Secret Files
Store sensitive non-config files — certificates, keys, credentials, keystores — alongside your repository. Each file is end-to-end encrypted and stored as a single blob. See Encryption & Security for details.
Supported File Types
Any file up to 25 MB. Common examples:
| File Type | Examples |
|---|---|
| SSL/TLS Certificates | .pem, .crt, .cer, .p12, .pfx |
| Private Keys | .key, .pem |
| Keystores | .jks, .keystore, .p12 |
| Cloud Credentials | credentials.json, serviceAccountKey.json |
| SSH/GPG Keys | id_rsa, id_ed25519, .gpg, .asc |
Both text and binary files are supported. Text files can be edited in the browser; binary files are download-only.
How Secret Files Are Stored
Each secret file is encrypted in your browser (or the CLI) and uploaded as one blob — ciphertext, IV, and auth tag. The server stores only the blob and metadata (the file’s repo-relative path, owning app, environment slug, MIME type, and size). It never decrypts the contents.
Files belong to an app and carry an environment slug (base, dev, prod, …), exactly like config files. Switch apps and environment tabs in the repository view to see each file list.
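The single-blob format described in this section, as an added example that is not DepVault's own code. The page does not name the cipher or the blob layout, so AES-256-GCM, a 12-byte IV, a 16-byte tag, the `IV || ciphertext || tag` ordering, and the metadata field names are all assumptions.

```javascript
// Added illustration, not DepVault's code. Assumed: AES-256-GCM, 12-byte IV,
// 16-byte auth tag, blob layout IV || ciphertext || tag.
const nodeCrypto = require("node:crypto");

const IV_LEN = 12;
const TAG_LEN = 16;

// Client side: encrypt the file bytes and pack everything into one blob.
function sealFile(key, plaintext) {
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh IV for every version
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, ciphertext, cipher.getAuthTag()]);
}

// Client side: unpack and decrypt; null means the blob or key failed the tag check.
function openFile(key, blob) {
  if (blob.length < IV_LEN + TAG_LEN) return null; // truncated blob
  const iv = blob.subarray(0, IV_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const ciphertext = blob.subarray(IV_LEN, blob.length - TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
  } catch {
    return null; // modified blob or wrong key
  }
}

// Constructed sample: a small binary file with NUL and high bytes.
function demo() {
  const key = nodeCrypto.randomBytes(32); // never leaves the client
  const original = Buffer.from([0x30, 0x82, 0x00, 0xff, 0x0a, 0x0d, 0x80, 0x01]);
  // What the server would hold: opaque blob plus metadata (hypothetical field names).
  const record = {
    path: "certs/example.p12", app: "api", environment: "prod",
    mimeType: "application/x-pkcs12", size: original.length,
    blob: sealFile(key, original),
  };
  const tampered = Buffer.from(record.blob);
  tampered[IV_LEN] ^= 0x01; // flip one ciphertext bit
  return {
    roundTrip: openFile(key, record.blob).equals(original),
    tamperedResult: openFile(key, tampered),
    leaksPlaintext: record.blob.includes(original),
  };
}
```

A failed tag check returns `null` rather than partial plaintext, so a blob altered in storage or transit is never written to disk as if it were the original file.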
Uploading a File
The simplest path is the CLI, which discovers secret files and uploads them in one step:
```
depvault push
```
Each file’s app and environment slug are inferred from its path and name. You can also upload from the repository view in the web app, where new secret files are attached to the selected app and environment.
Editing and Downloading
- Download decrypts the blob in your browser and saves the original bytes verbatim — binary files are restored byte-for-byte.
- Edit is available for plaintext secret files via a raw text dialog. Binary files are download-only.
- Delete permanently removes the file and its version history.
| Role | Upload | Download | Edit / Delete |
|---|---|---|---|
| Owner / Editor | Yes | Yes | Yes |
| Viewer | No | No | No |
Viewers can see file names and metadata but cannot decrypt contents.
Version History
Every push or web save snapshots the full encrypted blob as a new version. Open a file’s history to browse versions and restore any one to make it current — previous versions are retained.
Restoring to Disk
Run depvault pull to restore secret files. Each file is decrypted client-side and written byte-for-byte to its original relativePath, recreating any intermediate directories:
```
depvault pull
```
To skip secret files and restore only config files, use depvault pull --include-secrets false. See the Pull & Push reference for all options.