LogoLogo
  • Welcome
  • Getting Started
    • What's Warp?
    • Quickstart
      • Install the Prerequisites
      • Create and Configure Your Project
      • Gather Your Credentials
        • Get Your Azure DevOps Credentials
        • Get Your GitHub Credentials
        • Confirm That You’ve Gathered Your Credentials
      • Set Up Your Vault
      • Scan Your Sources for Repositories
      • Migrate a Repository
  • Product
    • Core Concepts
    • Roadmap
  • Migrations
    • Azure DevOps
      • Service Connections
      • Limitations
  • Using Warp
    • Projects
      • Dashboard
      • Team
      • Capacity
      • Settings
    • Migration HQ
      • Issues
        • Issue Page
      • Labels
      • Warpspaces
    • Slash Commands
      • Global
        • /help
      • Migration
        • /migrate
        • /rename-destination
      • Backlog Issue
        • /refresh
      • Azure DevOps
        • /rewire-pipeline
        • /rewire-all-pipelines
        • /integrate-boards
        • /autolink-work-items
        • /lock-ado-repo
        • /disable-ado-repo
      • GitHub
        • /add-team
    • Support
      • Copilot for Warp
      • Partners
      • Knowledge Base
  • Security
    • Security at Packfiles
    • Warp's Security Model
      • Credential Management
      • Private Compute
      • Data Privacy
  • Billing & Licensing
    • Overview
    • Trial Mode
Powered by GitBook
LogoLogo

Helpful Links

  • Get Warp
  • Terms of Service
  • Privacy Policy

© 2025 Packfiles Inc

On this page
  • Overview
  • Technical Description

Was this helpful?

Edit on GitHub
Export as PDF
  1. Security
  2. Warp's Security Model

Credential Management

Warp Protects Your Credentials with End-to-End Encryption

PreviousWarp's Security ModelNextPrivate Compute

Last updated 15 days ago

Was this helpful?

Overview

To facilitate the secure storage and retrieval of credentials required for migrations, Packfiles has designed a credential management application specifically for Warp known as the Vault, which protects your key material with end-to-end encryption.

When you use Warp, your credentials, along with the key used to encrypt the Vault that contains them, are never known to Packfiles. Your key material is encrypted and maintained exclusively in your GitHub environment, on infrastructure you control, and is never stored or processed on Packfiles' infrastructure or in a form accessible by our staff.

Packfiles expects customers to designate a trusted administrator in their organization with the responsibility of populating and maintaining the Vault's contents. Management of the contents of the Vault occurs on an administrator's local machine via a native application, and internet connectivity is not required or used for this process.

When the individual responsible for maintaining a Vault creates or modifies its contents, encryption is performed on their local machine with a randomly generated Master Key. This key is generated on the local machine of the individual managing the vault, is unique to each Project, and is never shared with Packfiles.

A Vault's contents, and the Master Key used for encryption, are maintained in custody of the customer. Customers are expected to maintain their Master Key in a secure location, such as a password manager, and in their Migration HQ repository's GitHub Actions secrets. Packfiles does not store or manage the Master Key of the Vault at any time.

Technical Description

The encrypted contents of the Vault are stored in a file located in your Migration HQ repository on GitHub. This follows GitHub's published best practice for storing large secrets on their platform.

The Vault uses the age encryption library to provide its underlying cryptography. A detailed specification outlining the cryptographic primitives used by age is available here.

Architecture Diagram