Quick Reference

Command                     Description
dsource d000 dev/network    Load secrets (safe wrapper)
dsunsource                  Clear ALL loaded secrets
ds d000 dev                 Short alias for dsource
dsu                         Short alias for dsunsource

Domain Access Control (Who Can Access What)

Domain           Access                                        Restrict
d000 (yours)     FULL access to everything                     N/A
d001+ (clients)  All standard tiers (lab, dev, staging, prod)  DSEC_ALLOWED_TIERS="lab"

# Your stuff - always works
dsec show d000 dev/network      # ✓

# Client stuff - all standard tiers allowed
dsec show d001 dev/network      # ✓
dsec show d001 prod             # ✓

# Restrict to lab-only if needed
DSEC_ALLOWED_TIERS="lab" dsec show d001 prod   # ✗ BLOCKED

dsec Commands (Direct)

Command                         Description
dsec list                       List all domains and tiers
dsec init d002 "Client"         Initialize new domain
dsec add d001 prod file.env     Add secrets from file
dsec edit d000 dev/network      Edit encrypted file
dsec show d000 dev/network      Display decrypted content
dsec load d001 prod ~/project/  Load to project directory
dsec unload ~/project/          Securely remove .env
dsec shell-init >> ~/.zshrc     Install shell wrappers
dsec set-passphrase             Enable passphrase protection

dsec Utility Commands (v2.0.0+)

Command                 Description
dsec status             Show secrets status (domains, loaded env)
dsec verify             Verify all files decrypt correctly
dsec tree               Display domain/environment tree
dsec count              Count secrets across domains
dsec backup ~/backup/   Backup entire secrets directory
dsec version            Show version and codename

Vault Commands

Command                       Description
vault-manager mount NAME      Mount gocryptfs vault
vault-manager unmount NAME    Unmount vault
vault-manager status          Show vault status
vault-manager unmount-all     Unmount all vaults

LUKS Commands

Command        Description
luks-mount     Open and mount LUKS drive
luks-umount    Unmount and close LUKS
luks-backup    Backup to cold storage

SSH Commands

Command                        Description
ssh hostname                   Connect to host
ssh -v hostname                Verbose connection
ssh-keygen -K                  Export YubiKey resident keys
ssh-keygen -lf key.pub         Show key fingerprint
ssh-copy-id -i key.pub host    Deploy key to host

YubiKey Commands

Command                        Description
ykman info                     Show YubiKey status
ykman fido info                FIDO2 status
ykman fido credentials list    List FIDO2 credentials
ykman fido access change-pin   Change FIDO2 PIN

gopass Commands

Command                    Description
gopass show path           Display password
gopass -c path             Copy to clipboard
gopass generate path 32    Generate new password
gopass edit path           Edit password entry
gopass ls                  List all entries
gopass sync                Sync with git remote

Age Commands

Command                           Description
age -e -r PUBKEY -o out.age in    Encrypt file
age -d -i key.txt -o out in.age   Decrypt file
age-keygen -o key.txt             Generate new identity

SSL/TLS Certificate Extraction

Extract self-signed certificates from services for verification:

# Extract cert (creates dir if missing, skips if exists)
CERT=~/.secrets/certs/<domain>/ise_dataconnect.crt
[ -f "$CERT" ] || {
  mkdir -p "$(dirname "$CERT")" && \
  echo | openssl s_client -connect host:port 2>&1 | \
  sed -n '/BEGIN CERT/,/END CERT/p' > "$CERT"
}

Command                                    Description
openssl s_client -connect host:port        Connect and show cert chain
openssl x509 -in cert.crt -text -noout     Display cert details
openssl x509 -in cert.crt -noout -dates    Check expiry dates
openssl verify cert.crt                    Verify against system CA store

Common Ports

Service           Port   Example
ISE DataConnect   2484   smnt.ise.example.com:2484
ISE ERS API       9060   ise-pan.example.com:9060
ISE Admin GUI     443    ise-pan.example.com:443
LDAPS             636    dc.example.com:636

Secrets Integration

Add extracted cert to network.env:

@ISE_DATACONNECT_CA = ~/.secrets/certs/<domain>/ise_dataconnect.crt
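The extraction snippet above saves whatever certificate the service presents on first contact, and a self-signed certificate cannot be checked with `openssl verify` against the system CA store. The check a practitioner wants before wiring the file into network.env is to pin its SHA-256 fingerprint against a value obtained out of band and to confirm it is not about to expire. The following is an added example, not a script from this reference or from the dsec toolset; `cert_fingerprint` and `cert_check` are hypothetical names, and it assumes `openssl` is on the PATH.

```sh
#!/bin/sh
# Added example: pin and validity-check a saved PEM certificate.
# Usage: cert_check FILE EXPECTED_SHA256_FINGERPRINT [MIN_DAYS]
# Exit codes: 0 ok, 1 fingerprint mismatch, 2 unreadable file,
#             3 certificate expires within MIN_DAYS (default 30).

# SHA-256 fingerprint of the first certificate in a PEM file,
# as colon-separated hex (the text before '=' is stripped).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

cert_check() {
  cert="$1"
  expected="$2"
  min_days="${3:-30}"

  [ -f "$cert" ] || { echo "cert_check: missing file: $cert" >&2; return 2; }

  actual=$(cert_fingerprint "$cert") || return 2
  [ -n "$actual" ] || { echo "cert_check: not a certificate: $cert" >&2; return 2; }

  # Compare against the fingerprint obtained out of band (hypothetical
  # expected value passed by the caller); case-insensitive.
  if [ "$(printf '%s' "$actual" | tr 'a-f' 'A-F')" != \
       "$(printf '%s' "$expected" | tr 'a-f' 'A-F')" ]; then
    echo "cert_check: fingerprint mismatch for $cert" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi

  # -checkend exits non-zero when the certificate expires within N seconds.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "cert_check: $cert expires within $min_days days" >&2
    return 3
  fi
  return 0
}
```

Run `cert_check ~/.secrets/certs/<domain>/ise_dataconnect.crt "<expected fingerprint>"` after the extraction step; a non-zero exit is the signal to stop and re-confirm the fingerprint with the service owner rather than add the path to network.env.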

gocryptfs Commands

Command                    Description
gocryptfs -init DIR        Initialize new vault
gocryptfs CIPHER MOUNT     Mount vault
fusermount -u MOUNT        Unmount vault
mount | grep gocryptfs     List mounted vaults

LUKS Direct Commands

Command                         Description
cryptsetup luksOpen DEV NAME    Open LUKS container
cryptsetup luksClose NAME       Close LUKS container
cryptsetup luksFormat DEV       Create LUKS container
cryptsetup luksHeaderBackup     Backup LUKS header

File Locations

Path                              Contents
~/.secrets/                       Age-encrypted hot storage
~/.secrets/bin/                   Custom scripts (dsec, age-edit, etc.)
~/.secrets/.metadata/keys/        Age identity (master.age.key)
~/.secrets/environments/domains/  Domain secrets (d000, d001, ...)
~/.ssh/                           SSH keys and config
~/atelier/_vaults/                gocryptfs encrypted vaults
~/mnt/                            Vault mount points

Key Files

File                                           Purpose
~/.secrets/.metadata/keys/master.age.key       Age identity (CRITICAL - never commit)
~/.secrets/environments/domains/.registry.age  Domain registry mapping
~/.ssh/id_ed25519_sk_rk_d000                   YubiKey SSH key handle
~/atelier/_vaults/*/gocryptfs.conf             Vault master keys (CRITICAL)
~/.gnupg/                                      GPG keyring