Config & Secret Files

Store and manage your repository’s configuration and secret files per project. Every file is stored as a single end-to-end encrypted blob — encrypted in your browser before it reaches the server, and decrypted only on your device. See Encryption & Security for details.

You’ll need to unlock your vault (enter your vault password) to view or edit encrypted file contents. The vault locks automatically after 30 minutes of inactivity.

How Files Are Organized

DepVault mirrors your repository instead of a flat list of variables. The hierarchy is:


Project (your repo)
└── App (one app/service root, identified by its repo-relative path)
    ├── Config files   (.env, appsettings.json, secrets.yaml, config.toml, …)
    └── Secret files   (.pem, .key, credentials.json, keystores, …)

Project — A single repository.
App — A folder within the repo that holds an app or service, identified by its repo-relative path (apps/backend, services/worker, or "" for the repo root). Apps are discovered automatically when you push files from the CLI — DepVault walks up from each file to the nearest project marker (.sln, *.csproj, package.json, go.mod, etc.).
Config / Secret file — Each file is stored as one client-encrypted blob (ciphertext + IV + auth tag). The server never parses files into variables and never sees plaintext.

Environments

Every file carries an environment slug — an open-set string such as base, dev, prod, staging, local, test, or any custom value you like (qa, eu-west-1, …). The slug is inferred from the filename when you push (appsettings.Production.json → prod, .env.local → local, a bare .env → base). It is a plain column on the file, not a tag and not a separate record.

Repository Browser

Open a project and go to the repository view. The layout has three regions:

Apps sidebar — Lists every app, grouped by repo path. Select one to view its files.
Environment selector — Tabs across the top: All environments plus one tab per environment slug present in the app. Filters the file lists below.
File panels — Config files (with an editor) and secret files (as a table) for the selected app and environment.

If a project has no apps yet, the view prompts you to push config and secret files with the DepVault CLI.

Editing Config Files

Select a config file to open it in the editor. Plaintext files are editable in-browser, GitHub-style, with two views:

View	What it shows
Form	A key/value table for dotenv-style files. Edit values inline without touching syntax. Available for `.env`-style formats.
Raw	A CodeMirror code editor with syntax highlighting. Available for every text file (the only view for JSON/YAML/TOML).

Edits in either view update the same underlying text. When you have unsaved changes, click Review & Save to see a git-style diff of your edit before committing it, then save. Each save snapshots a new version.

Binary files are download-only — they cannot be edited in the browser. Use the Download button to decrypt and save the file locally.

Secret Files

Secret files (certificates, keys, credentials, keystores) appear in a table below the config editor, showing path, environment, MIME type, size, and last-updated date. See the Secret Files guide for the full workflow.

Download decrypts the blob in your browser and saves the original bytes.
Plaintext secret files can be edited in a raw text dialog; binary secret files are download-only.
Deleting a file permanently removes it and its version history.

Version History & Diff

Every push or web save snapshots the full encrypted blob as a new version. Open a config file’s History tab to:

Compare any version against the current contents. DepVault decrypts both blobs in your browser and renders a git-style side-by-side diff — the server never sees plaintext.
Restore any version to make it the current file. The restored content becomes a new version; nothing is lost.

Binary files are versioned too, but show a placeholder instead of a text diff.

Role-Based Access

Role	View file list	Decrypt & download	Edit / delete files
Owner / Editor	Yes	Yes	Yes
Viewer	Yes	No	No

CLI

The CLI treats files as whole blobs — it never parses them into variables.


# Push all discovered config & secret files (interactive multi-select)
depvault push
 
# Push a single file
depvault push --file apps/backend/.env
 
# Restore every file byte-for-byte to its original path
depvault pull

push infers each file’s app (nearest project marker) and environment slug (from the filename) automatically — there are no --vault or --tag flags. pull is byte-faithful: it writes each file verbatim to its original repo-relative path, recreating directories as needed. See the Pull & Push reference for all flags.