LogoLogo
  • Welcome
  • Getting Started
    • What's Warp?
    • Quickstart
      • Install the Prerequisites
      • Create and Configure Your Project
      • Gather Your Credentials
        • Get Your Azure DevOps Credentials
        • Get Your GitHub Credentials
        • Confirm That You’ve Gathered Your Credentials
      • Set Up Your Vault
      • Scan Your Sources for Repositories
      • Migrate a Repository
  • Product
    • Core Concepts
    • Roadmap
  • Migrations
    • Azure DevOps
      • Service Connections
      • Limitations
  • Using Warp
    • Projects
      • Dashboard
      • Team
      • Capacity
      • Settings
    • Migration HQ
      • Issues
        • Issue Page
      • Labels
      • Warpspaces
    • Slash Commands
      • Global
        • /help
      • Migration
        • /migrate
        • /rename-destination
      • Backlog Issue
        • /refresh
      • Azure DevOps
        • /rewire-pipeline
        • /rewire-all-pipelines
        • /integrate-boards
        • /autolink-work-items
        • /lock-ado-repo
        • /disable-ado-repo
      • GitHub
        • /add-team
    • Support
      • Copilot for Warp
      • Partners
      • Knowledge Base
  • Security
    • Security at Packfiles
    • Warp's Security Model
      • Credential Management
      • Private Compute
      • Data Privacy
  • Billing & Licensing
    • Overview
    • Trial Mode
Powered by GitBook
LogoLogo

Helpful Links

  • Get Warp
  • Terms of Service
  • Privacy Policy

© 2025 Packfiles Inc

On this page
  • Objective
  • Create the Vault File
  • Check the Vault File
  • Confirm That the Vault Was Pushed to Migration HQ
  • Store the Vault Key in Migration HQ’s Secrets
  • Confirm that that Vault and Key are in Migration HQ

Was this helpful?

Edit on GitHub
Export as PDF
  1. Getting Started
  2. Quickstart

Set Up Your Vault

How to create the Vault file, a secure place for your source and destination credentials.

PreviousConfirm That You’ve Gathered Your CredentialsNextScan Your Sources for Repositories

Last updated 22 days ago

Was this helpful?

Objective

Now that you’ve gathered your source and destination credentials, you need to make them available to Warp so that it can perform migrations.

You also need to ensure that these credentials are secured so that only Warp can use them. You’ll do this by setting up a Vault — an encrypted file containing the credentials. To decrypt these credentials, you’ll provide Warp with the Vault key, the decryption key for the Vault file.

In this section, you’ll set up the Vault by creating the Vault file, creating a Vault key, pushing the Vault file to Migration HQ, and installing the Vault key as a secret in Migration HQ. You’ll do all this by using the GitHub CLI application with the Warp command-line extension and confirm it was done by looking at the updates to Migration HQ.

At the end of this section, you will have a Vault file uploaded to Migration HQ, which will provide Warp with the credentials necessary for performing your migrations.

Create the Vault File

🛠️ Open a command-line terminal on your computer, using the Terminal application on macOS or Linux, or Command Prompt or PowerShell on Windows and change to the directory containing the cloned Migration HQ repository.

🛠️ Run the following command, which starts the Warp command-line application that sets up the Vault:

gh warp vault setup

You will see the “Welcome” text pictured below:

🛠️ Press the Enter or Return key to continue.

You will see the Configure Providers menu, which lets you add, update, and delete tokens for various source control providers:

🛠️ The default option, Add a New Provider, is the one you want. Press the Enter or Return key to select this option.

You will be taken to the Add Provider Credentials menu:

🛠️ Let’s add the personal access token for Azure DevOps first. Since Azure DevOps is the default option, simply press the Enter or Return key to select it.

You’ll see this text, which explains that you’re about to configure an Azure DevOps provider:

🛠️ Press the Enter or Return key to continue.

You will now be prompted to enter the personal access token you created in Azure DevOps:

🛠️ Paste your Azure DevOps personal access token into the text area marked Your PAT...

