# Credentials Encryption

### **encrypt**

Use the `util encrypt` command **to encrypt credentials** (account username / password or API token) in the configuration file `conf/xygeni.yml`.

When given a Xygeni configuration file, existing values for fields with sensitive data (`username` and `password` for both the API or proxy, `apikey`) are encrypted and stored in a `{masked:}` block.

{% hint style="info" %}
This encryption is sufficient for casual viewers 'looking above your shoulder' and is not tamper-proof against a willing bad actor. If you know that the configuration file was leaked, please renew the credentials.
{% endhint %}

The command documentation gives:

```console
Usage: xygeni util encrypt [-hV] [-o=OUTFILE] [@<filename>...] [YAML-file]

Encrypt secrets in the configuration file.

      [@<filename>...]   One or more argument files containing options.
      [YAML-file]        Path to xygeni.yml with secrets to encrypt.
                         If not given, the scanner's one will be used.
                         Use '-' or 'stdin' for reading from standard input.
  -o, --output=OUTFILE   Optional output file.
                          Defaults to the input YAML-file (or standard output).
                          Use '-' or 'stdout' for standard output.
```

Examples:

* Encrypt sensitive data in the default `xygeni.yml` configuration file:

  ```console
  xygeni util encrypt
  ```
* Encrypt a given configuration file and save under a different name:

  ```console
  xygeni util encrypt --output=xygeni_prod.yml xygeni_base.yml
  ```
* Encrypt some secret stored in a file:

  ```console
  # - at the end tells the command to read input from the standard input.
  cat my_secret.txt | xygeni util encrypt -

  {masked:TbI2wRZ1R6BCYrxQyKWkJJiLBWr0/+zqAZ8UXzQ4UTk=}
  ```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.xygeni.io/xygeni-scanner-cli/xygeni-cli-overview/cli-utils/credentials-encryption.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.