I built confcrypt to encrypt sensitive values in config files – hostnames, usernames, URLs stay readable. Makes reviewing configs and debugging much easier than tools that encrypt everything. Think sops, but simpler.

Multiple key types as recipients:

- Native age keys (X25519)
- SSH keys (ed25519, RSA) – use your existing keys
- FIDO2 devices (YubiKey 5, SoloKey, etc.) via hmac-secret
- YubiKey OTP via HMAC challenge-response

Hardware keys derive the private key on-demand with a touch – never stored on disk.

How it works:

- Pattern-based: only keys matching /password$/, /api_key$/, etc. (configurable) get encrypted
- Values encrypted with AES-256-GCM, key wrapped per recipient
- `confcrypt check` for CI – exits 1 if unencrypted secrets found
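A sketch of the CI gate described above, added here as an example and not confcrypt's own code: it walks a parsed config, applies the two key patterns from the post, and returns exit status 1 when a matching key holds a plaintext value. The `ENC[...]` marker, the function names, the rule that a sensitive key also covers values nested under it, and the sample config are assumptions; the post does not show confcrypt's ciphertext format.

```python
import re
import sys

# Key-name patterns quoted in the post (configurable in confcrypt).
SENSITIVE_KEYS = [re.compile(r"password$"), re.compile(r"api_key$")]
# ASSUMPTION: hypothetical ciphertext wrapper; the real format is not shown.
ENCRYPTED = re.compile(r"^ENC\[[A-Za-z0-9+/=]+\]$")

# Constructed sample config, not taken from the post.
SAMPLE_CONFIG = {
    "database": {"host": "db.internal.example", "username": "app",
                 "password": "ENC[c2FtcGxl]"},
    "payments": {"api_key": "sk_plaintext_example",
                 "url": "https://pay.example/v1"},
    "replicas": [{"host": "r1.example", "password": "hunter2"}],
}


def is_encrypted(value):
    return isinstance(value, str) and ENCRYPTED.match(value) is not None


def find_plaintext_secrets(node, path="", sensitive=False):
    """Return paths of values under a sensitive key that are not encrypted."""
    if isinstance(node, dict):
        hits = []
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            # ASSUMPTION: a sensitive key marks everything nested below it.
            flag = sensitive or any(p.search(str(key)) for p in SENSITIVE_KEYS)
            hits += find_plaintext_secrets(value, child, flag)
        return hits
    if isinstance(node, list):
        return [hit for i, item in enumerate(node)
                for hit in find_plaintext_secrets(item, f"{path}[{i}]", sensitive)]
    # Empty values carry no secret, so they are not reported.
    if sensitive and node not in (None, "") and not is_encrypted(node):
        return [path]
    return []


def check_exit_code(config):
    """Exit status for a CI step: 1 if any plaintext secret remains, else 0."""
    findings = find_plaintext_secrets(config)
    for path in findings:
        print(f"unencrypted secret: {path}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(check_exit_code(SAMPLE_CONFIG))
```

Only the key path is reported, never the value, so the CI log does not become a second copy of the secret.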