🛠️ ...then press the Enter or Return key to continue.

The next step is to specify the access scope for the Azure DevOps personal access token:

🛠️ Select Single organization access using the ⬆️ and ⬇️ keys, then press the Enter or Return key.

You’ll be asked to enter the Azure Devops organization slug, which you copied when you were creating the personal access token for your Azure DevOps organization. In this example, the slug is joey-ado-testing:

🛠️ Paste or enter the organization slug into the text area marked ado-organization-slug...

🛠️ ...then press the Enter or Return key to continue.

You’ll then be asked to specify the number of days until the token expires:

🛠️ Enter 30, then press the Enter or Return key.

Finally, you’ll be asked to confirm the information you’ve entered:

🛠️ Press y to confirm that the information is correct.

It’s time to add the personal access token for GitHub. You’ll see the Configure Providers menu again:

🛠️ Once again, the default option, Add a New Provider, is the one you want. Press the Enter or Return key to select this option.

🛠️ Select GitHub [Destination] using the ⬆️ and ⬇️ keys, then press the Enter or Return key.

You’ll see this text, which explains that you’re about to configure a GitHub destination:

🛠️ Press the Enter or Return key to continue.

You will now be prompted to enter the personal access token you created in GitHub:

🛠️ Paste your GitHub personal access token into the text area marked Your PAT...

🛠️ ...then press the Enter or Return key to continue.

You’ll be asked to enter the GitHub organization slug, which you copied when you were creating the personal access token for your GitHub organization.

In this example, the slug is Hypotheticorp01:

🛠️ Paste or enter the organization slug into the text area marked destination-organization-slug, then press the Enter or Return key to continue.

You’ll then be asked to specify the number of days until the token expires:

🛠️ Enter 30, then press the Enter or Return key.

Finally, you’ll be asked to confirm the information you’ve entered:

🛠️ Press y to confirm that the information is correct.

You will return to the Configure Providers menu:

🛠️ Select Exit and Save Changes using the ⬆️ and ⬇️ keys, then press the Enter or Return key.

This will create the Vault file, which needs to be committed and pushed to the Migration HQ repository. You will see this prompt:

🛠️ Use the default option, Yes, then press the Enter or Return key.

You will see the Save Your Vault Key prompt:

🛠️ Just as you did with the personal access token in Azure DevOps and GitHub, copy the Vault key and save it in a safe place — preferably a password manager. You will need it to unlock the personal access tokens that were encrypted into the vault.

🛠️ After you have copied and saved the Vault key, press the Enter or Return key to continue.

You’ll see the final message:

At this point:

  • The Azure DevOps and GitHub personal access tokens have been encrypted into the Vault file (config/vault.age on macOS and Linux, config\vault.age on Windows)

  • The Vault file has been committed and pushed to the Migration HQ repository.

Check the Vault File

To ensure that your Vault File contains the correct credentials, we’ve included a utility to check it. Let’s use it now.

🛠️ Run the following command, which starts the Warp command-line application that checks the Vault file:

gh warp vault check

You’ll be greeting with this text asking for your Vault key:

🛠️ Paste the Vault key into the text area...

🛠️ ...then press the Enter or Return key to continue.

The utility will check the credentials in your Vault file. If the credentials are valid, you’ll see this display with the text All credentials are valid, as shown below:

🛠️ If you see the All credentials are valid message, proceed to the next step. Otherwise, repate the Create the Vault File step.

Confirm That the Vault Was Pushed to Migration HQ

Just to be certain, let’s take a look at Migration HQ to make sure that the Vault was actually pushed there.

🛠️ Open Migration HQ in a browser tab or panel and select the Code tab:

🛠️ Look at the files in the directory and look at the config directory’s last commit message: “Update Vault.”

Also, take note that its commit time is more recent than any of the other items in the repository.

