Configuration

1 Recipient resolution

nimvault resolves the GPG recipient through a 3-tier chain. The first non-empty value wins:

  1. CLI flag: --recipient KEY (or -r KEY)

  2. Environment variable: NIMVAULT_GPG_RECIPIENT

  3. Config file: .vault/config in the git repository root

If none are set, nimvault exits with an error.

../_images/recipient_resolution.svg

2 Config file format

.vault/config uses a simple key-value format:

# Lines starting with # are comments
recipient = 9CCCE36402CB49A6
root = repo

Whitespace around the = is ignored. Recognized keys:

recipient

GPG key ID for encryption (required).

root

Base directory for path resolution. When set to repo, paths are stored relative to the repository root. When set to a relative path, it is resolved against the repository root. When absent, paths use ~/ prefix for portability.

3 GPG key ID

The recipient value is any string GPG accepts as a recipient identifier:

  • Long key ID: 9CCCE36402CB49A6

  • Fingerprint: ABCD1234...

  • Email: user@example.com

Long key IDs are recommended for unambiguous matching.

3.1 Finding your key ID

gpg --list-keys --keyid-format long
# pub   rsa4096/9CCCE36402CB49A6 2024-01-01 [SC]
#                ^^^^^^^^^^^^^^^^ this is the key ID