Sync and privacy

Encrypted sync without server-side secrets.

Aliaz sync stores encrypted alias records on the server. The open-source CLI encrypts alias names and commands on your machine before upload, and the recovery phrase stays local.

Setup

Register once, then sync when you want.

Sync is optional. Local aliases work without an account. When you register, Aliaz creates a recovery phrase locally and stores it in the operating system credential store.

first machine
$ aliaz register --username ada
Password: 
Registered ada
Recovery phrase: ...

$ aliaz sync
Synced: pulled 0, pushed 3, latest version 3

Save the recovery phrase somewhere durable. Aliaz cannot recover encrypted aliases without it.

New computer

Use password plus recovery phrase.

The password authenticates your account with the sync server. The recovery phrase decrypts aliases locally after encrypted records are downloaded.

new machine
$ aliaz login --username ada
Password: 
Recovery phrase: 

$ aliaz sync
$ aliaz init zsh

Logout

Remove sync state from the current machine.

aliaz logout removes the local sync configuration and recovery phrase for this device. It does not delete aliases from the local database or remove the sync account on the server.

local logout
$ aliaz logout
Logged out ada

Security model

The server should not be able to read aliases.

Protected

Alias names and commands are encrypted before upload. A database-only compromise should expose encrypted blobs, not readable aliases.

Local secret

The recovery phrase is never sent to the sync server. It is used on the client to derive the key that decrypts aliases.

Practical rule: if someone only gets the sync database, they should not be able to read your aliases. If they get your recovery phrase or control your computer, they can.

Server visibility

Metadata is visible; alias contents are not.

The sync service needs operational metadata to authenticate accounts and order records. It can see usernames, user IDs, password hashes, session token hashes, record IDs, record type, versions, timestamps, rate-limit counters, and encrypted blobs.

This can reveal that an account exists, how many records it has, and roughly when records changed. It should not reveal plaintext alias names or commands.
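
The split described under Security model and Server visibility, as an added Node.js sketch that is not Aliaz's own code: a key derived locally from the recovery phrase encrypts the alias, and the stored record carries only readable metadata plus the blob. The KDF (scrypt), cipher (AES-256-GCM), salt, field names and the binding of metadata as associated data are assumptions that go beyond what the page specifies about Aliaz's format.

```javascript
// Added sketch, NOT Aliaz's actual format: scrypt, AES-256-GCM, the salt,
// the field names and the AAD binding are assumptions for illustration.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Derive a 256-bit key from the recovery phrase. Runs only on the client.
function deriveKey(recoveryPhrase, salt) {
  return scryptSync(recoveryPhrase.normalize('NFKD'), salt, 32);
}

// Server-visible metadata is bound as associated data, so a blob moved to
// another record id or version fails authentication on the client.
function aad(meta) {
  return Buffer.from(`${meta.id}|${meta.type}|${meta.version}`, 'utf8');
}

// Build the record as the server would store it: readable metadata + blob.
function sealRecord(key, meta, alias) {
  const iv = randomBytes(12); // fresh nonce for every encryption
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad(meta));
  const ct = Buffer.concat([cipher.update(JSON.stringify(alias), 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
  return { ...meta, blob };
}

// Decrypt on the client; throws if the key, blob or metadata is wrong.
function openRecord(key, record) {
  const raw = Buffer.from(record.blob, 'base64');
  const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(aad(record));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// True when opening fails: wrong phrase, altered blob or altered metadata.
function rejects(key, record) {
  try { openRecord(key, record); return false; } catch { return true; }
}

// Constructed sample data.
const salt = Buffer.from('constructed-per-account-salt');
const key = deriveKey('constructed sample recovery phrase', salt);
const stored = sealRecord(key, { id: 'rec_1', type: 'alias', version: 3 },
  { name: 'gs', command: 'git status' });
console.log(stored);                  // what a database-only compromise exposes
console.log(openRecord(key, stored)); // what the client holding the phrase recovers
```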

Custom server

Point sync at another compatible server.

A custom server changes who operates the metadata and encrypted blob storage. It does not change the client-side encryption model.

The GitHub repository includes the Cloudflare Worker source and D1 migrations for the hosted sync API.

custom sync url
$ aliaz register --username ada --sync-url https://sync.example.com
$ aliaz login --username ada --sync-url https://sync.example.com

Community support helps keep the open-source sync service, releases, and documentation maintained.