# Credentials Encryption

### **encrypt**

Use the `util encrypt` command **to encrypt credentials** (account username / password or API token) in the configuration file `conf/xygeni.yml`.

When given a Xygeni configuration file, the command encrypts the existing values of fields that hold sensitive data (`username` and `password` for both the API and the proxy, and `apikey`) and stores them in a `{masked:}` block.

{% hint style="info" %}
This encryption is sufficient against casual viewers 'looking over your shoulder', but it is not tamper-proof against a determined bad actor. If you know that the configuration file was leaked, please renew the credentials.
{% endhint %}

The command's help output is:

```console
Usage: xygeni util encrypt [-hV] [-o=OUTFILE] [@<filename>...] [YAML-file]

Encrypt secrets in the configuration file.

      [@<filename>...]   One or more argument files containing options.
      [YAML-file]        Path to xygeni.yml with secrets to encrypt.
                         If not given, the scanner's one will be used.
                         Use '-' or 'stdin' for reading from standard input.
  -o, --output=OUTFILE   Optional output file.
                          Defaults to the input YAML-file (or standard output).
                          Use '-' or 'stdout' for standard output.
```

Examples:

* Encrypt sensitive data in the default `xygeni.yml` configuration file:

  ```console
  xygeni util encrypt
  ```

* Encrypt a given configuration file and save under a different name:

  ```console
  xygeni util encrypt --output=xygeni_prod.yml xygeni_base.yml
  ```

* Encrypt some secret stored in a file:

  ```console
  # - at the end tells the command to read input from the standard input.
  cat my_secret.txt | xygeni util encrypt -

  {masked:TbI2wRZ1R6BCYrxQyKWkJJiLBWr0/+zqAZ8UXzQ4UTk=}
  ```
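
To confirm that no literal credentials remain in a configuration file after `xygeni util encrypt` has run (for example, before committing it), a check like the following can be used. This is an added example, not Xygeni code; it assumes each `username`, `password` and `apikey` key sits on its own line and that `${VAR}` placeholders may appear and do not count as plaintext. The sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not Xygeni code. Lists credential fields in a xygeni.yml-style
# file that still hold a literal value instead of a {masked:...} block.
# Assumptions: each key sits on its own line as "username:", "password:" or
# "apikey:"; empty values and ${VAR} placeholders are not counted as plaintext.

# Prints "line:key" per unmasked field (never the value, so output is safe in
# CI logs). Exit status is 1 if any were found, 0 otherwise.
find_unmasked() {
  awk '
    /^[ \t]*(username|password|apikey)[ \t]*:/ {
      key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*:.*/, "", key)
      val = $0; sub(/^[^:]*:/, "", val)
      sub(/[ \t]+#.*$/, "", val)              # drop a trailing YAML comment
      gsub(/^[ \t]+|[ \t]+$/, "", val)        # trim whitespace
      gsub(/^["\047]|["\047]$/, "", val)      # drop surrounding quotes
      if (val == "") next                     # field not set
      if (val ~ /^\{masked:[^}]+\}$/) next    # already encrypted
      if (val ~ /^\$\{[^}]+\}$/) next         # environment placeholder (assumption)
      printf "%s:%s\n", NR, key
      found = 1
    }
    END { exit (found ? 1 : 0) }
  ' "${1:--}"
}

# Constructed sample input; the nesting and values are illustrative only.
sample_config() {
  cat <<'EOF'
api:
  username: {masked:Q09OU1RSVUNURUQtU0FNUExFLTE=}
  password: "hunter2-constructed"   # still plaintext
  apikey: ${EXAMPLE_TOKEN}
proxy:
  username:
  password: constructed-proxy-secret
EOF
}

# Demo run on the sample: reports lines 3 and 7, then prints the reminder.
sample_config | find_unmasked ||
  echo "plaintext credentials remain; run: xygeni util encrypt" >&2
```

Pass a file path as the first argument (`find_unmasked conf/xygeni.yml`) to check a real file; the non-zero exit status can fail a pre-commit hook or CI step.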
