Only the secret values are encrypted; the rest of the file stays readable, which makes reviewing configs and debugging much easier than with tools that encrypt the whole file.
Think sops, but simpler.
Multiple key types as recipients:
- Native age keys (X25519)
- SSH keys (ed25519, RSA) – use your existing keys
- FIDO2 devices (YubiKey 5, SoloKey, etc.) via hmac-secret
- YubiKey OTP via HMAC challenge-response
Hardware keys derive their key material on demand with a touch (the device's HMAC over a stored challenge), so no private key is ever written to disk.
How it works:
- Pattern-based: only keys whose names match /password$/, /api_key$/, etc. (configurable) are encrypted
- Values are encrypted with AES-256-GCM under a single data key, which is wrapped once per recipient
- `confcrypt check` for CI – exits 1 if unencrypted secrets found