Open Source & Transparent

Security Architecture

Don't trust us, verify the code. Complete transparency into how Tether protects your dotfiles.

Security Philosophy

Your dotfiles contain sensitive information about your development environment. Tether is built on the principle that you own your data and should have complete control over it. We achieve this through:

  • End-to-end encryption - Files encrypted locally before syncing
  • Open source code - Every line of code is auditable
  • Your infrastructure - Uses your Git repo, keys protected by passphrase
  • Zero trust - Tether never sees your data or keys

Encryption Implementation

AES-256-GCM

Tether uses AES-256-GCM (Galois/Counter Mode), an industry-standard authenticated encryption algorithm that provides both confidentiality and integrity.

  • Algorithm: AES-256-GCM (Advanced Encryption Standard)
  • Key Size: 256 bits (32 bytes)
  • Nonce Size: 96 bits (12 bytes), randomly generated per operation
  • Authentication: Built-in tamper detection via authentication tag
Source code will be available when repository is open sourced

Encryption Flow

  1. Dotfile changes detected (e.g., ~/.zshrc)
  2. Generate random 96-bit nonce for this operation
  3. Read file contents as plaintext
  4. Encrypt using AES-256-GCM with cached key + nonce
  5. Prepend nonce to ciphertext (needed for decryption)
  6. Save as .zshrc.enc in Git repo
  7. Commit and push to remote Git repository
rust 
// Simplified encryption pseudocode
$ fn encrypt_file(path: &Path, key: &[u8; 32]) -> Result<()> {
    // Generate fresh random nonce
$     let nonce = random_nonce(); // 96 bits

    // Read plaintext
$     let plaintext = read_file(path)?;

    // Encrypt with AES-256-GCM
$     let ciphertext = aes_gcm_encrypt(&plaintext, key, &nonce)?;

    // Prepend nonce (needed for decryption)
$     let encrypted_data = [nonce, ciphertext].concat();

    // Write to .enc file in Git repo
$     write_encrypted(path, &encrypted_data)?;

$     Ok(())
}
$
Source code will be available when repository is open sourced

Key Management

Passphrase-Based Key Encryption

Encryption keys are protected using age encryption with your passphrase. The encrypted key syncs via Git, allowing cross-platform access from any machine.

First Machine (Key Generation)

  1. Run tether init
  2. Generate cryptographically random 256-bit key
  3. Prompt for passphrase (min 8 characters)
  4. Encrypt key with passphrase using age
  5. Store encrypted key in sync repo as encryption.key.age
  6. Cache decrypted key locally for session

Additional Machines (Key Retrieval)

  1. Clone sync repo (contains encryption.key.age)
  2. Run tether unlock
  3. Enter passphrase to decrypt key
  4. Key cached locally for future operations
  5. Decrypt dotfiles from Git using key
rust 
// Passphrase-based key management
$ fn unlock_with_passphrase(passphrase: &str) -> Result<Vec<u8>> {
    // Read encrypted key from sync repo
$     let encrypted = fs::read("encryption.key.age")?;

    // Decrypt using age with passphrase
$     let decryptor = age::Decryptor::new(&encrypted)?;
$     let key = decryptor.decrypt(passphrase)?;

    // Cache locally for session
$     cache_key(&key)?;

$     Ok(key)
}
$
Source code will be available when repository is open sourced

Cross-Platform Compatible

The passphrase-based approach works on any platform — macOS, Linux, or Windows. Your encrypted key travels with your sync repo, protected by your passphrase.

Secret Detection

Preventing Credential Leaks

Before syncing dotfiles, Tether scans for accidentally committed secrets using pattern matching. If detected, it warns you and shows redacted versions of the secrets found.

Detected Secret Types

  • • AWS Access Keys (AKIA...)
  • • GitHub Personal Access Tokens (ghp_..., gho_...)
  • • Generic API keys (patterns like API_KEY=...)
  • • SSH/RSA private keys (-----BEGIN ... PRIVATE KEY-----)
  • • Passwords in configs (password=...)
  • • Database URLs with credentials
  • • Bearer tokens
  • • High-entropy strings (potential secrets)
⚠ Warning: Potential secrets detected in .zshrc
Line 42: AWS_ACCESS_KEY_ID="AKIA****************ABCD"
Line 43: AWS_SECRET_ACCESS_KEY="************************************"
Line 67: GITHUB_TOKEN="ghp_****************************"
Continue syncing? (y/N)
Source code will be available when repository is open sourced

Privacy Model

You Own

  • • Your Git repository (GitHub/GitLab/self-hosted)
  • • Your passphrase (never stored)
  • • Your encryption keys
  • • Your dotfiles (plaintext local, encrypted remote)

What's Private

  • • Dotfile contents (encrypted in Git)
  • • Encryption keys (passphrase-protected)
  • • No telemetry or tracking
  • • No external services used

Zero Knowledge Architecture

Tether operates on a zero-knowledge principle. The application itself never transmits your data to any servers we control. Everything stays between your devices and your Git repository. We literally cannot access your data even if we wanted to.

Threat Model

✓ What Tether Protects Against

  • • Unauthorized access to your Git repository (encrypted data)
  • • Man-in-the-middle attacks during Git sync
  • • Accidental credential exposure (secret detection)
  • • Data tampering (authenticated encryption)

⚠ What Tether Doesn't Protect Against

  • • Compromised local machine (dotfiles are plaintext locally)
  • • Weak passphrase (brute-force attack on encrypted key)
  • • Malicious Git server (could serve wrong encrypted data)
  • • Physical access to unlocked Mac

Security Best Practices

1. Use a Private Git Repository

Always use a private repository. Even though dotfiles are encrypted, there's no reason to make the encrypted data publicly accessible.

2. Enable 2FA on GitHub/GitLab

Protect your Git repository with two-factor authentication to prevent unauthorized access.

3. Use a Strong Passphrase

Choose a strong, unique passphrase for your encryption key. This protects your dotfiles even if your Git repository is compromised.

4. Review Secret Warnings

When Tether detects potential secrets, review them carefully. Consider using environment variables or a dedicated secrets manager for sensitive credentials.

5. Enable FileVault

Enable full-disk encryption on your Mac. This protects your local plaintext dotfiles if your device is stolen.

Verify the Code

Don't Trust, Verify

Tether is fully open source. You can (and should!) review the security-critical code yourself:

encryption.rs
AES-256-GCM implementation
keychain.rs
iCloud Keychain integration
secret_detection.rs
Secret scanning patterns
Cargo.toml
Dependencies and versions

Repository will be open sourced soon

Security Vulnerability Reporting

If you discover a security vulnerability in Tether CLI, please report it responsibly:

  1. DO NOT open a public GitHub issue
  2. Email security concerns to: security@tether-cli.com
  3. Provide details: affected versions, reproduction steps, potential impact
  4. Allow reasonable time for a fix before public disclosure

We take security seriously and will respond to legitimate reports within 48 hours.

Security through transparency

Every line of Tether's security code is open for review. Because your dotfiles deserve the best protection.

Review the Code (Coming Soon) Read Documentation