{"id":50474675,"url":"https://github.com/niteshdangi/vault","last_synced_at":"2026-06-01T12:30:35.216Z","repository":{"id":355171475,"uuid":"1206409255","full_name":"niteshdangi/vault","owner":"niteshdangi","description":"Local-first CLI secrets vault. AES-256-GCM envelope encryption, multi-backend auth (passphrase, kernel keyring, TPM 2.0, Keychain, DPAPI).","archived":false,"fork":false,"pushed_at":"2026-05-02T07:06:13.000Z","size":65,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-02T09:15:16.628Z","etag":null,"topics":["aes-256-gcm","cli","dpapi","encryption","keychain","rust","secrets","secrets-manager","security","tpm","vault"],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/niteshdangi.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE-MIT","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-09T22:16:14.000Z","updated_at":"2026-05-02T07:06:17.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/niteshdangi/vault","commit_stats":null,"previous_names":["niteshdangi/vault"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/niteshdangi/vault","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/niteshdangi%2Fvault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/niteshdangi%2Fvault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/niteshdangi%2Fvault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/niteshdangi%2Fvault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/niteshdangi","download_url":"https://codeload.github.com/niteshdangi/vault/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/niteshdangi%2Fvault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33775855,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-01T02:00:06.963Z","response_time":115,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aes-256-gcm","cli","dpapi","encryption","keychain","rust","secrets","secrets-manager","security","tpm","vault"],"created_at":"2026-06-01T12:30:33.643Z","updated_at":"2026-06-01T12:30:35.211Z","avatar_url":"https://github.com/niteshdangi.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vault\n\nLocal-first CLI secrets vault with envelope encryption and flexible authentication.\n\n[![Version](https://img.shields.io/badge/version-0.1.0-blue.svg)](Cargo.toml)\n[![License](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE-MIT)\n[![Platform](https://img.shields.io/badge/platform-linux%20%7C%20macos%20%7C%20windows-lightgrey.svg)]()\n\n## Why vault?\n\n- **Flexible authentication** — passphrase (default), kernel keyring, TPM 2.0, macOS Keychain, or Windows DPAPI\n- **Envelope encryption** — per-secret keys (RDEKs) wrapped by a vault master key (VKEK)\n- **Encrypted at rest** — secret names, values, and keys are all AES-256-GCM encrypted\n- **Memory hardened** — zeroize-on-drop, no core dumps for key material\n\n## Installation\n\n### Quick install (Linux / macOS)\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/niteshdangi/vault/main/install.sh | sh\n```\n\nThe installer auto-detects your OS and architecture, downloads the latest release, verifies the SHA-256 checksum, and installs to `~/.local/bin` (or `/usr/local/bin` with sudo). Set `VAULT_INSTALL_DIR` to override.\n\n### Windows (PowerShell)\n\n```powershell\nirm https://raw.githubusercontent.com/niteshdangi/vault/main/install.ps1 | iex\n```\n\nDownloads the latest release, verifies the SHA-256 checksum, and installs to `%LOCALAPPDATA%\\vault\\`. The install directory is added to your user PATH automatically. Set `VAULT_INSTALL_DIR` to override.\n\n### Build from source\n\n```bash\n# Requires Rust 1.78+ (SQLite is bundled — no system headers needed)\ncargo install --path .\n```\n\n### Manual download\n\nGrab the binary for your platform from [GitHub Releases](https://github.com/niteshdangi/vault/releases) and place it on your `PATH`.\n\n## Quick Start\n\n```bash\n# Initialize a new vault (prompts for passphrase)\nvault init\n\n# Or initialize with Linux kernel keyring (no passphrase)\nvault init --trust-local\n\n# Store and retrieve secrets\nvault set AWS_SECRET_KEY \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"\nvault get AWS_SECRET_KEY\n\n# List all secrets\nvault list\n\n# Use secrets in commands (NAME=secret-name format)\nvault exec -e AWS_SECRET_KEY=aws/secret-key -e AWS_ACCESS_KEY=aws/access-key -- aws s3 ls\n\n# Or inject all secrets as env vars\nvault exec --all -- env\n\n# Export vault (encrypted backup)\nvault export backup.vault\n\n# Import from backup\nvault import backup.vault\n\n# Check vault health\nvault doctor\n```\n\n## Authentication Methods\n\n| Method | Platform | Security Level | Use Case |\n|--------|----------|----------------|----------|\n| Passphrase | All | High | **Default.** Argon2id-derived key wraps VKEK |\n| Trust-local | Linux | Convenience | Machine-bound via kernel keyring. No password. |\n| TPM 2.0 | Linux | High | Hardware-bound. VKEK sealed to TPM chip. |\n| Keychain | macOS | High | macOS Keychain Services |\n| DPAPI | Windows | Medium | Windows user account-bound |\n\nMultiple auth methods can be active simultaneously.