# Vault Management

The vault is the heart of rsenv: a project-associated directory that stores sensitive files, environment configurations, and development overrides outside your git repository.
## Vault Structure

```text
~/.rsenv/vaults/myproject-a1b2c3d4/
├── dot.envrc          # The "real" .envrc (your project symlinks to this)
├── envs/              # Environment hierarchy files
│   ├── local.env
│   ├── test.env
│   ├── int.env
│   └── prod.env
├── guarded/           # Sensitive files moved from project
│   └── config/
│       └── secrets.yaml
└── swap/              # Development override files
    └── application.yml
```
## Project and Vault Links

```text
PROJECT                                VAULT
.envrc ──────── symlink ─────────────► dot.envrc
  │                                       │
  │                                       ├── export RSENV_VAULT=...
  │                                       │
  └── RSENV_VAULT points to ─────────────►│
```

- Project → Vault: `.envrc` is a symlink to the vault's `dot.envrc`
- Vault → Project: the `RSENV_VAULT` variable provides the path back
## Creating a Vault

```bash
cd /path/to/myproject
rsenv init vault
```

What this does:

- Creates vault directory: `~/.rsenv/vaults/myproject-{id}/`
- Creates subdirectories: `envs/`, `guarded/`, `swap/`
- Moves existing `.envrc` to vault as `dot.envrc` (preserving content)
- Creates default env files: `local.env`, `test.env`, `int.env`, `prod.env`
- Injects rsenv section into `dot.envrc`
- Creates symlink: `.envrc` → `dot.envrc`
Options:

```bash
# Use absolute paths for symlinks (default: relative)
rsenv init vault --absolute

# Initialize specific directory
rsenv init vault /path/to/project
```

## Checking Vault Status

```bash
rsenv info
```

Output:

```text
Project: /home/user/myproject
Vault: /home/user/.rsenv/vaults/myproject-a1b2c3d4
Sentinel ID: myproject-a1b2c3d4
Guarded files: 2
Swap files: 1
```
## Resetting a Project

```bash
rsenv init reset
```

What this does:

- Restores all guarded files from vault back to project
- Removes `.envrc` symlink
- Restores original `.envrc` content (removes rsenv section)

Note: The vault directory is NOT deleted. Remove manually if needed:

```bash
rm -rf ~/.rsenv/vaults/myproject-a1b2c3d4
```

## Guarding Sensitive Files

Guarding moves sensitive files to the vault and creates symlinks in their place.
```bash
rsenv guard add path/to/sensitive/file.yaml
```

Before:

```text
project/
└── config/
    └── secrets.yaml          # actual file with secrets
```

After:

```text
project/                                vault/guarded/
└── config/                             └── config/
    └── secrets.yaml → symlink ─────────────► secrets.yaml
```

Options:

```bash
# Use absolute symlink paths
rsenv guard add --absolute secrets.yaml

# Guard from project root with -C
rsenv -C /path/to/project guard add config/secrets.yaml
```

List guarded files:

```bash
rsenv guard list
```

Output:

```text
Guarded files:
config/secrets.yaml → vault/guarded/config/secrets.yaml
.credentials/api-key → vault/guarded/.credentials/api-key
```

Restore a file:

```bash
rsenv guard restore config/secrets.yaml
```

This moves the file back from vault to project, removing the symlink.
You can guard any file within your project directory:

- Configuration files (`secrets.yaml`, `credentials.json`)
- Certificate files (`.pem`, `.key`, `.p12`)
- Database configs
- API keys and tokens
- Anything you don't want in git

Note: You cannot guard files outside the project directory. Guarding replaces the file with a symlink, but git tracks a symlink as an ordinary entry whose content is the link's target path, so add guarded paths to `.gitignore` if the link itself should not be committed.
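The following is an added example and not rsenv's own code: a POSIX shell model of the guard add/list/restore flow described above. It enforces the two preconditions the page names (the file must be inside the project and must not already be a symlink), creates a relative link by default, and models the `--absolute` option as an optional fourth argument. The function names, the temporary project and vault directories, and the `secrets.yaml` content are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not rsenv's implementation): model of `rsenv guard add`,
# `rsenv guard list` and `rsenv guard restore` using plain mv/ln/readlink.
set -eu

# relpath FROM_DIR TARGET: print TARGET as a path relative to FROM_DIR (POSIX sh,
# no `realpath --relative-to`). A relative link keeps working when project and
# vault are moved together.
relpath() {
  from=$(cd "$1" && pwd -P)
  tdir=$(cd "$(dirname "$2")" && pwd -P)
  tbase=$(basename "$2")
  up=""
  while [ "$from" != "/" ] && [ "$tdir" != "$from" ] && [ "${tdir#"$from"/}" = "$tdir" ]; do
    from=$(dirname "$from")
    up="../$up"
  done
  rest=${tdir#"$from"}
  rest=${rest#/}
  if [ -n "$rest" ]; then rest="$rest/"; fi
  printf '%s%s%s\n' "$up" "$rest" "$tbase"
}

# guard_add PROJECT VAULT REL [absolute]: move PROJECT/REL to VAULT/guarded/REL
# and leave a symlink at PROJECT/REL (relative unless "absolute" is given).
guard_add() {
  project=$(cd "$1" && pwd -P)
  vault=$(cd "$2" && pwd -P)
  rel=$3
  mode=${4:-relative}
  src="$project/$rel"
  if [ -L "$src" ]; then                      # precondition: not already a symlink
    echo "refusing: $rel is already a symlink" >&2; return 1
  fi
  if [ ! -f "$src" ]; then
    echo "refusing: $rel is not a regular file" >&2; return 1
  fi
  sdir=$(cd "$(dirname "$src")" && pwd -P)    # precondition: inside the project
  case "$sdir/" in
    "$project"/*) ;;
    *) echo "refusing: $rel resolves outside the project" >&2; return 1 ;;
  esac
  dest="$vault/guarded/$rel"
  mkdir -p "$(dirname "$dest")"
  mv "$src" "$dest"
  if [ "$mode" = absolute ]; then
    ln -s "$dest" "$src"
  else
    ln -s "$(relpath "$(dirname "$src")" "$dest")" "$src"
  fi
}

# guard_list PROJECT: print every symlink in PROJECT with its link target
guard_list() {
  project=$(cd "$1" && pwd -P)
  find "$project" -type l | sort | while read -r link; do
    printf '%s -> %s\n' "${link#"$project"/}" "$(readlink "$link")"
  done
}

# guard_restore PROJECT VAULT REL: reverse guard_add, only for links into VAULT/guarded
guard_restore() {
  project=$(cd "$1" && pwd -P)
  vault=$(cd "$2" && pwd -P)
  link="$project/$3"
  if [ ! -L "$link" ]; then
    echo "refusing: $3 is not a symlink" >&2; return 1
  fi
  tgt=$(readlink "$link")
  target=$(cd "$(dirname "$link")" && cd "$(dirname "$tgt")" && pwd -P)/$(basename "$tgt")
  case "$target" in
    "$vault"/guarded/*) ;;
    *) echo "refusing: $3 does not point into $vault/guarded" >&2; return 1 ;;
  esac
  rm "$link"
  mv "$target" "$link"
}

# Demo on a throwaway tree (constructed sample data, removed afterwards)
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/myproject/config" "$tmp/vault"
  printf 'api_key: example-not-a-real-key\n' > "$tmp/myproject/config/secrets.yaml"
  guard_add "$tmp/myproject" "$tmp/vault" config/secrets.yaml
  guard_list "$tmp/myproject"    # config/secrets.yaml -> ../../vault/guarded/config/secrets.yaml
  guard_restore "$tmp/myproject" "$tmp/vault" config/secrets.yaml
  rm -rf "$tmp"
}
demo
```

`guard_restore` refuses links that do not resolve into `vault/guarded/`, so a stray symlink in the project cannot be used to pull an arbitrary file into the working tree. `guard_list` is also a quick way to spot dangling links after a vault was deleted or moved.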
## The dot.envrc File

The `dot.envrc` in your vault is the "real" envrc file that your project's `.envrc` symlinks to. It contains:

```bash
# Your original .envrc content preserved here
export EXISTING_VAR=value

#------------------------------- rsenv start --------------------------------
# config.relative = true
# config.version = 2
# state.sentinel = 'myproject-a1b2c3d4'
# state.timestamp = '2024-01-15T10:30:00Z'
# state.sourceDir = '$HOME/myproject'
export RSENV_VAULT=$HOME/.rsenv/vaults/myproject-a1b2c3d4
#-------------------------------- rsenv vars --------------------------------
export RUN_ENV=local
#-------------------------------- rsenv end ---------------------------------
```

The rsenv section has three markers:
| Marker | Purpose |
|---|---|
| `rsenv start` | Beginning of rsenv-managed content |
| `rsenv vars` | Divider between header and variables |
| `rsenv end` | End of rsenv-managed content |
Header (start → vars):

- Managed by `rsenv init vault` and `rsenv init reconnect`
- Contains metadata comments (`config.*`, `state.*`)
- Exports `RSENV_VAULT` path
- Never modified by `rsenv env envrc`

Variables (vars → end):

- Managed by `rsenv env envrc`
- Contains environment exports from your hierarchy
- Replaced entirely on each `rsenv env envrc` call
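The following is an added example and not rsenv's own code: a POSIX shell script that works with the rsenv section purely through its marker lines. `rsenv_meta` reads a header value such as `state.sentinel`, and `update_vars` replaces only the block between the `rsenv vars` and `rsenv end` markers, which is the behaviour described above for `rsenv env envrc`. The marker regexes and the `# key = 'value'` header format are assumptions taken from the file layout shown on this page; the sample file written by `write_sample` and the `prod.vars` content are constructed.

```shell
#!/bin/sh
# Added example (not rsenv's implementation): marker-based read and update of
# the rsenv section in a dot.envrc, leaving everything outside the vars block alone.
set -eu

START_RE='^#-+ rsenv start -+$'   # assumed from the marker lines shown on the page
VARS_RE='^#-+ rsenv vars -+$'
END_RE='^#-+ rsenv end -+$'

# write_sample FILE: constructed dot.envrc in the layout shown on the page
write_sample() {
  cat > "$1" <<'EOF'
# Before the section - always preserved
export PATH="$HOME/bin:$PATH"

#------------------------------- rsenv start --------------------------------
# config.relative = true
# config.version = 2
# state.sentinel = 'myproject-a1b2c3d4'
# state.timestamp = '2024-01-15T10:30:00Z'
# state.sourceDir = '$HOME/myproject'
export RSENV_VAULT=$HOME/.rsenv/vaults/myproject-a1b2c3d4
#-------------------------------- rsenv vars --------------------------------
export RUN_ENV=local
#-------------------------------- rsenv end ---------------------------------

# After the section - always preserved
echo "Environment loaded"
EOF
}

# rsenv_meta FILE KEY: print the value of "# KEY = 'value'" from the header
# (between the start and vars markers), with surrounding single quotes removed.
rsenv_meta() {
  awk -v key="$2" -v start="$START_RE" -v vars="$VARS_RE" -v q="'" '
    $0 ~ start { inhdr = 1; next }
    $0 ~ vars  { inhdr = 0 }
    inhdr && $1 == "#" && $2 == key && $3 == "=" {
      v = $4; gsub("^" q "|" q "$", "", v); print v; exit
    }' "$1"
}

# vars_section FILE: print the lines between the vars and end markers
vars_section() {
  awk -v vars="$VARS_RE" -v end="$END_RE" '
    $0 ~ vars { inside = 1; next }
    $0 ~ end  { inside = 0 }
    inside    { print }
  ' "$1"
}

# update_vars FILE NEWVARS: replace the vars block of FILE with the lines of NEWVARS.
# Content before "rsenv start", the header, and content after "rsenv end" are kept.
# The result is written through FILE (cat >) instead of renaming a temp file over
# it, so when FILE is the project's .envrc symlink it stays a symlink and the
# vault's dot.envrc is what gets updated.
update_vars() {
  file=$1
  newvars=$2
  if ! grep -q 'rsenv vars' "$file" || ! grep -q 'rsenv end' "$file"; then
    echo "no rsenv vars/end markers in $file" >&2
    return 1
  fi
  tmp=$(mktemp)
  awk -v vars="$VARS_RE" -v end="$END_RE" -v src="$newvars" '
    $0 ~ vars { print; while ((getline line < src) > 0) print line; skip = 1; next }
    $0 ~ end  { skip = 0 }
    !skip     { print }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Demo: build the sample vault file, link .envrc to it, switch to prod vars
demo() {
  d=$(mktemp -d)
  write_sample "$d/dot.envrc"
  ln -s dot.envrc "$d/.envrc"
  printf 'export RUN_ENV=prod\nexport DB_URL=postgres://db.internal/app\n' > "$d/prod.vars"
  update_vars "$d/.envrc" "$d/prod.vars"      # through the symlink, as a project would
  echo "sentinel: $(rsenv_meta "$d/dot.envrc" state.sentinel)"   # myproject-a1b2c3d4
  vars_section "$d/dot.envrc"
  rm -rf "$d"
}
demo
```

The marker check in `update_vars` is the part worth keeping in any script that touches these files: without the `rsenv vars` and `rsenv end` lines there is no safe place to write, and blindly appending exports would put secrets outside the managed block.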
You can add your own content outside the rsenv section:

```bash
# Before the section - always preserved
export PATH="$HOME/bin:$PATH"
source ~/.secrets

#------------------------------- rsenv start --------------------------------
# ... rsenv managed - don't edit manually ...
#-------------------------------- rsenv end ---------------------------------

# After the section - always preserved
echo "Environment loaded"
```

Use `rsenv env envrc` to update the vars section:

```bash
# Build hierarchy and write to .envrc
rsenv env envrc path/to/leaf.env

# This only modifies the vars section, preserving:
# - Content before rsenv start
# - Header metadata (start → vars)
# - Content after rsenv end
```

## Vault Location

Default location:

```text
~/.rsenv/vaults/{project-name}-{short-id}/
```
Set in configuration:

```toml
# ~/.config/rsenv/rsenv.toml
base_dir = "~/my-rsenv"   # Vaults stored in base_dir/vaults
```

Or via environment variable:

```bash
export RSENV_BASE_DIR=~/my-rsenv
```

Finding the vault of a project:

```bash
# From within project
echo $RSENV_VAULT

# Or
rsenv info
```

Each project has its own vault:

```text
~/.rsenv/vaults/
├── project-a-12345678/
├── project-b-87654321/
└── project-c-abcdef01/
```

```bash
ls ~/.rsenv/vaults/
```

Vaults are not automatically deleted when you `rsenv init reset`. Manual cleanup:

```bash
# List vaults
ls -la ~/.rsenv/vaults/

# Remove specific vault (after resetting project)
rm -rf ~/.rsenv/vaults/old-project-12345678
```

## Best Practices

Guard sensitive files immediately when creating a project:
```bash
rsenv init vault
rsenv guard add .credentials/api-key
rsenv guard add config/secrets.yaml
```

The vault contains your sensitive files. Back it up securely:

```bash
# Encrypt first
rsenv sops encrypt

# Then backup the vault directory
```

Relative symlinks (default) work better if you move your home directory or use different machines, because a relative link stays valid as long as the project and the vault keep the same position relative to each other:

```bash
# Default behavior - relative
rsenv init vault
rsenv guard add secrets.yaml

# Explicit relative
rsenv init vault   # default is relative
```

Create a README in your vault:
```bash
cat > "$RSENV_VAULT/README.md" << 'EOF'
# Vault for myproject

## Environment Hierarchy
- base.env: Shared settings
- local.env: Local development (inherits base)
- prod.env: Production (inherits base)

## Guarded Files
- config/secrets.yaml: API keys and credentials
- .credentials/db-password: Database password

## Encryption
Encrypted with GPG key: ABC123...
EOF
```

## Troubleshooting

No vault yet:

```bash
# Initialize the vault
rsenv init vault
```

Vault missing or damaged:

```bash
# Check if vault exists
ls -la $RSENV_VAULT

# Reinitialize if needed
rsenv init vault
```

Unexpected vault in use:

```bash
# Check current vault
rsenv info

# Verify symlink target
ls -la .envrc
```

`rsenv guard add` refuses the file:

```bash
# File must be within project directory
# File must not already be a symlink

# Check file status
ls -la path/to/file

# Check project root detection
rsenv info
```

## See Also

- Core Concepts - Understanding vaults conceptually
- Environment Variables - Using the envs/ directory
- SOPS Encryption - Encrypting vault contents
- File Swapping - Using the swap/ directory