-
Notifications
You must be signed in to change notification settings - Fork 0
Encryption and Privacy
How Kyto keeps secrets local and optional encrypted at rest.
| Property | Kyto behavior |
|---|---|
| Network | None — compiler never connects |
| Telemetry | None |
| Cloud account | Not required |
| Secret storage | Your disk, your keys |
Kyto is designed for developers who do not want config tooling that "phones home."
.env
.kyto.config
kyto/local.kyto
kyto/local.kyto.enc
~/.config/kyto/keySafe for git:
-
.env.example(redacted) -
.kyto.config.example(no real secrets) kyto.toml
kyto.toml controls which keys get redacted in the example file:
[emit.env]
redact_keys = ["SECRET", "TOKEN", "PASSWORD", "KEY"]Any env key containing those substrings is masked in .env.example.
Store sensitive .kyto sources encrypted:
# Generate a 32-byte key (64 hex chars)
export KYTO_KEY=$(openssl rand -hex 32)
# Encrypt
kura encrypt kyto/local.kyto -o kyto/local.kyto.enc
# Decrypt when editing
kura decrypt kyto/local.kyto.enc -o kyto/local.kytoDelete plaintext local.kyto after encrypting. Commit only .enc if your workflow allows encrypted blobs (or keep .enc local too).
export KYTO_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdefGood for CI secrets and one-off scripts.
mkdir -p ~/.config/kyto
openssl rand -hex 32 > ~/.config/kyto/key
chmod 600 ~/.config/kyto/keykura reads this automatically when KYTO_KEY is unset.
| Property | Value |
|---|---|
| Cipher | ChaCha20 |
| MAC | Poly1305 |
| Standard | RFC 8439 (AEAD) |
| Implementation |
crypto.asm in NASM |
Encrypted files include a KYTO magic header for format identification.
Kyto protects against:
- Accidental secret commits (
.env.exampleredaction) - Casual disk reads (encrypted
.kytosources) - Cloud config vendor lock-in
Kyto does not protect against:
- Attacker with your
KYTO_KEYand encrypted files - Malware on your machine
- Someone with access to live
.envon a server
Use OS-level permissions (chmod 600) on key files.
Container runs as root inside the image. Mount projects read-only where possible:
docker run --rm -v "$PWD:/work:ro" -w /work ghcr.io/voidmute/kyto:latest checkDo not bake KYTO_KEY into images.