git repository.

Some config files contain sensitive data — SSH keys, API tokens, credentials — that you definitely don’t want sitting in plaintext in a Git repository. Dotweave handles this with secret mode, which encrypts files using age before storing them in the sync directory.


age is a simple, modern file encryption tool. Dotweave uses it under the hood so you don’t need to install anything separately — it’s built right in.

Here’s how it works in dotweave:

  • Recipients are public keys (age1...) used to encrypt files. You can have multiple recipients so different machines can decrypt the same files.
  • Identity is your private key (AGE-SECRET-KEY-...), stored at ~/.config/dotweave/age-identity.txt. This is what decrypts your files during pull.

The key idea: anyone with a recipient (public key) can encrypt data for you, but only the holder of the identity (private key) can decrypt it.


When you run dotweave init, dotweave generates an age key pair for you automatically:

dotweave init

Your private key is saved to ~/.config/dotweave/age-identity.txt, and the corresponding public key is registered as a recipient in your sync config.


Already have an age key from another machine? You can provide it during init:

# Pass the key directly
dotweave init --key AGE-SECRET-KEY-1ABCDEF...
# Or let dotweave prompt you to paste it
dotweave init --promptKey

This way all your machines share the same identity and can decrypt each other’s secrets. Prefer --promptKey on a shared or monitored machine: a key passed with --key is recorded in your shell history and is visible in the process list for as long as init runs.

When you connect to an existing sync repository with dotweave init <repo>, you must provide that private key: the secret files already in the repository are encrypted to its existing recipients, and a freshly generated key could not decrypt them.


Use --mode secret when tracking sensitive files:

dotweave track ~/.ssh/config --mode secret
dotweave track ~/.aws/credentials --mode secret
dotweave track ~/.config/gh/hosts.yml --mode secret

Then push to encrypt and store them:

dotweave push

In the sync directory, encrypted files get an .age suffix:

sync-directory/
├── default/
│   ├── .ssh/
│   │   └── config.age
│   └── .aws/
│       └── credentials.age

  1. Initialize dotweave on the new machine with your existing repository and private key:

    dotweave init https://github.com/you/dotfiles.git --key AGE-SECRET-KEY-1ABCDEF...
  2. Pull your files:

    dotweave pull

    Dotweave automatically decrypts secret files and writes them to their original paths. Done!


If each of your machines has its own age key pair, you can add additional recipients so secret files are encrypted for all of them.

# On the original machine, add the new device's public key as a recipient
dotweave recipient add age1newdevicepublickey...

Adding a recipient only affects future encryption; files already pushed stay encrypted to the old set of keys, so re-push to have every secret file re-encrypted for all recipients:

dotweave push
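The recipient/identity model described above, and why a re-push after dotweave recipient add is necessary, can be reproduced with the standalone age CLI. This is an added example, not dotweave’s code or commands: it assumes age and age-keygen are on PATH (dotweave bundles age, but the standalone tools stand in for it here), models the recipient list from the sync config as a plain recipients file, and models dotweave push as one age invocation per secret file. The credentials file it encrypts is constructed for the example.

```shell
#!/bin/sh
# Added example, not dotweave's code: the recipient/identity model behind secret
# mode, reproduced with the standalone age and age-keygen CLIs (assumed on PATH).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RECIPIENTS="$WORK/recipients.txt"   # stand-in for the recipient list in the sync config
: > "$RECIPIENTS"

HAVE_AGE=0
if command -v age >/dev/null 2>&1 && command -v age-keygen >/dev/null 2>&1; then
    HAVE_AGE=1
fi

# One identity (private key) per machine, as in the "each machine has its own
# key pair" setup. age-keygen -y derives the age1... recipient from an identity.
setup_machines() {
    age-keygen -o "$WORK/laptop.txt" 2>/dev/null
    age-keygen -o "$WORK/desktop.txt" 2>/dev/null
    LAPTOP_PUB=$(age-keygen -y "$WORK/laptop.txt")
    DESKTOP_PUB=$(age-keygen -y "$WORK/desktop.txt")
}

# Stand-in for `dotweave recipient add age1...`: one more public key to encrypt to.
recipient_add() {
    echo "$1" >> "$RECIPIENTS"
}

# Stand-in for `dotweave push` on one secret file: encrypt to every recipient.
push_encrypt() {                    # push_encrypt PLAINTEXT OUT.age
    age -R "$RECIPIENTS" -o "$2" "$1"
}

# Does IDENTITY decrypt FILE.age back to PLAINTEXT? Exit 0 if yes, 1 if not.
can_decrypt() {                     # can_decrypt IDENTITY FILE.age PLAINTEXT
    age -d -i "$1" "$2" 2>/dev/null | cmp -s - "$3"
}

if [ "$HAVE_AGE" = 1 ]; then
    setup_machines
    # Constructed stand-in for ~/.aws/credentials; no real key material.
    printf '[default]\naws_access_key_id = EXAMPLEKEYID\n' > "$WORK/credentials"

    # First push: only the laptop is a recipient.
    recipient_add "$LAPTOP_PUB"
    push_encrypt "$WORK/credentials" "$WORK/first-push.age"
    can_decrypt "$WORK/laptop.txt"  "$WORK/first-push.age" "$WORK/credentials" && echo "laptop:  decrypts first push"
    can_decrypt "$WORK/desktop.txt" "$WORK/first-push.age" "$WORK/credentials" || echo "desktop: cannot decrypt first push (not a recipient yet)"

    # Add the desktop's public key and push again: the file is re-encrypted
    # with one stanza per recipient, so both identities can open it.
    recipient_add "$DESKTOP_PUB"
    push_encrypt "$WORK/credentials" "$WORK/second-push.age"
    can_decrypt "$WORK/desktop.txt" "$WORK/second-push.age" "$WORK/credentials" && echo "desktop: decrypts second push"
    # Adding a recipient changes nothing about ciphertext already in the repo.
    can_decrypt "$WORK/desktop.txt" "$WORK/first-push.age" "$WORK/credentials" || echo "desktop: still cannot decrypt the old ciphertext"
else
    echo "age and age-keygen not found on PATH; install them to run this example" >&2
fi
```

The desktop identity fails on first-push.age and succeeds on second-push.age; nothing about adding a recipient touches ciphertext that already exists, which is exactly why dotweave needs the re-push.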

  • The file content is encrypted, but the filename and path remain visible in the sync directory, the .age extension reveals that it’s an encrypted file, the ciphertext length closely tracks the plaintext length, and the age header shows how many recipients a file was encrypted to.
  • Your age identity (private key) is not synced by dotweave. You need to transfer it manually, via a password manager, secure copy, or some other trusted channel. Treat it like an SSH private key: keep ~/.config/dotweave/age-identity.txt readable only by you, because anyone who obtains it together with the repository can decrypt every secret encrypted to it, in current and past commits alike.
  • If a file was ever pushed without --mode secret, its plaintext is still in the repository’s Git history. Switching it to secret mode only changes future pushes; rotate the credential and purge the history yourself.
  • If you lose your private key and have no other recipients configured, your encrypted files are unrecoverable. Seriously, back it up, and confirm the backup works by decrypting a file with it.
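A pre-push check for the caveats above, added here and not part of dotweave: it walks a sync directory, flags sensitive paths stored without the .age suffix, flags .age files that do not start with age’s format header (the binary format’s first line is age-encryption.org/v1; the ASCII-armored form begins with -----BEGIN AGE ENCRYPTED FILE-----), and counts the recipient stanzas in each binary header, which is the recipient-count leak mentioned above. The sensitive-path patterns and the sample directory are constructed for the example; the sample .age file is a well-formed header over dummy base64, not a real ciphertext, and would not decrypt.

```shell
#!/bin/sh
# Added check (not part of dotweave): audit a dotweave sync directory before
# pushing. The sensitive-path patterns are an assumption; extend them to match
# the files you track.
set -eu

# Paths that should only ever appear encrypted, relative to the sync directory
# (e.g. default/.ssh/config.age).
is_sensitive_path() {
    case "$1" in
        */.ssh/*|*/.aws/*|*/.gnupg/*|*/.netrc|*/gh/hosts.yml|*credentials*|*token*)
            return 0 ;;
    esac
    return 1
}

# age's binary format begins with this exact line, the armored form with a
# PEM-style banner. A .age file that starts with anything else is plaintext
# that merely got the suffix.
is_age_file() {
    first=$(head -n 1 "$1" 2>/dev/null || true)
    [ "$first" = "age-encryption.org/v1" ] || [ "$first" = "-----BEGIN AGE ENCRYPTED FILE-----" ]
}

# Number of recipient stanzas ("-> X25519 ...", "-> ssh-ed25519 ...", ...) in a
# binary-format header: one per recipient the file was encrypted to. The header
# ends at the "--- <MAC>" line, so the ciphertext body is never read. Armored
# files report 0; decode them first if you need the count.
recipient_count() {
    sed -n -e '/^---/q' -e '/^-> /p' "$1" | wc -l | tr -d ' '
}

# Walk the sync directory and print one line per file of interest:
#   PLAINTEXT <path>   sensitive path stored without the .age suffix
#   NOT-AGE   <path>   .age suffix but not an age-format file
#   OK        <path>   (<n> recipient stanzas)
audit_sync_dir() {                  # audit_sync_dir SYNC_DIR
    dir=${1%/}
    find "$dir" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#"$dir/"}
        case "$rel" in
            *.age)
                if is_age_file "$f"; then
                    echo "OK        $rel ($(recipient_count "$f") recipient stanzas)"
                else
                    echo "NOT-AGE   $rel"
                fi ;;
            *)
                if is_sensitive_path "$rel"; then echo "PLAINTEXT $rel"; fi ;;
        esac
    done
}

# Number of PLAINTEXT / NOT-AGE findings; anything but 0 means do not push.
audit_problems() {
    audit_sync_dir "$1" | grep -c -E '^(PLAINTEXT|NOT-AGE) ' || true
}

# Constructed sample sync directory in the layout shown above.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/default/.ssh" "$SAMPLE/default/.aws"

# Well-formed age header with two X25519 stanzas over dummy base64; not a real
# ciphertext, so it only serves the header checks.
printf '%s\n' \
  'age-encryption.org/v1' \
  '-> X25519 dummyEphemeralShareAAAAAAAAAAAAAAAAAAAAAAAA' \
  'dummyWrappedFileKeyAAAAAAAAAAAAAAAAAAAAAAAAA' \
  '-> X25519 dummyEphemeralShareBBBBBBBBBBBBBBBBBBBBBBBB' \
  'dummyWrappedFileKeyBBBBBBBBBBBBBBBBBBBBBBBBB' \
  '--- dummyHeaderMacCCCCCCCCCCCCCCCCCCCCCCCCCCCCC' \
  'ciphertext-bytes-would-follow-here' > "$SAMPLE/default/.ssh/config.age"
# Mistake 1: tracked without --mode secret, so it landed in plaintext.
printf '[default]\naws_access_key_id = EXAMPLEKEYID\n' > "$SAMPLE/default/.aws/credentials"
# Mistake 2: renamed to .age by hand but never encrypted.
printf 'machine example.com login me password hunter2\n' > "$SAMPLE/default/.netrc.age"
# Fine: an ordinary dotfile that belongs in plaintext.
printf 'alias ll="ls -l"\n' > "$SAMPLE/default/.bashrc"

audit_sync_dir "$SAMPLE"
echo "problems: $(audit_problems "$SAMPLE")"
```

Run it against your real sync directory (audit_sync_dir ~/path/to/sync) from a pre-push hook or by hand; the two constructed mistakes produce one PLAINTEXT and one NOT-AGE line, and config.age reports 2 recipient stanzas, which is the count an outsider can read off the header without any key.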