🛠️ Open the config directory:

🛠️ Look at the Vault file — once again, it’s vault.age. Its last commit message and last commit date confirm that it was pushed to Migration HQ at the end of the Vault creation process.

Store the Vault Key in Migration HQ’s Secrets

The next step is to store the key for the Vault in the Migration HQ repository. This will allow Warp’s GitHub Actions to access the personal access tokens you encrypted into the Vault, which in turn will allow them to migrate your repositories from Azure DevOps to GitHub.

You could do this manually by copying the Vault key and pasting it into the Migration HQ repository’s Secrets section. However, Warp provides a command-line application that will do this for you. Let’s use it.

🛠️ Run the following command, which starts the Warp command-line application that stores the Vault key in the Migration HQ repository:

gh warp vault place

You’ll be greeted with the following text:

🛠️ Press the Enter or Return key to continue.

You’ll be prompted to enter your Vault key:

🛠️ Paste the Vault key into the text area...

🛠️ ...then press the Enter or Return key to continue.

The app will store your Vault key into the Migration HQ repository’s secrets and display this message:

Confirm that that Vault and Key are in Migration HQ

You should confirm that your Vault key was successfully stored in Migration HQ by checking the repository’s Secrets section in GitHub.

🛠️ Open a browser tab or window to the Migration HQ repository in GitHub and click the Settings tab.

🛠️ In the menu on the left side of the page, select Secrets and variables to expand it, then select Actions:

You will be taken to the Actions secrets and variables page for Migration HQ :

🛠️ Check the Repository secrets section and confirm that it contains a secret named PKFS_MASTER_KEY.

If you see the PKFS_MASTER_KEY secret, you have successfully stored the Vault key in Migration HQ. If not, you should run the gh warp vault place command again.

With the Vault file and secret install in Migration HQ, Warp now has the credentials to access your source repositories and destination GitHub organization. You’re ready to scan your source for repositories.

Search for the 🛠️ emoji if you’d like to skim through this content while focusing on the steps you need to follow.

