EnvVaultWorkflows
Encrypted Backups
Passphrase-encrypted metadata-only and explicit full-secret backup modes.
Modes
| Mode | Includes raw secrets |
|---|---|
| Metadata | No. Includes project metadata, notes, excluded paths, snapshots, profile/import sync metadata, and audit entries. |
| Full | Yes. Explicit mode that resolves current env-file and runtime-profile secrets, encrypts them in the backup file, and restores them into Keychain on import. |
Encryption
Backups are passphrase-encrypted with PBKDF2 and AES-GCM before being written to disk.
Restore behavior
- Metadata backups restore metadata without raw secret values.
- Full backups restore included secrets into the target Mac Keychain with fresh references.
- Restored projects are normalized to the current runtime data model.