Audit Log
Kānuka maintains an audit log of all secrets operations, providing visibility into who did what and when. This is valuable for teams who need accountability and a paper trail for security auditing.
What gets logged
Every secrets operation is recorded:
- Encrypt and decrypt - Which files were processed
- User registration and revocation - Who was added or removed
- Key rotation - When sync or rotate was run
- Initialization - When a project was set up
- Device creation - When new devices were added
- Cleanup operations - When orphaned keys were removed
- Import and export - Backup and restore operations
Log location
The audit log is stored at .kanuka/audit.jsonl and is committed to your
repository alongside other Kānuka files. This means:
- The log is versioned with git
- All team members can see the history
- No external dependencies required
Viewing the log
Use the log command to view operation history:
```
kanuka secrets log
```
This displays entries in a human-readable format:
```
2024-01-15 10:30:00 [email protected] encrypt .env, .env.local
2024-01-15 10:35:00 [email protected] register [email protected]
2024-01-15 11:00:00 [email protected] revoke [email protected]
```
See the log command guide for filtering and formatting options.
Log format
The log uses JSON Lines format (one JSON object per line), which is easy to parse programmatically while remaining human-readable:
```
{"ts":"2024-01-15T10:30:00.123456Z","user":"[email protected]","uuid":"a1b2c3d4","op":"encrypt","files":[".env"]}
```
Each entry contains:
| Field | Description |
|---|---|
| ts | Timestamp in RFC3339 format with microsecond precision |
| user | Email of the user who performed the operation |
| uuid | UUID of the user |
| op | Operation name (encrypt, decrypt, register, etc.) |
Additional fields vary by operation type (e.g., files for encrypt/decrypt,
target_user for register/revoke).
Privacy considerations
The audit log contains:
- Timestamps of operations
- Email addresses of users
- File paths that were encrypted/decrypted
- User emails for register/revoke operations
It does NOT contain:
- Secret values
- Private keys
- Encryption keys
- File contents
Handling merge conflicts
Since multiple team members may perform operations simultaneously, git merge conflicts can occur in the audit log. These are easy to resolve:
- Keep both sets of lines (the log is append-only)
- Sort by timestamp if desired
- Commit the resolved file
The audit log uses microsecond-precision timestamps to minimize the chance of conflicts.
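The resolution steps above can be scripted. The following is an added example, not part of Kānuka: it keeps the entries from both sides of a conflict, sorts them by ts, and refuses to continue if any remaining line is not a valid entry. The users in the sample are constructed, and treating byte-identical lines as one entry is an assumption of this example.

```python
import json
from datetime import datetime

# Lines git writes around a conflict; "|||||||" appears with merge.conflictStyle=diff3.
MARKERS = ("<<<<<<<", "=======", ">>>>>>>", "|||||||")

def parse_ts(ts):
    # Map the RFC3339 "Z" suffix to an explicit offset so older Pythons accept it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def resolve_audit_conflict(text):
    """Return the log with both sides of every conflict kept, sorted by ts."""
    seen, entries = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # A JSON object line starts with "{", so it can never look like a marker.
        if not line or line.startswith(MARKERS):
            continue
        try:
            when = parse_ts(json.loads(line)["ts"])
        except (ValueError, KeyError, TypeError, AttributeError) as exc:
            # Fail closed: never silently drop a line from an audit log.
            raise ValueError(f"line {lineno} is not a valid audit entry") from exc
        if line in seen:  # same entry present on both sides (assumed duplicate)
            continue
        seen.add(line)
        entries.append((when, line))
    entries.sort(key=lambda e: e[0])  # stable: ties keep their file order
    return "".join(line + "\n" for _, line in entries)

# Constructed sample: a conflicted .kanuka/audit.jsonl with invented users.
SAMPLE = """\
{"ts":"2024-01-15T10:30:00.123456Z","user":"alice@example.com","uuid":"a1b2c3d4","op":"encrypt","files":[".env"]}
<<<<<<< HEAD
{"ts":"2024-01-15T11:00:00.000200Z","user":"alice@example.com","uuid":"a1b2c3d4","op":"revoke","target_user":"carol@example.com"}
=======
{"ts":"2024-01-15T10:35:00.000100Z","user":"bob@example.com","uuid":"e5f6a7b8","op":"register","target_user":"carol@example.com"}
>>>>>>> feature-branch
"""

if __name__ == "__main__":
    print(resolve_audit_conflict(SAMPLE), end="")
```

Review the output with git diff before committing: the resolved file should differ from either side only by added lines and ordering.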
Next steps
- Learn how to filter and format the log
- See the command reference for all log options