Security

Axion employs a client-side zero-knowledge architecture with industry-standard cryptography.

Encryption

Component	Implementation
Encryption	AES-256-GCM (authenticated encryption)
Key Derivation	Argon2id (64 MiB memory, 3 iterations, 4 parallelism)
Project Key	128-bit random key
Salt	256-bit random salt per encryption
IV	128-bit random IV per encryption
Format	Versioned for future algorithm upgrades

How It Works

Key Storage

Your project key is stored at:

.dotset/axion/key

This file contains your encryption key. Add it to .gitignore and back it up securely.

Protected Keys

Configure write-only secrets in axion.config.yaml:

protected_keys:
  - STRIPE_SECRET_KEY
  - DATABASE_PASSWORD

Protected keys:

Can be set but not revealed
Cannot be exported
Cannot be viewed with --reveal

Validation Patterns

Enforce secret formats:

validation:
  DATABASE_URL: "^postgres://"
  API_KEY: "^sk-[a-z0-9]{32}$"

Key Rotation

Rotate your encryption key:

axn rotate

This:

Generates a new key
Re-encrypts all secrets
Invalidates the old key

Key Recovery

Set up recovery before you need it:

# Create recovery blob
axn recovery setup

# Restore if key is lost
axn recovery restore

Audit Logs

Track all secret access (Pro/Business):

axn audit

Shows:

Who accessed secrets
When and from where
What operations were performed

Best Practices

Gitignore

Add .dotset/axion/key to .gitignore

Backup

Back up your key to a password manager

Rotate

Rotate keys periodically or after team changes

Protect

Mark sensitive keys as protected

Axion

​Security

​Encryption

​How It Works

​Key Storage

​Protected Keys

​Validation Patterns

​Key Rotation

​Key Recovery

​Audit Logs

​Best Practices

Gitignore

Backup

Rotate

Protect

Security

Encryption

How It Works

Key Storage

Protected Keys

Validation Patterns

Key Rotation

Key Recovery

Audit Logs

Best Practices