The opening screen.
The Configure Providers menu.
The Add Provider Credentials menu.
The opening screen for the "Configure an Azure DevOps Provider" process.
The Personal Access Token screen.
The Personal Access Token screen, with the PAT filled in.
The Access Scope menu.
The Organization Slug screen.
The Organization Slug screen, with the organization slug filled in.
The Token Expiration screen.
The Confirmation screen.
The Configure Providers screen.
The Add Provider Credentials menu.
The opening screen for the "Configure a GitHub Provider" process.
The Personal Access Token screen.
The Personal Access Token screen, with the PAT filled in.
The Organization Slug screen.
The Organization Slug screen, with the organization slug filled in.
The Token Expiration screen.
The Confirmation screen.
The Configure Providers menu.
The Commit and Push Changes menu.
The Save Your Vault Key screen.
The closing screen.
The opening screen.
The opening screen, with the vault key pasted in.
The closing screen.
Migration HQ.
Migration HQ’s config directory.
The opening screen.
The Decrypt Credentials Vault screen.
The Decrypt Credentials Vault screen, with the Vault key pasted in.
The closing screen.
Migration HQ’s Settings page.
The Secrets and variables menu.
Migration HQ’s repository secrets.
The “Credential Vault Setup” screen. Its text reads: “Welcome to credential vault setup! The next screen will walk you through the process of configuring the credential vault for providers connected to the Hypotheticorp11/Migration-HQ Project. To proceed, press Enter. When you're done, you'll be prompted to securely save the encryption key in your password manager.” The text is followed by an “Ok” button.
The “Configure Providers” menu screen. The “Add a New Provider” menu item is selected.
The “Add Provider Credentials" menu screen. The “Azure DevOps” menu item is selected.
The “Credential Vault Setup” screen. Its text reads: “To authenticate to this Azure DevOps provider, we'll need a Personal Access Token (PAT). The Personal Access Token will be used for all migration processes related to this provider. To learn more about Azure DevOps Personal Access Tokens, please visit our setup guide at https://pack.fm/ado-pat-setup.” The text is followed by a “Next” button.
The “Personal Access Token" screen. The “Your PAT” text entry area has not yet been filled in.
The “Personal Access Token" screen. The “Your PAT” text entry has been filled, with the PAT obscured by asterisks.
The “Access Scope" menu screen. The “Single organization access” menu item is selected.
The “Organization Slug" screen. The organization slug text entry area is empty.
The “Organization Slug" screen. The organization slug text entry area now contains the text “joey-ado-testing”.
The “Token Expiration” screen. The token expiration text entry area contains the text “30”.
The “Confirmation” screen. It says that the application will apply the configuration based on the Personal Access Token, token access scope (single organization), organization slug (joey-ado-testing), and days until token expiration (30). There are “Yes” and “No” buttons at the end.
The “Configure Providers” menu screen. The “Add a New Provider” menu item is selected.
The “Add Provider Credentials" menu screen. The “GitHub [Destination]” menu item is selected.
The “Configure GitHub Destination” screen. Its text reads: “To authenticate to this GitHub destination, we'll need a Personal Access Token (PAT). The Personal Access Token will be used for all migration processes related to this destination. To learn more about GitHub destination Personal Access Tokens, please visit our setup guide at https://pack.fm/gh-dest-pat-setup.” The text is followed by a “Next” button.
The “Personal Access Token" screen. The “Your PAT” text entry area is empty.
The “Personal Access Token" screen. The “Your PAT” text entry has been filled, with the PAT obscured by asterisks.
The “Organization Slug" screen. The organization slug text entry area is empty.
The “Organization Slug" screen. The organization slug text entry area now contains the text “Hypotheticorp01”.
The “Token Expiration” screen. The token expiration text entry area contains the text “0”.
The “Confirmation” screen. It says that the application will apply the configuration based on the Personal Access Token, GitHub organization slug (Hypotheticorp01), and days until token expiration (0). There are “Yes” and “No” buttons at the end.
The “Configure Providers” menu screen. The “Exit and Save Changes” menu item is selected.
The “Commit and Push Changes” menu screen. The “Yes” menu item is selected.
The “Save Your Vault Key” screen. It displays the key for the vault file and instructs the user to save this key. The user is also instructed not to skip this step, as this is the only time the key will be shown to them.
The closing screen. Its text reads: “All done! Your credentials vault has been saved to ./config/vault.age. Next, install your vault master key in your Migration HQ’s Actions secrets by running ‘gh warp vault place’.”
The opening screen, where the user is prompted to enter the key for the vault file in the current vault directory.
The opening screen. The text entry area has been filled, with the vault key obscured by asterisks.
The closing screen. It displays that the vault contains credentials for Azure DevOps and its accessible organizations (joey-ado-testing) and for GitHub, for which all required scopes are present.
The "Migration HQ" page in GitHub.
Migration HQ's "config" directory. The key item is the "vault.age" file.
The opening screen. Its text reads “Install Runner Credentials Vault Master Key — Welcome! This command will install your credential vault master key into the Hypotheticorp11/Migration-HQ repository's GitHub Actions secrets. This step is necessary for the Migration Runner to decrypt and use your Project's encrypted credential vault. You'll only need to do this once, or any time you've rotated your master key. To proceed, press Enter. You'll be prompted to provide your encryption key.” The text is followed by an “Ok” button.
The "Decrypt Credentials Vault" screen, where the user is prompted to enter the key for the Vault file in the current Vault directory.
The "Decrypt Credentials Vault" screen. The text entry area has been filled, with the Vault key obscured by asterisks.
The closing screen. Its text reads “All done! Your credentials vault for Hypotheticorp01/Migration-HQ is ready to rock.”
"Migration HQ’s" "Settings" page. The key item is the "Secrets and variables" item in the left side menu.
The "Secrets and variables" menu. The key item is the "Actions" menu item.
"Migration HQ’s" repository secrets. It contains one secret, whose name is "PKFS_MASTER_KEY".