
Read the security model

Understand how Ghostable separates human devices from automation identities.

Why Devices Exist

Ghostable links a human-operated workstation as a device so encryption keys can stay local to that machine. A linked device can then decrypt environments it has been authorized to access. Typical device examples:
  • A developer laptop.
  • A secure workstation.
  • A bastion host operated by a human.
Linking a device registers the machine with Ghostable and stores private key material locally in the operating system’s secure storage. The service only receives the public identity it needs to share environment keys with that device. If a device is new, it may still need a key re-share before it can read existing secrets.
Devices are for people, not CI runners. Use deploy tokens for automation.

Device Lifecycle

  • Link a new workstation when you set it up.
  • Use the linked device for desktop or CLI secret workflows.
  • Re-share keys when a new device needs access.
  • Unlink or revoke devices that are retired or compromised.
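
The linking behaviour under "Why Devices Exist" and the link, re-share and revoke steps in the lifecycle list, sketched as an added example; this is not Ghostable's code or protocol. It assumes a generic envelope scheme (RSA-OAEP wrapping a per-environment AES-256-GCM key to each device's public key), and every function name and the in-memory `service` object are hypothetical.

```javascript
// Added illustration of generic envelope encryption; not Ghostable's actual protocol.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
// Link: the key pair is generated on the device; only the public key is registered.
function linkDevice(service, name) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  service.devices[name] = publicKey; // the service never receives privateKey
  return { name, privateKey };
}
// Share: wrap the environment key to a registered device's public key.
function shareKey(service, envKey, name) {
  service.wrapped[name] = nodeCrypto.publicEncrypt({ key: service.devices[name], ...OAEP }, envKey);
}
// Device side: unwrap this device's copy of the environment key, or null if it has none.
function unwrapKey(service, device) {
  const wrapped = service.wrapped[device.name];
  return wrapped ? nodeCrypto.privateDecrypt({ key: device.privateKey, ...OAEP }, wrapped) : null;
}
// Revoke: the service forgets the device's public key and its wrapped key copy.
function revokeDevice(service, name) { delete service.devices[name]; delete service.wrapped[name]; }
function encryptSecret(envKey, text) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', envKey, iv);
  const ct = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}
// Returns the plaintext, or null when the device holds no share of the environment key.
function readSecret(service, device, blob) {
  const envKey = unwrapKey(service, device);
  if (!envKey) return null;
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', envKey, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString('utf8');
}
// Scenario with constructed sample data: link, read attempt, re-share, revoke.
function demo() {
  const service = { devices: {}, wrapped: {} }; // service-side state: public keys and wrapped keys only
  const laptop = linkDevice(service, 'laptop');
  const envKey = nodeCrypto.randomBytes(32);
  shareKey(service, envKey, 'laptop');
  const blob = encryptSecret(envKey, 'API_TOKEN=constructed-sample');
  const fresh = linkDevice(service, 'workstation');
  const beforeShare = readSecret(service, fresh, blob); // linked, but no share yet
  shareKey(service, unwrapKey(service, laptop), 'workstation'); // re-share from the laptop
  const afterShare = readSecret(service, fresh, blob);
  revokeDevice(service, 'workstation');
  return { beforeShare, afterShare, afterRevoke: readSecret(service, fresh, blob) };
}
console.log(demo());
```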
