Tools Overview

dsec - Domain Secrets Manager

The primary tool for managing Age-encrypted secrets across multiple domains.

Location: ~/.secrets/bin/dsec

Quick Start

# First-time setup: install shell wrappers
dsec shell-init >> ~/.zshrc && source ~/.zshrc

# Load secrets (recommended method)
dsource d000 dev/network

# Clear secrets when done
dsunsource

Key Features

  • Domain isolation - d000 for personal, d001+ for clients

  • Nested tiers - dev/network, prod/app for fine-grained control

  • Shell wrappers - dsource/dsunsource for safe loading

  • Security modes - Strict (default) prevents accidental exposure

  • Passphrase protection - Optional extra authentication layer

See dsec - Full Documentation for complete reference.

age-edit

Interactive editor for Age-encrypted files.

# Edit in $EDITOR
age-edit ~/.secrets/d000/credentials.age

age-sync-meta

Extracts YAML frontmatter from .age files into .meta.md sidecars for Obsidian/tool indexing, and maintains a .bases index file tracking all encrypted files.

Why Use This

  • Obsidian integration - Metadata visible without decryption

  • Search/indexing - Tags, titles, dates searchable in plaintext

  • Audit trail - .bases tracks all encrypted files with timestamps

Usage

# Sync current directory
age-sync-meta .

# Sync recursively
age-sync-meta -r /path/to/docs

# Single file
age-sync-meta document.md.age

# Only update .bases (skip meta extraction)
age-sync-meta -b

# Clean orphaned .meta.md files (no matching .age)
age-sync-meta -c

Output Files

File        Purpose
*.meta.md   YAML frontmatter + encrypted_source reference
.bases      YAML index of all .age files with sizes/timestamps

Example

$ age-sync-meta .
✓ Synced: CNV-2026-01-22-001.meta.md
✓ Updated: ./.bases (5 files)

$ cat CNV-2026-01-22-001.meta.md
---
title: "My Document"
tags: [linux, security]
encrypted_source: "CNV-2026-01-22-001.md.age"
---
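
Because the sidecars are plaintext, it is worth auditing them before a vault is synced or shared. The script below is an added example, not part of the age-sync-meta tooling. It assumes the sidecar layout shown above, with encrypted_source naming a file in the same directory. The function names and the list of sensitive key names are hypothetical.

```shell
#!/bin/sh
# Added example: audit plaintext .meta.md sidecars that sit next to .age files.
# Assumption: each sidecar holds YAML frontmatter between '---' lines with an
# encrypted_source key naming a file in the same directory (layout shown above).

# Print the frontmatter lines (between the first pair of '---') of a sidecar.
meta_frontmatter() {
    awk '/^---[ \t\r]*$/ { n++; next } n == 1 { print } n >= 2 { exit }' "$1"
}

# Print the encrypted_source value of a sidecar with surrounding quotes removed.
meta_source() {
    meta_frontmatter "$1" | awk -F': *' '
        $1 == "encrypted_source" { gsub(/^"|"[ \t\r]*$/, "", $2); print $2; exit }'
}

# audit_sidecars DIR
# Prints one finding per line:
#   ORPHAN <sidecar>                sidecar whose .age source is missing
#   SENSITIVE-KEY <sidecar>: <key>  frontmatter key that suggests a secret
# The key-name pattern is illustrative; extend it to match local conventions.
audit_sidecars() (
    find "$1" -type f -name '*.meta.md' | sort | while IFS= read -r meta; do
        src=$(meta_source "$meta")
        if [ -z "$src" ] || [ ! -f "$(dirname "$meta")/$src" ]; then
            echo "ORPHAN $meta"
        fi
        meta_frontmatter "$meta" |
            grep -Eio '^[a-z0-9_-]*(password|passphrase|secret|token|api[_-]?key)[a-z0-9_-]*:' |
            while IFS= read -r key; do
                echo "SENSITIVE-KEY $meta: ${key%:}"
            done
    done
)

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_sidecars "$1"
fi
```

An ORPHAN line marks a sidecar that still exposes metadata for a file that no longer exists; age-sync-meta -c removes those.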

vault-manager

Manages gocryptfs vault lifecycle.

# Mount vault
vault-manager mount credentials

# Unmount vault
vault-manager unmount credentials

# List mounted vaults
vault-manager status

See Vault Manager for details.

LUKS Scripts

Automation for cold storage operations.

  • luks-mount - Open and mount LUKS container

  • luks-umount - Unmount and close LUKS container

  • luks-backup - Perform backup to cold storage

See LUKS Scripts for details.

gopass Integration

Password store with GPG encryption, managed with gopass. The store lives at ~/.password-store/.

# Get a password
gopass show ADMINISTRATIO/servers/synology

# Generate new password
gopass generate ADMINISTRATIO/servers/newservice 32

# Edit password
gopass edit ARCANA/api/cloudflare

# List all entries
gopass ls

Store Structure

~/.password-store/
├── ADMINISTRATIO/    # Servers, devices, network
├── ARCANA/           # SSH keys, API tokens, crypto
├── COMMERCIA/        # Banking, licenses, vendors
└── PERSONAE/         # Email, identity documents