sq config export
sq config export dumps the active config to YAML for backups. The export
covers the source collection, config options, and active source/group
state: the same content sq reads from its config file.
By default, the export is a faithful copy of the live config:
${scheme:path} placeholders are written verbatim and inline values are
dumped as they appear in the file.
# Export to stdout (placeholders preserved)
$ sq config export
# Export to a file. The output file is created with mode 0600.
$ sq config export -o sq.bak.yml
--expand
--expand resolves every ${scheme:path} placeholder (keyring, env, file) and
splices the fetched value into the exported location. The result is a fully
self-contained snapshot suitable for moving between machines, at the cost of
writing every referenced secret in plaintext (which is the intent of --expand
anyway).
Because the exported file is itself a config, its locations are templates: any
$ in a resolved value is written as $$, so that the export connects
byte-identically when used as sq.yml. To see resolved values in raw literal
form, use the display commands, e.g. sq ls -v --expand.
$ sq config export --expand -o sq.bak.yml
If a referenced keyring entry, environment variable, or file is missing, the export errors with the failing source’s handle.
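A check to run on an exported file before it is stored or moved, as an added example (not part of sq or its documentation): it confirms the file is still mode 0600 and counts the placeholders left unresolved, treating $$ as an escaped literal $. The function names and the sample YAML are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a file written by `sq config export -o`.
# Assumption: "$$" always means a literal "$", so "$${env:X}" is plain text,
# not a placeholder. Schemes checked are the three the page names.

file_mode() {
    # GNU stat first, then the BSD/macOS form.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

count_placeholders() {
    # Drop "$$" escapes, then count remaining ${keyring:..}/${env:..}/${file:..}.
    sed 's/\$\$//g' "$1" |
        { grep -oE '\$\{(keyring|env|file):[^}]+\}' || true; } |
        wc -l | tr -d ' '
}

# audit_export FILE [self-contained]
# Returns 0 if FILE is mode 600 and, when "self-contained" is requested,
# holds no unresolved placeholders. Prints a one-line summary.
audit_export() {
    mode=$(file_mode "$1") || { echo "FAIL cannot stat $1"; return 2; }
    n=$(count_placeholders "$1")
    status=OK
    [ "$mode" = "600" ] || status=FAIL
    if [ "${2:-}" = "self-contained" ] && [ "$n" -ne 0 ]; then
        status=FAIL
    fi
    echo "$status mode=$mode placeholders=$n"
    [ "$status" = OK ]
}

# Constructed sample, not real sq output; field layout is illustrative.
sample=$(mktemp)
cat > "$sample" <<'EOF'
collection:
  sources:
    - handle: "@pg_prod"
      location: "postgres://app:${keyring:pg_prod}@db.example.internal/sales"
    - handle: "@pg_dev"
      location: "postgres://app:pa$$w0rd$${env:X}@localhost/dev"
EOF
chmod 600 "$sample"
audit_export "$sample"    # OK mode=600 placeholders=1
```

Pass self-contained as the second argument to require that no placeholder remains, which is the property an --expand export is meant to have.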
For the broader picture (how --expand differs from --reveal, the placeholder
grammar, the threat model), see Secrets.
See the config section for an overview of sq configuration.
Reference
Export the active sq config as YAML, including the source collection,
config options, and active source/group state. Intended for backups.
By default, output is a faithful copy of the live config: ${scheme:path}
placeholders (keyring, env, file) are written verbatim. Inline values
already present in source Locations (such as plaintext credentials in a
conn string) are dumped as-is — exactly as they appear in your config file.
With --expand, every ${scheme:path} placeholder is fetched from its
resolver (keyring, env var, or file) and the resolved value is spliced
into the exported Location. This produces a fully self-contained
snapshot suitable for transferring between machines, at the cost of
writing every referenced secret in plaintext. Resolution may fail
per-source if a keyring entry, env var, or file is missing.
When --output is used, the output file is created with mode 0600 (the
same permission sq uses for the live config file), since the export
may contain credentials regardless of whether --expand was set.
Usage:
sq config export
Examples:
# Export to stdout (placeholders preserved)
$ sq config export
# Export to a file (backup)
$ sq config export -o sq.bak.yml
# Self-contained export with placeholders expanded in-line
$ sq config export --expand -o sq.bak.yml
Flags:
-o, --output string Write output to <file> instead of stdout
--help help for export
Global Flags:
--config string Load config from here
--debug.pprof string pprof profiling mode (default "off")
--error.format string Error output format (default "text")
-E, --error.stack Print error stack trace to stderr
--expand Resolve ${scheme:path} placeholders to their underlying values
--log Enable logging
--log.file string Log file path (default "$HOME/Library/Logs/sq/sq.log")
--log.format string Log output format (text or json) (default "text")
--log.level string Log level, one of: DEBUG, INFO, WARN, ERROR (default "DEBUG")
-M, --monochrome Don't print color output
--no-progress Don't show progress bar
--no-redact Don't redact passwords in output (deprecated, use --reveal)
--reveal Show secret values in output (don't redact passwords; print keyring values)
-v, --verbose Print verbose output