Secrets Vault

Project Summary

Field             Value
PRJ ID            PRJ-INFRA-012
Owner             Evan Rosado
Priority          P0 (Critical)
Status            Active
Repository        ~/.secrets (git-tracked, Age-encrypted, 4 remotes)
Category          Infrastructure / Security
2026 Commits      153
Encryption        Age (ChaCha20-Poly1305) + LUKS full-disk
Encrypted Files   177 .age files across 6 categories
Tooling           dsec CLI, shell-security integration (zsh/bash/fish)
Remotes           GitHub (primary), GitLab, Gitea, Codeberg
Offline Backups   M2 SSD, 2x Seagate offsite, Borg

Purpose

The secrets vault (~/.secrets) is the centralized encrypted credential store for all personal and client infrastructure. It holds Age-encrypted environment files, SSH key backups, GPG key backups, LUKS volume headers, PKI certificates, and sensitive documents — 177 encrypted files organized by opaque domain IDs (d000, d001+) with multi-tier separation (dev, lab, staging, production).

This project tracks the vault’s architecture, security posture, and operational improvements. The companion project domus-secrets-ops documents the tooling and procedures; this project tracks the vault itself.

Scope

In Scope

  • Vault architecture: domain/tier/category hierarchy, opaque ID scheme

  • Encryption posture: Age file encryption, LUKS full-disk, key management

  • Credential inventory: 177 .age files across environments, SSH, GPG, certs, LUKS headers, documents

  • Backup strategy: 4 git remotes + M2 SSD + 2x Seagate offsite + Borg

  • Master key lifecycle: generation, storage, offline backup, recovery testing

  • Security reviews and architecture audits

  • Shell integration: history protection, dsec-load, dsec unsource

  • Leak prevention: gitleaks scanning, .gitignore coverage

  • Operational hygiene: commit conventions, rotation tracking, retention
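A minimal version of the leak-prevention check listed above, written here as an added example (not the project's dsec tooling or gitleaks config): it walks a vault tree and flags any file that is neither on a small plaintext allowlist nor a genuine Age ciphertext, since a ".age" suffix alone does not prove a file was encrypted. The Age header string is the real one from the age format; the allowlist and the sample tree are constructed assumptions.

```sh
#!/bin/sh
# Added example, not part of the ~/.secrets project itself.
# Every file in the tree must be Age-encrypted unless explicitly allowlisted,
# so a plaintext secret saved next to its .age twin never reaches a remote.

AGE_HEADER='age-encryption.org/v1'          # first line of every age file
ALLOWLIST='.gitignore .gitattributes README.md'  # hypothetical plaintext files

# vault_check DIR: print each offending path; return 0 if clean, 1 otherwise.
# Paths are assumed to contain no whitespace (true for opaque IDs like d000).
vault_check() {
  dir=$1; bad=0
  for f in $(cd "$dir" && find . -type f ! -path './.git/*' | sed 's|^\./||'); do
    case " $ALLOWLIST " in *" $f "*) continue;; esac
    case "$f" in
      *.age)
        # suffix is not proof: verify the ciphertext header bytes
        if [ "$(head -c ${#AGE_HEADER} "$dir/$f")" != "$AGE_HEADER" ]; then
          echo "BAD HEADER: $f"; bad=1
        fi;;
      *) echo "PLAINTEXT: $f"; bad=1;;
    esac
  done
  return $bad
}

# make_sample: constructed vault tree with one good file and two defects
make_sample() {
  t=$(mktemp -d); mkdir -p "$t/d000/dev" "$t/d001/production"
  printf 'age-encryption.org/v1\n-> X25519 placeholder\n' > "$t/d000/dev/env.age"
  printf 'DB_PASSWORD=example\n' > "$t/d001/production/env"        # leaked plaintext
  printf 'not really encrypted\n' > "$t/d001/production/tls.age"   # wrong header
  printf '*.env\n' > "$t/.gitignore"                                # allowlisted
  echo "$t"
}
```

In the real vault, feed `git ls-files` output instead of `find` so only tracked files are judged, and wire the check into a pre-commit or pre-push hook.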

Out of Scope

  • dsec CLI development and documentation (covered by domus-secrets-ops)

  • HashiCorp Vault server deployment (covered by infra-ops)

  • gopass store architecture (covered by domus-secrets-ops)

Status

Indicator          Detail
Activity Level     Active — 153 commits in 2026, daily use
Maturity           Production — Age + LUKS + 4-remote + offline backups operational
Last Activity      2026-04-06
Key Milestone      Architecture review completed (April 2026)
Deployment Status  Operational across 2 workstations (Razer primary, P16g secondary)

Metadata

Field          Value
PRJ ID         PRJ-INFRA-012
Author         Evan Rosado
Date Created   2025-12-01
Last Updated   2026-04-06
Status         Active
Category       Infrastructure / Security
Priority       P0 (Critical)
Next Review    2026-05-01