Configuration
Zero uses a YAML configuration file located at /etc/zero/config.yaml.
This guide covers all configuration options.
Configuration File
Default configuration location:
- Linux: `/etc/zero/config.yaml`
- Windows: `C:\ProgramData\Zero\config.yaml`
- User override: `~/.config/zero/config.yaml`
Full Configuration Example
```yaml
# Zero Configuration
# /etc/zero/config.yaml

# Agent settings
agent:
  log_level: info              # debug, info, warn, error
  log_file: /var/log/zero/agent.log
  telemetry: true              # Send anonymous usage stats

# Management server connection
server:
  url: https://manage.zero.io
  api_key: wv_api_xxxxxxxxxxxxx
  verify_ssl: true
  timeout: 30s

# Container settings
container:
  runtime: lxc                 # lxc, podman, docker
  storage_path: /var/lib/zero/containers
  default_memory: 2GB
  default_cpu: 1
  unprivileged: true           # Always use unprivileged containers

# Encryption settings
encryption:
  enabled: true
  algorithm: aes-256-xts       # AES-256-XTS for disk encryption
  key_derivation: argon2id     # Memory-hard KDF
  key_file: /etc/zero/keys/master.key

# Network settings
network:
  vpn:
    enabled: true
    provider: wireguard
    server: vpn.zero.io:51820
    dns:
      - 1.1.1.1
      - 8.8.8.8
    kill_switch: true          # Block traffic if VPN disconnects
  firewall:
    enabled: true
    default_policy: deny
    allow_local: false

# GUI settings
gui:
  provider: xpra
  display: :100
  visual_boundary:
    enabled: true
    color: "#3b82f6"           # Blue border for work windows
    width: 3

# DLP (Data Loss Prevention)
dlp:
  clipboard:
    enabled: true
    block_paste_out: true      # Block pasting work data to personal apps
    sensitive_patterns:
      - credit_card
      - ssn
      - api_key
  screenshot:
    prevention: true
    watermark: false
  usb:
    enabled: true
    allow_keyboards: true
    allow_mice: true
    block_storage: true        # Block USB storage devices

# Compliance
compliance:
  audit_log:
    enabled: true
    path: /var/log/zero/audit.log
    retention_days: 90
  gdpr:
    data_export: true
    deletion_request: true
```

Configuration Sections
Agent Settings
| Option | Type | Default | Description |
|---|---|---|---|
| `log_level` | string | info | Logging verbosity |
| `log_file` | string | /var/log/zero/agent.log | Log file path |
| `telemetry` | bool | true | Anonymous usage statistics |
Container Settings
| Option | Type | Default | Description |
|---|---|---|---|
| `runtime` | string | lxc | Container runtime (lxc, podman, docker) |
| `default_memory` | string | 2GB | Memory limit for work profile |
| `unprivileged` | bool | true | Use unprivileged containers (recommended) |
Network Settings
VPN Kill Switch: When enabled, all network traffic is blocked if the VPN
connection drops, preventing data leaks.
DLP Settings
Data Loss Prevention controls what data can leave the work profile:
- Clipboard: Controls copy/paste between work and personal
- Screenshot: Prevents screen capture of work content
- USB: Controls which USB devices can access work data
Environment Variables
Configuration can also be set via environment variables:
```bash
export ZERO_LOG_LEVEL=debug
export ZERO_SERVER_URL=https://manage.example.com
export ZERO_VPN_ENABLED=true
```

CLI Configuration

```bash
# View current configuration
zero config show

# Set a configuration value
zero config set agent.log_level debug

# Reset to defaults
zero config reset
```
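
An added example, not part of Zero's own tooling: a check that compares a parsed configuration against the isolation-relevant values in the full example, reports `ZERO_*` environment variables that also set configuration, and flags secret-bearing files (the config holding `api_key`, the `key_file`) that are accessible beyond their owner. It assumes the YAML has already been parsed into a dict and that `kill_switch` nests under `network.vpn`; the function names and sample values are constructed for illustration.

```python
import os

# Values the page's full example uses for isolation-relevant settings.
# Dotted paths assume kill_switch nests under network.vpn.
EXPECTED = {
    "server.verify_ssl": True,
    "container.unprivileged": True,
    "encryption.enabled": True,
    "network.vpn.kill_switch": True,
    "network.firewall.default_policy": "deny",
    "dlp.clipboard.block_paste_out": True,
    "dlp.usb.block_storage": True,
}

def lookup(cfg, dotted):
    """Walk a dotted path through nested dicts; None if any part is absent."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def audit_settings(cfg):
    """List settings that are absent or differ in value or type from EXPECTED."""
    findings = []
    for path, want in EXPECTED.items():
        got = lookup(cfg, path)
        if got is None:
            findings.append(f"{path}: not set")
        elif type(got) is not type(want) or got != want:
            findings.append(f"{path}: {got!r}, example uses {want!r}")
    return findings

def audit_env(environ):
    """ZERO_* variables also set configuration, so report any that are present."""
    return sorted(k for k in environ if k.startswith("ZERO_"))

def audit_secret_file(path):
    """POSIX only: flag a secret-bearing file accessible beyond its owner."""
    mode = os.stat(path).st_mode & 0o777
    return [f"{path}: mode {mode:04o}"] if mode & 0o077 else []

# Constructed sample: a parsed config with weakened and missing settings.
SAMPLE = {
    "server": {"verify_ssl": False}, "encryption": {"enabled": True},
    "network": {"vpn": {"kill_switch": "true"}, "firewall": {"default_policy": "allow"}},
    "dlp": {"clipboard": {"block_paste_out": True}, "usb": {"block_storage": True}},
}
```

The type comparison catches a quoted `"true"`, which YAML parses as a string rather than a boolean.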