Project Configuration
Every Kānuka project has a configuration file that tracks the project identity and all registered users. Unlike your user configuration, this file is shared with your team via version control.
Location
The project configuration is stored at:
```
your-project/
└── .kanuka/
    └── config.toml
```
File Structure
```toml
[project]
uuid = "550e8400-e29b-41d4-a716-446655440000"
name = "my-awesome-project"

[users]

[devices]
[devices."6ba7b810-9dad-11d1-80b4-00c04fd430c8"]
name = "workstation"
created_at = 2025-01-06T10:00:00Z

[devices."8ba7b810-9dad-11d1-80b4-00c04fd430c9"]
name = "macbook"
created_at = 2025-01-05T09:00:00Z
```
Sections Explained
Project Section
| Field | Description |
|---|---|
| uuid | A unique identifier for this project, generated when you run kanuka secrets init. |
| name | The project name, defaulting to the directory name. |
The project UUID is used to:
- Organize your local keys by project
- Link your user configuration to specific projects
- Ensure uniqueness across all Kānuka projects
Users Section
Maps user UUIDs to their email addresses:
```toml
[users]
```
This provides a human-readable way to identify who has access, while the actual key files use UUIDs for naming.
Devices Section
Tracks metadata for each registered device:
| Field | Description |
|---|---|
| email | The user’s email address (for display purposes). |
| name | The device name chosen by the user. |
| created_at | When this device was registered. |
Note that each user UUID represents a single device. If a user has multiple devices, they have multiple UUIDs in the project config.
How Users Are Represented
Each device a user registers gets its own UUID. For example, if Alice has two devices:
```toml
[users]

[devices."uuid-alice-workstation"]
name = "workstation"
created_at = 2025-01-06T10:00:00Z

[devices."uuid-alice-laptop"]
name = "laptop"
created_at = 2025-01-07T14:30:00Z
```
This design allows:
- Per-device key management
- Revoking a single device without affecting others
- Clear audit trail of when devices were added
How It’s Created
The project configuration is created when you run:
```bash
kanuka secrets init
```
This command:
- Creates the .kanuka/ directory structure
- Generates a project UUID
- Creates the config.toml with your user as the first registered member
Viewing Project Configuration
```bash
# Show project configuration
kanuka config show --project

# List all devices in the project
kanuka config list-devices

# Show as JSON (for scripts)
kanuka config show --project --json
```
What Gets Committed
The entire .kanuka/ directory should be committed to version control, including:
- config.toml - The project configuration
- public_keys/ - Public keys for all registered users
- secrets/ - Encrypted symmetric keys for all registered users
This allows your team to:
- See who has access to the project
- Grant access to new team members
- Revoke access when needed
Relationship to User Configuration
The project and user configurations work together:
| Action | Project Config | User Config |
|---|---|---|
| secrets init | Created with your user entry | Updated with project entry |
| secrets create | Updated with new device | Updated with project entry |
| secrets register | Updated with new user/device | (Their config, not yours) |
| secrets revoke | User/device removed | (Their config, not yours) |
| config set-project-device | Device name updated | Your entry updated |
| config set-default-device | Not affected | Default device name updated |
Security Considerations
The project configuration contains:
- User email addresses (visible to anyone with repo access)
- Device names and creation dates
- UUIDs linking to encryption key files
It does not contain:
- Private keys (stored locally on each user’s machine)
- Actual secrets (stored in encrypted .env.kanuka files)
- Symmetric keys (encrypted per-user in .kanuka/secrets/)
Related Configuration
- User Configuration - Your personal config
- Configuration Commands - All available config commands
- File Structure - Where all Kānuka files are stored