What is DevSafe?
DevSafe is an encrypted git backup tool. It finds your repositories, creates git bundles, encrypts them with AES-256-GCM, and uploads them to storage you own. Your keys never leave your machine.
The problem with cloud sync
Cloud sync services like iCloud, Dropbox, OneDrive, and Google Drive were not built for git repositories. They corrupt .git directories through lockfile races, partial pack writes, index conflicts, and ref pointer overwrites. Git's own FAQ warns against storing repositories in synced folders.
The corruption is subtle. You might not notice for weeks. By the time you do, your backup history is damaged and the sync service has faithfully replicated the damage to every connected device.
DevSafe solves this by reading directly from git's object database (not the filesystem) and producing a single encrypted git bundle. There are no partial writes, no lock contention, and no way for a sync service to interfere.
How it works
DevSafe follows four steps for every backup:
- Discover. Walks your filesystem and finds every .git directory automatically. No per-repo configuration needed.
- Bundle. Creates a git bundle using git's plumbing commands. This reads from the object database, bypasses the working tree, and captures all branches, tags, and refs in a single file.
- Encrypt. Encrypts the bundle with AES-256-GCM using nonce-unique AEAD. Keys are derived per-repo and per-bundle through HKDF-SHA256. Your master key never leaves the machine, and it is never sent to any server.
- Upload. Sends the encrypted bundle to your own S3-compatible storage (Cloudflare R2, AWS S3, MinIO, Backblaze B2). DevSafe has no servers. You own the storage, and you hold the keys.
After each backup, DevSafe verifies the bundle is restorable without trusting the storage provider.
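The Encrypt step's key hierarchy, sketched as an added example (not DevSafe's own code): a master key is expanded with HKDF-SHA256 into a per-repo key and then a per-bundle key, which seals the bundle with AES-256-GCM under a fresh random nonce. The info labels, the empty HKDF salt, the nonce || ciphertext || tag layout and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hkdf32 is HKDF-SHA256 (RFC 5869) with an empty salt and one 32-byte output block.
func hkdf32(ikm []byte, info string) []byte {
	ext := hmac.New(sha256.New, nil) // extract: PRK = HMAC(salt, IKM)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // expand: T(1) = HMAC(PRK, info || 0x01)
	exp.Write(append([]byte(info), 0x01))
	return exp.Sum(nil)
}

// bundleAEAD derives master -> repo key -> bundle key (hypothetical info labels) for AES-256-GCM.
func bundleAEAD(master []byte, repo, bundle string) cipher.AEAD {
	key := hkdf32(hkdf32(master, "example/repo/"+repo), "example/bundle/"+bundle)
	block, _ := aes.NewCipher(key)  // cannot fail: key is always 32 bytes
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has a 16-byte block
	return aead
}

// sealBundle returns nonce || ciphertext || tag; openBundle reverses it or returns an error.
func sealBundle(master []byte, repo, bundle string, plain []byte) ([]byte, error) {
	aead := bundleAEAD(master, repo, bundle)
	nonce := make([]byte, aead.NonceSize()) // fresh random 96-bit nonce for every seal
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, nil), nil
}

func openBundle(master []byte, repo, bundle string, blob []byte) ([]byte, error) {
	aead := bundleAEAD(master, repo, bundle)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("blob shorter than nonce")
}

func main() {
	blob, err := sealBundle(make([]byte, 32), "repo-a", "b1", []byte("constructed bundle"))
	fmt.Println(len(blob), err) // the all-zero master key is a constructed demo value
}
```

Because the key itself depends on the repo and bundle identifiers, a blob opened under any other identifier fails GCM authentication instead of yielding plaintext.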
$ brew install hxalabs/tap/devsafe
$ devsafe scan ~/projects
✓ discovered 14 repositories
✓ 0 corrupted, 3 at risk (iCloud sync detected)
Free tools and paid features
DevSafe ships as a single binary. Many commands are free and require no account:
- devsafe scan, devsafe diagnose, devsafe health for finding and checking your repos
- devsafe mcp-scan, devsafe shield, devsafe sync-shield for detecting sync service risks
- devsafe init, devsafe vault, devsafe lockbox for local protection
- devsafe net, devsafe preflight, devsafe fix for diagnostics and repairs
Paid features handle encrypted backup to user-owned storage:
- devsafe backup, devsafe restore, devsafe verify for the core backup cycle
- devsafe rotate-key, devsafe audit for key management and compliance
- devsafe status, devsafe snapshot for monitoring and point-in-time capture
Design principles
Every decision in DevSafe follows from these constraints:
- Local-first. DevSafe runs on your machine. There is no DevSafe server in the backup path. Your storage provider holds encrypted blobs it cannot read.
- Zero-trust. The storage provider is untrusted. Backups are verified without decrypting, using cryptographic proofs that do not require trusting the host.
- User-owned storage. You bring your own S3-compatible bucket. Cloudflare R2, AWS S3, MinIO, Backblaze B2 all work. No vendor lock-in.
- Keys never leave the machine. Your encryption key is generated locally, stored locally, and used locally. DevSafe cannot recover your key, and that is the point.
- Git bundle, not filesystem copy. DevSafe reads from git's object database. It never touches the working tree during backup. This makes it immune to the corruption that breaks cloud sync tools.
The Quickstart guide walks you through install, first backup, and verification in under five minutes.