Your key, your data.
DevSafe uses zero-knowledge encryption. Your key is generated on your machine, stays on your machine, and never touches our servers. If you lose the key, we cannot recover your data. That is the point.
Zero-knowledge means zero recovery. DevSafe never sees, stores, or transmits your encryption key. If you lose both the key and the recovery phrase, your backups are permanently unreadable. No support ticket, no override, no backdoor. Store your recovery phrase safely before you need it.
Key generation
When you run devsafe keygen, DevSafe creates an AES-256 master key entirely on your local machine. Nothing leaves your computer during this process. The key is generated using your operating system's cryptographically secure random number generator.
At creation time, DevSafe also generates a recovery phrase. This is the only time you will see it. Once the command finishes, the recovery phrase is not stored anywhere that DevSafe can retrieve it for you later.
$ devsafe keygen --name "prod-2026" ✓ generated AES-256 master key (id: prod-2026) ✓ recovery phrase (24 words): abandon bicycle canvas dolphin eagle fabric guitar hollow island jungle kitchen liberty monkey notable ocean pyramid quarter rocket shelter timber umbrella venture whisper yellow # Write this down NOW. You will not see it again.
DevSafe derives per-repo and per-bundle keys from this single master key using HKDF-SHA256. You manage one key. DevSafe handles the rest of the hierarchy automatically.
Key storage
Your master key is stored locally in ~/.devsafe/ with strict filesystem permissions (0600, readable only by your user account). DevSafe sets these permissions automatically during key generation.
macOS Keychain (optional)
On macOS, you can optionally store the key in the system Keychain instead of the filesystem. This adds hardware-backed protection and integrates with Touch ID or your login password.
$ devsafe keygen --name "prod-2026" --keychain ✓ generated AES-256 master key (id: prod-2026) ✓ stored in macOS Keychain (service: com.devsafe.keys)
Whether you use the filesystem or the Keychain, the key never leaves your machine. DevSafe reads it locally when encrypting or decrypting git bundles. No network request is involved.
Recovery phrase
The recovery phrase is a 24-word BIP39-style mnemonic. It encodes your master key in a human-readable format that you can write on paper, store in a password manager, or print.
You see the recovery phrase exactly once, when you run devsafe keygen. DevSafe does not store it. If you skip this step, there is no way to get the phrase later.
What to do with your recovery phrase
- Print it and store the paper in a safe or lockbox.
- Save it in a password manager (1Password, Bitwarden, or similar).
- Write it on paper and keep it somewhere separate from your computer.
- Do at least two of the above. Redundancy matters.
To restore a key from the recovery phrase on a new machine:
$ devsafe key recover --name "prod-2026" Enter your 24-word recovery phrase: > abandon bicycle canvas dolphin eagle fabric ... ✓ master key restored (id: prod-2026) ✓ saved to ~/.devsafe/keys/prod-2026
Team access
For teams, DevSafe provides two commands to manage who can decrypt backups: devsafe grant-access and devsafe revoke-access.
When you grant access, DevSafe encrypts a copy of the repo key for the new team member's public key. The master key is never shared. Each person holds their own key pair, and DevSafe handles the per-repo key exchange.
$ devsafe grant-access --repo api-server --to alex@team.com ✓ repo key encrypted for alex@team.com ✓ alex can now decrypt api-server backups
Revocation
When you revoke access, DevSafe triggers a full re-encryption of the affected repository's backups by default. This ensures the revoked team member cannot decrypt any future (or past) backups, even if they retained a copy of the old key material.
$ devsafe revoke-access --repo api-server --from alex@team.com ✓ access revoked for alex@team.com → re-encrypting api-server backups with new key... ✓ re-encryption complete (47 bundles, 3.8 GB)
Re-encryption runs in the background and does not interrupt your workflow. You can skip re-encryption with --no-reencrypt, but this means the revoked user could still read older backups if they have a copy.
Key rotation
NIST SP 800-57 recommends rotating encryption keys on a regular schedule. DevSafe makes this straightforward with the devsafe rotate-key command, which generates a new master key and re-encrypts all existing backups automatically.
$ devsafe rotate-key --name "prod-2026-q3" ✓ new AES-256 master key generated (id: prod-2026-q3) ✓ new recovery phrase (24 words): arrow bridge canyon delta engine frost garden harbor inlet jungle kettle lantern marble novel orbit pebble quartz river summit tower unity valley window zenith → re-encrypting 14 repositories... ✓ re-encryption complete (312 bundles, 28.1 GB) ✓ old key prod-2026 marked inactive # Save the new recovery phrase. The old one still works for old backups.
During rotation, DevSafe keeps the old key available for reading existing backups, then re-encrypts everything with the new key. Once re-encryption finishes, new backups use only the new key.
Recommended rotation schedule
- Every 90 days for teams with elevated compliance requirements (SOC 2, HIPAA).
- Every 180 days for most teams.
- Immediately after revoking a team member's access.
- Immediately if you suspect key compromise.
DevSafe tracks which key encrypted each git bundle. When you restore a backup that was created before a rotation, DevSafe automatically uses the correct key. You do not need to manage key versions manually.
Summary
The key custody model is simple on purpose:
- Keys are generated and stored locally. They never touch a server.
- Recovery phrases are shown once. Store them safely.
- Team access uses per-repo key encryption. Revocation triggers re-encryption.
- Key rotation is a single command. Re-encryption happens automatically.
- If you lose the key and the recovery phrase, your data is gone. That is what zero-knowledge means.