> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ghostable.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Model

> How Ghostable keeps secrets zero-knowledge across Desktop, CLI, and automation.

<Card title="Start with the platform overview" icon="circle-info" href="/fundamentals/v2/overview/what-is-ghostable">
  Read the shared Ghostable overview before diving into client-specific workflows.
</Card>

## Zero-Knowledge by Default

Ghostable stores encrypted secret material and metadata, not plaintext values. Encryption and
decryption happen on trusted clients:

* The Desktop app uses your linked Mac as a trusted device.
* The CLI uses the linked workstation or runner you authorize.
* Automation flows rely on deploy tokens instead of human device sessions.

Ghostable never needs your private keys to store, version, audit, or deliver encrypted data.

## What Ghostable Can See

* Organization, project, and environment metadata.
* Audit and activity records for actions such as create, pull, push, rotate, and revoke.
* Encrypted payload metadata such as algorithm identifiers, ciphertext sizes, and keyed integrity
  markers.
* Which actor or automation identity performed an operation.

## What Ghostable Cannot See

* Plaintext environment variable values.
* Device private keys.
* Deployment token private seeds.
* Data that would let Ghostable decrypt environments on its own.

## Trusted Identities

Ghostable uses two trusted identity types:

* **Devices** for human-operated workstations.
* **Deploy tokens** for CI, scripts, and ephemeral runners.

The identity type determines how an environment key is shared, where private material is stored, and
which workflows are appropriate.

<Note>
  Use devices for people and deploy tokens for automation. Do not run CI with a personal desktop
  session.
</Note>

## Auditability Without Plaintext Access

Activity, history, and policy enforcement still work because Ghostable tracks encrypted metadata and
action records around every change. Teams can review who changed a variable, when an identity was
rotated, and when access was revoked without exposing the secret itself.

## Continue with Your Client

<CardGroup>
  <Card title="Link a Mac device" icon="laptop" href="/desktop/v1/getting-started/link-your-device">
    Use the desktop app to register a trusted workstation and unlock decryption.
  </Card>

  <Card title="Manage CLI devices" icon="terminal" href="/cli/v2/workflows/devices">
    Use the CLI when you need terminal-based device linking or recovery steps.
  </Card>
</CardGroup>