Tools Overview

dsec - Domain Secrets Manager

The primary tool for managing Age-encrypted secrets across multiple domains.

Location: ~/.secrets/bin/dsec

Quick Start

# First-time setup: install shell wrappers
dsec shell-init >> ~/.zshrc && source ~/.zshrc

# Load secrets (recommended method)
dsource d000 dev/network

# Clear secrets when done
dsunsource

Key Features

  • Domain isolation - d000 for personal, d001+ for clients

  • Nested tiers - dev/network, prod/app for fine-grained control

  • Shell wrappers - dsource/dsunsource for safe loading

  • Security modes - Strict (default) prevents accidental exposure

  • Passphrase protection - Optional extra authentication layer

See dsec - Full Documentation for complete reference.
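As an added example (not dsec's own code), here is a minimal dsource/dsunsource pair in POSIX shell showing the safe-loading pattern behind the wrappers: decrypt into memory only, export nothing but well-formed NAME=value lines, remember what was exported so it can be removed exactly, and refuse to stack a second domain on top of a loaded one (the strict behaviour). The file layout `$DSEC_ROOT/<domain>/<tier>.age`, the NAME=value payload format, the identity file path and the `DSEC_DECRYPT` hook are assumptions; dsec's real layout and modes may differ.

```shell
#!/bin/sh
# Added example, not the dsec source: a minimal dsource/dsunsource pair that
# shows the "safe loading" pattern behind the shell wrappers.
#
# Assumptions (not taken from the page):
#   - secrets live at $DSEC_ROOT/<domain>/<tier>.age (e.g. ~/.secrets/d000/dev/network.age)
#   - the decrypted payload is NAME=value lines; blank lines and '#' comments are allowed
#   - DSEC_DECRYPT decrypts one file to stdout; default is age with a hypothetical identity file
DSEC_ROOT="${DSEC_ROOT:-$HOME/.secrets}"
DSEC_DECRYPT="${DSEC_DECRYPT:-age -d -i $DSEC_ROOT/identity.txt}"

# dsource <domain> <tier>: decrypt into memory, export each NAME=value, and
# remember what was exported so dsunsource can remove exactly that.
dsource() {
    domain="$1"
    tier="$2"
    file="$DSEC_ROOT/$domain/$tier.age"

    # Strict mode: refuse to stack a second domain on top of a loaded one, so
    # one client's secrets never share a shell with another's.
    if [ -n "${DSEC_LOADED_DOMAIN:-}" ] && [ "$DSEC_LOADED_DOMAIN" != "$domain" ]; then
        echo "dsource: domain $DSEC_LOADED_DOMAIN is loaded; run dsunsource first" >&2
        return 1
    fi
    [ -r "$file" ] || { echo "dsource: cannot read $file" >&2; return 1; }

    # Plaintext goes into a shell variable, never onto disk.
    plain=$($DSEC_DECRYPT "$file") || { echo "dsource: decrypt failed: $file" >&2; return 1; }

    # Export only well-formed NAME=value lines (no eval, so a crafted payload
    # cannot run commands) and never let a secret file redefine shell-critical
    # variables.
    names=""
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            *=*) ;;
            *) echo "dsource: skipping malformed line" >&2; continue ;;
        esac
        name="${line%%=*}"
        case "$name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "dsource: skipping malformed line" >&2; continue ;;
            PATH|HOME|IFS|SHELL|LD_PRELOAD|LD_LIBRARY_PATH|DSEC_*)
                echo "dsource: refusing to override $name" >&2; continue ;;
        esac
        export "$name=${line#*=}"
        names="$names $name"
    done <<__DSEC_PAYLOAD__
$plain
__DSEC_PAYLOAD__
    unset plain line name

    DSEC_LOADED_DOMAIN="$domain"
    DSEC_LOADED_VARS="${DSEC_LOADED_VARS:-}$names"
    echo "dsource: loaded $domain/$tier:$names" >&2
}

# dsunsource: unset every variable dsource exported and clear the tracking state.
dsunsource() {
    for name in ${DSEC_LOADED_VARS:-}; do
        unset "$name"
    done
    unset DSEC_LOADED_VARS DSEC_LOADED_DOMAIN name
}

# dsec_loaded: print the loaded domain, or "none" (handy in a prompt).
dsec_loaded() {
    printf '%s\n' "${DSEC_LOADED_DOMAIN:-none}"
}
```

Put the functions in a file and source it from your shell rc, the analogue of what `dsec shell-init` installs, then `dsource d000 dev/network` and `dsunsource` work as on the page. For passphrase-protected files point `DSEC_DECRYPT` at plain `age -d`, which prompts for the passphrase instead of reading an identity file.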

age-edit

Interactive editor for Age-encrypted files.

# Edit in $EDITOR
age-edit ~/.secrets/d000/credentials.age

age-sync-meta

Extract YAML frontmatter from .age files to .meta.md sidecars for Obsidian/tool indexing, and maintain a .bases index file tracking all encrypted files. The tool has to decrypt each file to read its frontmatter, and the sidecar it writes is plaintext: whatever goes into title, tags or dates is readable by anyone with access to the directory, so keep frontmatter free of anything sensitive.

Why Use This

  • Obsidian integration - Metadata visible without decryption

  • Search/indexing - Tags, titles, dates searchable in plaintext

  • Inventory - .bases tracks all encrypted files with sizes and timestamps (a regenerated index, not a tamper-evident audit log)

Usage

# Sync current directory
age-sync-meta .

# Sync recursively
age-sync-meta -r /path/to/docs

# Single file
age-sync-meta document.md.age

# Only update .bases (skip meta extraction)
age-sync-meta -b

# Clean orphaned .meta.md files (no matching .age)
age-sync-meta -c

Output Files

File        Purpose
*.meta.md   YAML frontmatter + encrypted_source reference
.bases      YAML index of all .age files with sizes/timestamps

Example

$ age-sync-meta .
✓ Synced: CNV-2026-01-22-001.meta.md
✓ Updated: ./.bases (5 files)

$ cat CNV-2026-01-22-001.meta.md
---
title: "My Document"
tags: [linux, security]
encrypted_source: "CNV-2026-01-22-001.md.age"
---
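The following is an added example, not the age-sync-meta source, that spells out the tool's three operations in POSIX shell so the on-disk result of the Usage commands above is explicit: decrypt a file to memory, copy only its YAML frontmatter into a plaintext .meta.md sidecar with an encrypted_source pointer, regenerate .bases, and drop sidecars whose source file is gone (the -c behaviour). The exact sidecar and .bases layout, the `AGE_DECRYPT` hook and the identity file path are assumptions.

```shell
#!/bin/sh
# Added example, not the age-sync-meta source: its three operations written
# out in POSIX shell so the on-disk result is visible.
#
# Assumptions (not taken from the page): the exact sidecar and .bases layout
# below, and AGE_DECRYPT, the command that decrypts one .age file to stdout
# (default: age with a hypothetical identity file).
AGE_DECRYPT="${AGE_DECRYPT:-age -d -i $HOME/.secrets/identity.txt}"

# sidecar_name <file.age>: CNV-2026-01-22-001.md.age -> CNV-2026-01-22-001.meta.md
sidecar_name() {
    stem="${1%.age}"
    stem="${stem%.md}"
    printf '%s.meta.md\n' "$stem"
}

# frontmatter: read a document on stdin and print only the YAML between the
# leading '---' fences; prints nothing if the document has no frontmatter.
frontmatter() {
    awk 'NR == 1 { if ($0 != "---") exit; next }
         /^---$/  { exit }
         { print }'
}

# sync_meta <file.age>: decrypt to memory, keep only the frontmatter, and
# write the plaintext sidecar with an encrypted_source pointer. Everything
# in that frontmatter is now readable without a key, which is the point of
# the tool and also why frontmatter must never hold secrets.
sync_meta() {
    src="$1"
    out=$(sidecar_name "$src")
    plain=$($AGE_DECRYPT "$src") || { echo "sync_meta: decrypt failed: $src" >&2; return 1; }
    fm=$(printf '%s\n' "$plain" | frontmatter)
    unset plain
    {
        echo '---'
        if [ -n "$fm" ]; then printf '%s\n' "$fm"; fi
        printf 'encrypted_source: "%s"\n' "$(basename "$src")"
        echo '---'
    } > "$out"
    echo "✓ Synced: $(basename "$out")"
}

# update_bases <dir>: regenerate the .bases index of every .age file under
# <dir> with size and mtime. It is a snapshot anyone with write access can
# rewrite, not a tamper-evident audit log.
update_bases() {
    dir="${1:-.}"
    {
        echo 'files:'
        find "$dir" -type f -name '*.age' | LC_ALL=C sort | while IFS= read -r f; do
            rel="${f#"$dir"/}"
            size=$(wc -c < "$f" | tr -d ' ')
            mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")   # GNU stat, then BSD stat
            printf '  - path: "%s"\n    size: %s\n    mtime: %s\n' "$rel" "$size" "$mtime"
        done
    } > "$dir/.bases"
    count=$(grep -c '^  - path:' "$dir/.bases" || true)
    echo "✓ Updated: $dir/.bases ($count files)"
}

# clean_orphans <dir>: delete sidecars whose encrypted_source no longer exists
# next to them.
clean_orphans() {
    dir="${1:-.}"
    for meta in "$dir"/*.meta.md; do
        [ -e "$meta" ] || continue
        src=$(sed -n 's/^encrypted_source: *"\(.*\)"$/\1/p' "$meta")
        if [ -z "$src" ] || [ ! -e "$dir/$src" ]; then
            rm -f -- "$meta"
            echo "✗ Removed orphan: $(basename "$meta")"
        fi
    done
}
```

Running `sync_meta` on a file whose body contains credentials still writes only the frontmatter to disk, which is the property to verify if you adapt this: diff the sidecar against the decrypted file and confirm nothing below the second `---` ever appears in it.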

vault-manager

Manages gocryptfs vault lifecycle.

# Mount vault
vault-manager mount credentials

# Unmount vault
vault-manager unmount credentials

# List mounted vaults
vault-manager status

See Vault Manager for details.

LUKS Scripts

Automation for cold storage operations.

  • luks-mount - Open and mount LUKS container

  • luks-umount - Unmount and close LUKS container

  • luks-backup - Perform backup to cold storage

See LUKS Scripts for details.

gopass - Password Store

GPG-encrypted password management for infrastructure credentials, API keys, and service accounts.

Location: ~/.password-store/

Quick Start

# Get password only
gopass show -o v2/DOMUS/servers/ise-01

# Get password with metadata
gopass show v2/DOMUS/servers/ise-01

# Generate new password
gopass generate -p v2/DOMUS/servers/newserver 24

# Insert multiline with heredoc
cat << 'EOF' | gopass insert -f -m v2/DOMUS/servers/myserver
<PASSWORD>
---
type: service-type
connection:
  host: myserver.inside.domusdigitalis.dev
  ip: 10.50.1.X
credentials:
  username: admin
EOF

Note: typed into an interactive shell, the whole heredoc (password included) is saved in shell history like any other command line, and -f overwrites an existing entry without asking. Run this form from a script, or use gopass edit for a one-off entry.

Store Structure (v2)

v2/DOMUS/servers/<hostname>/
├── (main)        # GUI/Web admin
├── cli           # CLI/SSH admin
├── dataconnect   # API: DataConnect
└── ers           # API: ERS/REST

See gopass - Full Documentation for complete reference including templates and migration patterns.