# Credential Management ### Overview To facilitate the secure storage and retrieval of credentials required for migrations, Packfiles has designed a credential management application specifically for Warp known as the **Vault**, which protects your key material with end-to-end encryption. **When you use Warp, your credentials, along with the key used to encrypt the Vault that contains them, are never known to Packfiles.** Your key material is encrypted and maintained exclusively in your GitHub environment, on infrastructure you control, and is never stored or processed on Packfiles' infrastructure or in a form accessible by our staff. Packfiles expects customers to designate a trusted administrator in their organization with the responsibility of populating and maintaining the Vault's contents. Management of the contents of the Vault occurs on an administrator's local machine via a native application, and internet connectivity is not required or used for this process. When the individual responsible for maintaining a Vault creates or modifies its contents, encryption is performed on their local machine with a randomly generated **Master Key**. This key is generated on the local machine of the individual managing the vault, is unique to each Project, and is never shared with Packfiles. A Vault's contents, and the **Master Key** used for encryption, are maintained in custody of the customer. Customers are expected to maintain their Master Key in a secure location, such as a password manager, and in their Migration HQ repository's GitHub Actions secrets. Packfiles does not store or manage the Master Key of the Vault at any time. ### Technical Description The encrypted contents of the Vault are stored in a file located in your Migration HQ repository on GitHub. This follows GitHub's [published best practice](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#storing-large-secrets) for storing large secrets on their platform. The Vault uses the [age](https://github.com/FiloSottile/age) encryption library to provide its underlying cryptography. A detailed specification outlining the cryptographic primitives used by age is available [here](https://age-encryption.org/v1). #### Architecture Diagram {% @mermaid/diagram content="architecture-beta group github(cloud)\[Your GitHub Environment] ``` service repo(disk)[Migration HQ Contains Vault] in github service actions_secrets(database)[Actions Secrets Contains Key] in github repo:R -- L:vault_manager actions_secrets:R -- B:vault_manager group customer_manager(internet)[Your Local Machine] service vault_manager(server)[Vault Manager] in customer_manager " %} ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kb.packfiles.io/security/warp-security-model/credential-management.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.