Secrets and Vaults
Secrets and Vaults
Local vault:
cnos vault create defaultcnos vault auth defaultcnos secret set app.token super-secret --vault defaultcnos vault create default initializes the local encrypted vault immediately. If CNOS cannot resolve a passphrase from env or keychain, it prompts interactively. cnos vault auth default is only for re-authenticating an existing vault and rejects wrong passphrases.
CI-backed vault:
cnos vault create github-ci --provider github-secrets --no-passphrasecnos secret set app.token APP_TOKEN --vault github-ciBy default:
- repo files store only refs
- local secret material stays outside the repo
- reads are masked unless
--revealis explicitly requested