How to Use ASD Vault for Encrypted Secret Management

ASD Vault provides encrypted secret storage powered by Supabase Vault and pgsodium. Instead of keeping secrets in plain-text .env files, store them encrypted and inject them into your processes on demand using the ASD CLI.
How encryption works
Every secret is encrypted with XChaCha20-Poly1305 AEAD (Authenticated Encryption with Associated Data) via pgsodium, the PostgreSQL extension that wraps libsodium. The encryption root key is managed by Supabase KMS and never stored in the database. Access is enforced via Row Level Security per user/organisation.
Prerequisites
- ASD CLI installed and authenticated (asd login)
- A Developer plan or higher (free plan does not include vault access)
Step 1: Store a secret
Use asd vault set to store a secret. The value is encrypted before
it reaches the database:
# From argument (the value can end up in shell history and is visible in the process list while the command runs)
asd vault set API_KEY "sk-abc123"
# With category and description
asd vault set db/PASSWORD "s3cret" \
--category database \
--description "Production DB password"
Secret names support slashes for organizing by category, like db/PASSWORD, api/stripe-key, or tls/cert.
Step 2: Store from files or stdin
Store file contents directly, or pipe from stdin for multiline values:
# Store from a file
asd vault set tls/cert --file ./cert.pem
# Store from stdin (piped value)
cat ~/.kube/config | asd vault set kubeconfig --stdin
Step 3: List your secrets
View all stored secrets. The list shows metadata only — values are never displayed:
asd vault list
Output:
Vault Secrets (3)
database
db/PASSWORD [user] — Production DB password
api
api/stripe-key [org] — Stripe production key
ssh
ssh/github-ci [user] — GitHub Actions SSH key
Filter by category or scope:
asd vault list --category database
asd vault list --scope org
Step 4: Retrieve a secret
Get the decrypted value:
asd vault get db/PASSWORD
The value is printed to stdout with no prefix, so you can pipe it:
# umask 077 creates the key file readable by its owner only
(umask 077 && asd vault get ssh/github-ci > ~/.ssh/ci_key)
Step 5: Inject secrets into a process
Create an environment template that references vault secrets using asd:// URIs:
# .env.tpl
DATABASE_URL=asd://db/PASSWORD
API_KEY=asd://API_KEY
Run any command with those secrets injected as environment variables:
asd vault run --env-file .env.tpl -- node server.js
Secrets are decrypted at runtime and injected into the process environment. They exist only in process memory — never written to disk.
You can also substitute references in a config file directly:
asd vault inject config.tpl config.json
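A template check that fits this step, as an added example rather than part of the ASD CLI or the original page: it flags any .env.tpl entry whose value is not a single asd:// reference, so a literal secret cannot slip into a committed template. The function names, the allowed name characters (letters, digits, _, -, ., /) and the one-reference-per-value rule are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not ASD's code): keep literal secrets out of .env.tpl files.
# Assumption: a secret name uses letters, digits, "_", "-", "." and "/",
# and each value is expected to be exactly one asd:// reference.

# Print "LINE:KEY:reason" for every entry that is not a lone asd:// reference.
# Values are never printed, so the report is safe in CI logs.
# Exit status: 0 when the template is clean, 1 otherwise.
lint_env_tpl() {
  awk '
    /^[ \t]*(#|$)/ { next }                    # comments and blank lines
    {
      line = $0
      sub(/^[ \t]*(export[ \t]+)?/, "", line)  # tolerate a leading "export"
      eq = index(line, "=")
      if (eq == 0) { printf "%d:?:not KEY=VALUE\n", NR; bad = 1; next }
      key = substr(line, 1, eq - 1)
      val = substr(line, eq + 1)
      gsub(/^"|"$/, "", val)                   # tolerate dotenv-style quotes
      if (val == "") next                      # empty value holds no secret
      if (val ~ "^asd://[A-Za-z0-9_./-]+$") next
      reason = (val ~ "asd://") ? "reference mixed with literal text" : "literal value"
      printf "%d:%s:%s\n", NR, key, reason
      bad = 1
    }
    END { exit bad + 0 }
  ' "$1"
}

# List the distinct secret names a template refers to, one per line,
# e.g. to compare against the names shown by `asd vault list`.
env_tpl_refs() {
  grep -oE 'asd://[A-Za-z0-9_./-]+' "$1" | sed 's|^asd://||' | LC_ALL=C sort -u
}
```

Call lint_env_tpl .env.tpl from a pre-commit hook or CI step; a non-zero status means the template holds something other than vault references.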
Step 6: Bulk import and export
Import all files from a directory (file names become secret names):
asd vault import ./secrets/ --scope user --yes
Output:
Import preview (12 secrets from 5 files):
Name Category Source
─────────────────────────────────────────────────────
k8s/kubeconfig kubernetes k8s/kubeconfig.yaml
porkbun/PORKBUN_API_KEY dns porkbun/.env
ssh/id_rsa ssh ssh-keys/id_rsa
Import complete: 12 created, 0 failed
Export all secrets back to files (round-trip faithful):
asd vault export ./backup/
Scopes: personal vs organisation
By default, secrets are stored in your personal scope. To share with your organisation:
# Personal secret (only you)
asd vault set my-token "value"
# Organisation secret (shared with org admins)
asd vault set shared-api-key "value" --scope org
Web dashboard
The vault also has a web interface at /workspace/vault in your
ASD dashboard. From there you can view secret metadata, create and delete
secrets, and see your plan limits. Decrypted values are only available through
the CLI using asd vault get.
CLI command reference
| Command | Description |
|---|---|
| asd vault list | List secrets (metadata only, no values) |
| asd vault get <name> | Print decrypted value to stdout |
| asd vault set <name> [value] | Create or update a secret |
| asd vault delete <name> | Soft-delete a secret |
| asd vault import <dir> | Bulk import secrets from directory |
| asd vault export <dir> | Export secrets to files |
| asd vault inject <tpl> [out] | Substitute asd:// references in template |
| asd vault run --env-file <tpl> -- <cmd> | Run command with injected secrets |
Plan limits
| Plan | Secrets |
|---|---|
| Free | Not available |
| Developer | 10 |
| Pro | 50 |
| Scale | 200 |
| Enterprise | Unlimited |
Need more? The Vault Addon gives you +50 secrets per unit for €5/month.
Security details
- Algorithm: XChaCha20-Poly1305 AEAD via pgsodium
- Key management: Root key managed by Supabase KMS, never stored in the database
- Access control: Row Level Security per user/organisation. SECURITY DEFINER RPC functions handle encryption and decryption
- Transport: All API calls over HTTPS with TLS
- At rest: Encrypted before storage in vault.secrets
For more details, see the Supabase Vault documentation and the pgsodium GitHub repository.
Summary
ASD Vault replaces plain-text .env files with encrypted, server-managed secrets. Use asd vault set to store, asd vault get to retrieve, and asd vault run to inject into any process. All of it is powered by pgsodium encryption and managed through the ASD CLI.
Kelvin Wuite
Kelvin Wuite is the founder of Accelerated Software Development B.V. With over eighteen years of development experience, he has witnessed the same patterns repeat across every software team: endless documentation, manual preparation, environment mismatches, and fragmented collaboration. His drive is to remove these barriers, enabling engineers to work together in unified environments with shorter feedback loops and hands-on collaboration. Since 2015 he has been refining these ideas, leading to ASD — a platform designed to create a faster, more integrated way for development teams to collaborate in an age where AI is thriving.