Encryption & Security

Shield uses industry-standard cryptography to protect your secrets.

Encryption Algorithm

AES-256-GCM (Galois/Counter Mode)
  • 256-bit key length
  • Authenticated encryption
  • Prevents tampering

Key Derivation

Argon2id — Winner of the Password Hashing Competition

Parameters:
  • Memory: 64 MB
  • Iterations: 3
  • Parallelism: 4
These settings are resistant to GPU and ASIC attacks.

How It Works

┌─────────────────────────────────────────────────────┐
│  Your Secret: "sk-abc123..."                        │
│                    │                                │
│                    ▼                                │
│  ┌────────────────────────────────────┐            │
│  │  Argon2id Key Derivation           │            │
│  │  (from .dotset/key)                │            │
│  └────────────────────────────────────┘            │
│                    │                                │
│                    ▼                                │
│  ┌────────────────────────────────────┐            │
│  │  AES-256-GCM Encryption            │            │
│  │  + Random IV                       │            │
│  │  + Authentication Tag              │            │
│  └────────────────────────────────────┘            │
│                    │                                │
│                    ▼                                │
│  Encrypted: "aes256-gcm:iv:ciphertext:tag"         │
└─────────────────────────────────────────────────────┘
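The pipeline in the diagram, carried through in code, as an added example that is not part of the dotset project or its documentation. It derives a 32-byte key from the contents of `.dotset/key` with the Argon2id parameters listed above (64 MB, 3 iterations, parallelism 4), encrypts with AES-256-GCM under a fresh random IV, and serializes to the `aes256-gcm:iv:ciphertext:tag` layout; decryption refuses any blob whose ciphertext or tag has been altered. The page does not state the salt handling, the hex encoding of the fields, or the 12-byte IV length; those are assumptions. Where the installed `cryptography` build has no Argon2id (it needs version 43+ on OpenSSL 3.2+), the example substitutes scrypt so it still runs, and says so in the code.

```python
"""Illustration of Shield's described pipeline (not the project's own code):
Argon2id-derived key -> AES-256-GCM with random IV -> "aes256-gcm:iv:ct:tag".
Salt handling, hex encoding and the 12-byte IV are assumptions."""
import hashlib
import os

from cryptography.exceptions import InvalidTag, UnsupportedAlgorithm
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Argon2id parameters as stated on the page.
ARGON2_MEMORY_KIB = 64 * 1024   # 64 MB
ARGON2_ITERATIONS = 3
ARGON2_PARALLELISM = 4
KEY_LEN = 32                    # AES-256 key
IV_LEN = 12                     # assumption: standard 96-bit GCM nonce
TAG_LEN = 16                    # GCM authentication tag


def derive_key(key_file_bytes: bytes, salt: bytes) -> bytes:
    """Derive the AES key from the raw bytes of .dotset/key (salt is an assumption)."""
    try:
        from cryptography.hazmat.primitives.kdf.argon2 import Argon2id
        kdf = Argon2id(salt=salt, length=KEY_LEN, iterations=ARGON2_ITERATIONS,
                       lanes=ARGON2_PARALLELISM, memory_cost=ARGON2_MEMORY_KIB)
        return kdf.derive(key_file_bytes)
    except (ImportError, UnsupportedAlgorithm):
        # Stand-in only: scrypt is also memory-hard, but it is NOT what Shield uses.
        return hashlib.scrypt(key_file_bytes, salt=salt, n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def encrypt_secret(plaintext: str, key: bytes) -> str:
    """Encrypt one secret value; every call draws a new random IV."""
    iv = os.urandom(IV_LEN)
    sealed = AESGCM(key).encrypt(iv, plaintext.encode("utf-8"), None)
    ciphertext, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]   # AESGCM appends the tag
    return "aes256-gcm:%s:%s:%s" % (iv.hex(), ciphertext.hex(), tag.hex())


def decrypt_secret(blob: str, key: bytes) -> str:
    """Parse the serialized form and decrypt; raises ValueError on any tampering."""
    scheme, iv_hex, ct_hex, tag_hex = blob.split(":")
    if scheme != "aes256-gcm":
        raise ValueError("unknown scheme: " + scheme)
    try:
        iv, ct, tag = bytes.fromhex(iv_hex), bytes.fromhex(ct_hex), bytes.fromhex(tag_hex)
        return AESGCM(key).decrypt(iv, ct + tag, None).decode("utf-8")
    except InvalidTag:
        raise ValueError("authentication failed: blob modified or wrong key") from None


def decrypts(blob: str, key: bytes) -> bool:
    """True when the blob authenticates and decrypts under this key."""
    try:
        decrypt_secret(blob, key)
        return True
    except ValueError:
        return False


def tamper_is_detected(blob: str, key: bytes) -> bool:
    """Flip one bit of the ciphertext field (or the tag, if the ciphertext is empty)
    and confirm that decryption rejects the modified blob."""
    scheme, iv_hex, ct_hex, tag_hex = blob.split(":")
    ct, tag = bytearray(bytes.fromhex(ct_hex)), bytearray(bytes.fromhex(tag_hex))
    if ct:
        ct[0] ^= 0x01
    else:
        tag[0] ^= 0x01
    return not decrypts(":".join([scheme, iv_hex, ct.hex(), tag.hex()]), key)


def demo():
    # Constructed stand-ins: a random key file and a per-manifest salt.
    key_file = os.urandom(32)
    salt = os.urandom(16)
    key = derive_key(key_file, salt)
    blob = encrypt_secret("sk-abc123...", key)
    return decrypt_secret(blob, key), tamper_is_detected(blob, key)


if __name__ == "__main__":
    print(demo())
```

Two properties worth checking against the diagram: the same key file and salt always derive the same key (so the manifest stays readable across runs), while encrypting the same value twice yields two different blobs because the IV is random each time, so identical secrets are not recognisable as identical in the manifest.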

File Security

| File | Contains | Commit? |
| --- | --- | --- |
| .dotset/key | Random bytes | Never |
| .dotset/manifest.json | Encrypted blobs | Yes |

Zero-Knowledge Architecture

  1. Local encryption only — We never see your plaintext secrets
  2. Client-side keys — Your key never leaves your machine
  3. Encrypted sync — Cloud stores only encrypted blobs

Cloud Security

When using cloud sync:
  • TLS 1.3 in transit
  • AES-256 at rest
  • SOC 2 Type II infrastructure
  • Regular security audits

Threat Model

Shield protects against:

| Threat | Protection |
| --- | --- |
| Log exposure | Real-time redaction |
| Manifest theft | AES-256 encryption |
| Brute force | Argon2id key derivation |
| Tampering | GCM authentication |

Key Rotation

To rotate your encryption key for the native provider:
# Export current secrets (keys only)
dotset secrets list

# Reinitialize with a fresh key
rm -rf .dotset
dotset secrets init

# Re-add secrets
dotset secrets set KEY "value"

Other Providers

Secrets pulled from external providers like AWS Secrets Manager, Environment Variables, or .env files are:
  1. Never stored in plaintext by Shield.
  2. Processed in-memory only during the execution of dotset run.
  3. Automatically tracked by the redaction engine.
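An added example of the redaction behaviour that the Threat Model row "Log exposure / Real-time redaction" and item 3 above refer to; it is not the dotset project's code, and the page does not describe how Shield's engine matches values. The approach shown (register every value as it is pulled from a provider, then scrub exact occurrences from output lines, longest value first, ignoring values shorter than 8 characters) and the `[REDACTED]` placeholder are assumptions made for the illustration.

```python
"""Illustration of provider-tracked log redaction (not the project's own code).
Matching strategy, placeholder text and the minimum length are assumptions."""
import re

REDACTED = "[REDACTED]"
MIN_SECRET_LEN = 8   # assumption: very short values would redact ordinary words


class Redactor:
    """Tracks secret values as a provider loads them and scrubs every later
    occurrence from text passed through redact()."""

    def __init__(self):
        self._values = set()
        self._pattern = None

    def track(self, value: str) -> None:
        """Register a value pulled from a provider (env var, .env file, ...)."""
        if value and len(value) >= MIN_SECRET_LEN:
            self._values.add(value)
            self._pattern = None   # rebuilt lazily on next redact()

    def _compile(self) -> None:
        # Longest first, so a secret that contains a shorter one is replaced whole;
        # re.escape keeps metacharacters in values from becoming regex syntax.
        ordered = sorted(self._values, key=len, reverse=True)
        self._pattern = re.compile("|".join(re.escape(v) for v in ordered))

    def redact(self, text: str) -> str:
        if not self._values:
            return text
        if self._pattern is None:
            self._compile()
        return self._pattern.sub(REDACTED, text)


def load_from_env(redactor: Redactor, env: dict) -> dict:
    """Simulates the Environment Variables provider: every value is tracked
    before the wrapped process gets a chance to print it."""
    for value in env.values():
        redactor.track(value)
    return dict(env)


def demo():
    # Constructed provider values and log lines; none of these are real.
    env = {"API_KEY": "sk-abc123-constructed-example", "DB_PASS": "hunter2hunter2"}
    redactor = Redactor()
    load_from_env(redactor, env)
    lines = [
        "connecting with token sk-abc123-constructed-example to api.example",
        "db auth: user=app pass=hunter2hunter2",
        "nothing secret on this line",
    ]
    return [redactor.redact(line) for line in lines]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Exact-value matching only catches a secret that appears verbatim; a value that a program logs base64-encoded or split across two lines would pass through, so a production engine needs to track derived encodings as well. That is a limitation of this illustration, not a statement about Shield's own engine.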