Skip to main content

Exporting Secrets

CloudKeep gives you full ownership of your data. Export your secrets at any time in multiple formats for backups, migration, or integration with other tools.

Export Formats

JSON

The default export format. Produces a JSON file containing an array of secret objects with full metadata (key, value, type, notes, timestamps):

{
  "vault": "Production",
  "exportedAt": "2025-06-11T10:00:00Z",
  "secrets": [
    {
      "key": "DATABASE_URL",
      "value": "postgres://user:pass@host:5432/db",
      "type": "credential",
      "notes": "Primary database",
      "createdAt": "2025-03-01T12:00:00Z",
      "updatedAt": "2025-06-10T14:22:00Z"
    }
  ]
}

JSON exports are best for full backups or importing into another CloudKeep account because they preserve all metadata.

CSV

A tabular format compatible with spreadsheets and other tools. Columns include key, value, type, and notes:

key,value,type,notes
DATABASE_URL,postgres://user:pass@host:5432/db,credential,Primary database
STRIPE_KEY,sk_live_abc123,api_key,Production Stripe key

.env

Exports secrets in standard .env format, ready to drop into your project:

# Exported from CloudKeep — Production vault
# 2025-06-11T10:00:00Z

DATABASE_URL="postgres://user:pass@host:5432/db"
STRIPE_KEY="sk_live_abc123"
REDIS_URL="redis://localhost:6379"

Values containing special characters are automatically quoted. Comments at the top identify the vault and export timestamp.

Encrypted Backups

For maximum security, export an encrypted backup. The exported file is encrypted with your master password using AES-256-GCM before it is downloaded. The server never sees the unencrypted export.

  1. Navigate to Settings → Export or open a vault and click Export.
  2. Toggle Encrypt backup on.
  3. Enter your master password when prompted.
  4. The browser encrypts the data locally, then downloads the .ckbackup file.

To restore from an encrypted backup, use the Import page and select “CloudKeep Encrypted Backup” as the source. You will be prompted for the master password that was used to create the backup.

Exporting Specific Vaults

You can export individual vaults or your entire account:

  • Single vault — open the vault, click the overflow menu (...), and select Export. Only secrets in that vault are included.
  • All vaults — go to Settings → Export and click Export All Vaults. Each vault is exported as a separate section in the output file.

Where to Find the Export Option

There are two places to trigger an export:

  1. From a vault page — open any vault and use the overflow menu or toolbar button labelled Export.
  2. From Settings — navigate to Settings → Export for account-wide export options including encrypted backups and bulk vault export.

Data Portability

CloudKeep is committed to data portability. You can export 100% of your data at any time without restrictions, regardless of your subscription plan. Exported files are standard formats that can be imported into any compatible tool or service.

If you decide to leave CloudKeep, export your data first using the JSON format to preserve all metadata, then import it into your new provider. We do not hold your data hostage.

Security Considerations

  • Exported files contain decrypted secret values. Store them securely and delete them when no longer needed.
  • Use encrypted backups for any export that will be stored long-term or transmitted over a network.
  • Never commit exported files to version control. Add *.ckbackup, .env, and *-export.json to your .gitignore.

Next Steps

  • Import — restore from a backup or bring secrets from another provider.
  • Account Recovery — understand how recovery keys protect your access.