---
title: Safe Storage Modes
description: Compare local vaults, inline encrypted text, Persist-backed Safes, and 1Password pass-through.
section: Safe
order: 3
updatedAt: 2026-06-09
slug: safe/storage-modes
---
# Safe Storage Modes

Each Safe chooses one source of truth. The reference path stays stable even when the backing provider changes.

| Mode | Source of truth | Best fit |
| --- | --- | --- |
| Local vault | Encrypted local Safe database | First-run development, locked workstations, local CI workers |
| Inline encrypted text | Ciphertext in the referencing file | Portable fixtures and small local-only handoffs |
| Persist adapter | Cuitty Persist `secret` storage class with E2EE | Local or remote sync experiments that accept alpha guardrails |
| 1Password | 1Password vault/item/field | Team production credentials and headless CI service accounts |

## Local vault

Local vaults are the default for first-run development.

```text
~/.cuitty/safe/vaults/<account>/<safe>/safe.db
~/.cuitty/safe/vaults/<account>/<safe>/safe.audit.jsonl
```

Key material should live in the OS credential store when available: macOS Keychain, Windows Credential Manager, or Linux Secret Service. Headless passphrase-derived keys require explicit opt-in.

## Inline encrypted text

Inline mode stores authenticated ciphertext next to the config that needs it:

```dotenv
STRIPE_SECRET=csafe:v1:aes-256-gcm:kid_localdev:base64url-nonce:base64url-ciphertext
```

Inline values must use authenticated encryption, include versioned envelope metadata, and keep decryption keys outside the file.

## Persist adapter

Persist mode stores Safe records as E2EE payloads in Cuitty Persist.

```ts
import { createSafePersistAdapter } from "@cuitty/safe/server";

const adapter = createSafePersistAdapter({
  profile: "local-first-laptop",
  account: "acme",
  safe: "dev",
  namespace: "safe/acme/dev",
  storageClass: "secret",
  syncMode: "manual",
  alpha: true,
  acknowledgeE2eeRisk: true,
});
```

The Persist adapter is alpha until Persist's E2EE profile runtime reaches GA security review, recovery testing, and multi-device revocation testing. For high-value production CI/CD credentials, prefer 1Password service accounts or a locked local vault until that review is complete.

## 1Password pass-through

1Password mode keeps 1Password as the source of truth. Cuitty Safe stores metadata that maps a Cuitty ref to a 1Password object.

```text
acme/dev/database-url -> op://Development/Database/url
```

Users do not need to commit `op://...` references unless they choose the advanced escape hatch.