← Back to home

Secret Versioning

Every secret update creates a new version. View history, compare changes, and rollback — per secret, not per file.

How It Works

Every time you update a secret with mp set, the previous encrypted value is saved to a version history table. MeowPass keeps the last 10 versions per secret.

Version increment
$ mp set DB_PASSWORD new_password_123 --vault <id> Secret 'DB_PASSWORD' set (version 4)

View History

Terminal
$ mp history DB_PASSWORD --vault <id> History for DB_PASSWORD: VERSION DATE v4 2026-05-05 14:22 (current) v3 2026-04-28 09:11 v2 2026-04-15 16:45 v1 2026-04-01 10:30

Rollback

Restore any previous version. Rollback creates a new version (it doesn't destructively rewind):

Terminal
$ mp rollback DB_PASSWORD --vault <id> --version 2 Rolled back 'DB_PASSWORD' from v4 to v2 (now at v5)

After rollback, the secret is at v5 with the same value as v2. The full history is preserved.

Drift Detection

Compare your local .env with the vault to catch drift before it causes issues:

Terminal
$ mp diff --vault <id> + NEW_API_KEY (local only) - OLD_TOKEN (vault only) ~ DATABASE_URL (value differs) = STRIPE_KEY (unchanged) Comparing .env ↔ vault: 1 added, 1 removed, 1 changed

Use --exit-on-drift in CI to fail builds when drift is detected.

Key Rotation

Rotate the vault encryption key and re-encrypt all secrets in one command. Client-side only — zero-knowledge maintained.

Terminal
$ mp rotate --vault <id> Generated new vault key Re-encrypted 12 secrets Rotated vault key. All secrets re-encrypted.

Rotation pulls all secrets, decrypts with the old key, generates a new vault key, re-encrypts everything, and pushes. The server never sees plaintext.

Secret TTL

Set temporary secrets that auto-expire:

Terminal
$ mp set DEPLOY_TOKEN xyz123 --vault <id> --ttl 24h Secret 'DEPLOY_TOKEN' set (version 1) [expires in 24h]

Expired secrets are automatically deleted when accessed. Supports any Go duration format: 30m, 24h, 168h (7 days).