Secrets Encryption
Encrypt secrets for secure backup and collaboration
When interacting with APIs, it’s common to work with sensitive values like API keys, tokens, or passwords. Yaak provides the secure(…) template function to help keep these sensitive values safe, even when exporting and sharing workspace data to other devices.
Yaak encrypts data using the ChaCha20-Poly1305 authenticated encryption algorithm with the extended 24-byte nonce.
## Enabling Encryption
Encryption can be enabled in Workspace Settings or by configuring the secure(…) template function for the first time.
Two encryption keys will be generated the first time encryption is enabled.
- A 32-byte master key is generated, if one does not yet exist, and stored in the host OS keychain.
- A 32-byte workspace key is generated for the current workspace and stored in Yaak’s primary database, encrypted by the master key.
When encryption is enabled, you will be asked to back up the workspace key, which will look like YKV2DK-HT1MD0-8EB48W-PPWHVA-TYJT14-1NWBYN-V874M9-RKJ41R-W95MY0. It can be accessed at any time from Workspace Settings but should be backed up in case of system failure. It will also be required to access encrypted data on other devices.
If the workspace key is lost, attempting to access any encrypted values from a new device will fail.
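The key layout and the extended-nonce cipher described above, as an added example that is not Yaak's code: XChaCha20-Poly1305 is built from a pure-Python HChaCha20 subkey step on top of the `cryptography` package's ChaCha20Poly1305, then used to wrap a workspace key under a master key and to encrypt one value. The function names, the nonce-then-ciphertext blob layout and the sample token are assumptions made for illustration.

```python
import os
import struct
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

def _qr(s, a, b, c, d):
    # ChaCha quarter round over four 32-bit words of the state
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        v = s[z] ^ s[x]
        s[z] = ((v << r) | (v >> (32 - r))) & 0xFFFFFFFF

def hchacha20(key, nonce16):
    # Derive a per-message subkey from the key and the first 16 nonce bytes
    s = list(struct.unpack("<16I", b"expand 32-byte k" + key + nonce16))
    for _ in range(10):  # 10 double rounds = 20 rounds
        for i in range(4):  # column rounds
            _qr(s, i, 4 + i, 8 + i, 12 + i)
        for i in range(4):  # diagonal rounds
            _qr(s, i, 4 + (i + 1) % 4, 8 + (i + 2) % 4, 12 + (i + 3) % 4)
    return struct.pack("<8I", *(s[:4] + s[12:]))

def seal(key, plaintext):
    # Fresh random 24-byte nonce per message, stored in front of the ciphertext
    nonce = os.urandom(24)
    aead = ChaCha20Poly1305(hchacha20(key, nonce[:16]))
    return nonce + aead.encrypt(b"\x00" * 4 + nonce[16:], plaintext, None)

def unseal(key, blob):
    # Raises InvalidTag when the key is wrong or the blob was modified
    aead = ChaCha20Poly1305(hchacha20(key, blob[:16]))
    return aead.decrypt(b"\x00" * 4 + blob[16:24], blob[24:], None)

def rejected(key, blob):
    try:
        unseal(key, blob)
        return False
    except InvalidTag:
        return True

def demo():
    master_key = os.urandom(32)     # stand-in for the key kept in the OS keychain
    workspace_key = os.urandom(32)  # per-workspace key
    wrapped = seal(master_key, workspace_key)           # form stored in the database
    secret = seal(workspace_key, b"constructed-token")  # an encrypted field value
    recovered = unseal(unseal(master_key, wrapped), secret)
    flipped = secret[:-1] + bytes([secret[-1] ^ 1])     # one bit changed in the tag
    return recovered, rejected(os.urandom(32), secret), rejected(workspace_key, flipped)
```

`demo()` returns the recovered value plus two flags: decryption under a different key fails, which is the lost-workspace-key case, and so does decryption of a modified blob.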
## Using Encryption
Once encryption is enabled, any fields known to contain sensitive info will be encrypted by default. This helps ensure that no values are left unencrypted by accident.
Sensitive fields include header values like Authorization, authentication passwords, and environment variable values.
For fields not deemed to be sensitive, the secure(…) function can be used to explicitly encrypt values.
## Exporting Environments
Encryption keeps values secure on your local device, but the true advantage is providing the ability to share Yaak Workspaces without exposing secrets to the public.
Environments can be marked as “sharable,” meaning they will be included in data export and directory sync by default. A warning will also appear if a sharable environment contains unencrypted values.