Concepts
kovra is built from a small set of ideas that fit together. Learn these five and the rest of the tool follows.
- The vault — where secrets live: an encrypted local store, per-project or global, with its master key in the OS keychain.
- Coordinates — how you address a secret: secret:<env>/<component>/<key>, never by its value.
- Sensitivity tiers — how protective kovra is with each secret: low, medium, high, and inject-only — plus what the prod environment adds on top.
- Agent scope — the capability boundary that lets an AI agent use secrets without seeing the sensitive ones.
- The .env.refs contract — the committable file that maps your env-var names to coordinates, holding addresses but never values.
The one-sentence model
You address a secret by its coordinate, the vault custodies it, its
sensitivity decides how it can be delivered, your scope decides who can
ask, and .env.refs wires it into the processes that need it — so a value is
used without ever being seen.