\n\n## Architecture\n\n```\n┌─────────────┐\n│  Passphrase │──┐\n│  TPM 2.0    │──┤  Auth Slots\n│  Keychain   │──┤  (each wraps VKEK differently)\n│  DPAPI      │──┤\n│  trust-local│──┘\n│             │\n│    VKEK     │  Vault Key Encryption Key (256-bit)\n│      │      │\n│   ┌──┴──┐   │\n│  RDEK  RDEK │  Per-secret Record DEKs\n│   │     │   │\n│  Secret Secret│  AES-256-GCM encrypted\n└─────────────┘\n```\n\n- **VKEK**: 256-bit master key, never stored in plaintext\n- **RDEK**: Unique 256-bit key per secret, wrapped by VKEK\n- **Blind indexes**: HMAC-SHA256 for secret lookup without exposing names\n- **AAD binding**: All ciphertexts bound to record identity (anti-splicing)\n\n## Commands\n\n| Command | Description |\n|---------|-------------|\n| `vault init` | Initialize a new vault |\n| `vault set \u003cname\u003e [value]` | Store a secret (prompts if value omitted; or `--stdin`) |\n| `vault get \u003cname\u003e` | Retrieve a secret value |\n| `vault list` | List all secret names |\n| `vault delete \u003cname\u003e` | Delete a secret |\n| `vault status` | Vault status and metadata |\n| `vault doctor` | Security diagnostics |\n| `vault lock` | Lock vault — stop agent *(Unix only)* |\n| `vault unlock` | Unlock vault — start agent daemon *(Unix only)* |\n| `vault exec -- \u003ccmd\u003e` | Run command with secrets as env vars ⚠️ |\n| `vault export [file]` | Export encrypted vault backup (stdout if file omitted) |\n| `vault import \u003cfile\u003e` | Import from encrypted backup |\n| `vault auth list` | List auth slots |\n| `vault auth add \u003ctype\u003e` | Add auth method |\n| `vault auth remove \u003cid\u003e` | Remove auth method |\n\n### Global Flags\n\n| Flag | Description |\n|------|-------------|\n| `--db \u003cpath\u003e` | Path to vault database (default: platform data dir) |\n\n### Command-Specific Flags\n\n| Command | Flag | Description |\n|---------|------|-------------|\n| `vault init` | `--trust-local` | Use Linux kernel keyring auth *(Linux only)* |\n| `vault init` | `--tpm` | Use TPM 2.0 auth *(Linux only)* |\n| `vault init` | `--keychain` | Use macOS Keychain auth *(macOS only)* |\n| `vault init` | `--dpapi` | Use Windows DPAPI auth *(Windows only)* |\n| `vault set` | `--stdin` | Read secret value from stdin |\n| `vault unlock` | `--ttl \u003cseconds\u003e` | Agent session TTL (default: 900) |\n| `vault exec` | `-e`, `--env NAME=secret` | Map env var NAME to vault secret |\n| `vault exec` | `--all` | Inject all secrets as env vars |\n| `vault exec` | `--yes` | Skip confirmation prompt for `--all` |\n| `vault export` | `--stdin` | Read export passphrase from stdin |\n| `vault import` | `--force` | Overwrite existing secrets on collision |\n| `vault import` | `--stdin` | Read export passphrase from stdin |\n| `vault auth add` | `--force` | Allow trust-local without an existing passphrase slot |\n\n\u003e **⚠️ `vault exec` warning:** Secrets injected as environment variables are visible to any same-UID process via `/proc/\u003cpid\u003e/environ` on Linux. Prefer `vault get` in subshells where possible. Requires explicit `-e NAME=secret` mappings or `--all` flag.\n\n\u003e **Note on `--all`:** Secret names are transformed to env var names by replacing `/`, `-`, `.` with `_` and uppercasing. Collisions are detected and abort execution.\n\n## Agent Daemon\n\nThe vault agent holds the unlocked VKEK in memory to avoid repeated authentication:\n\n```bash\nvault unlock          # Start agent, authenticate once\nvault set KEY value   # No re-authentication needed\nvault get KEY         # Uses cached VKEK from agent\nvault lock            # Stop agent, zeroize keys\n```\n\n- **Unix only** — agent is not available on Windows (`#[cfg(unix)]`)\n- Unix socket communication (`0600` permissions, parent directory `0700`)\n- Socket path: `$XDG_RUNTIME_DIR/vault/agent-\u003chash\u003e.sock` (or `/tmp/vault-agent-\u003cuid\u003e/` fallback)\n- Idle timeout: 15 minutes (configurable via `vault unlock --ttl` or `vault agent --ttl`)\n- Absolute max lifetime: 4 hours (hardcoded)\n- Memory hardened: `PR_SET_DUMPABLE=0`, zeroize-on-drop\n- Peer UID authentication via `SO_PEERCRED` on **Linux only**; on macOS, relies on socket file permissions\n\n\u003e **Advanced:** `vault agent --ttl \u003cseconds\u003e` runs the agent in the foreground. Normally you don't call this directly — `vault unlock` spawns it automatically.\n\n## Security Model\n\nSee [SECURITY.md](SECURITY.md) for the full threat model and cryptographic details.\n\n**Crypto primitives:**\n- AES-256-GCM (encryption, key wrapping)\n- Argon2id (passphrase key derivation, export key derivation)\n- HMAC-SHA256 (blind indexes)\n- HKDF-SHA256 (subkey derivation)\n\n**What vault protects against:**\n- Unauthorized access to secrets at rest\n- Database theft (without auth factor)\n- Memory scraping (best-effort hardening)\n- Record splicing/substitution (AAD binding)\n\n**What vault does NOT protect against:**\n- Root/kernel-level compromise\n- Same-UID process when agent is unlocked\n- Physical access with unlocked session\n\n## Platform Support\n\n| Feature | Linux | macOS | Windows |\n|---------|-------|-------|---------|\n| Core vault | ✅ | ✅ | ✅ |\n| Passphrase auth | ✅ | ✅ | ✅ |\n| Trust-local (kernel keyring) | ✅ | — | — |\n| TPM 2.0 | ✅ | — | — |\n| Keychain | — | ✅ | — |\n| DPAPI | — | — | ✅ |\n| Agent daemon | ✅ | ✅ | — |\n\n\u003e **Trust-local** is Linux's equivalent of macOS Keychain / Windows DPAPI — OS-level key storage via the kernel keyring, no passphrase required. Works headless (no desktop session needed).\n\n\u003e **Note:** Peer-UID authentication for the agent socket uses `SO_PEERCRED` and is **Linux-only**. On macOS and other Unix platforms, agent security relies on socket file permissions (`0600`) only.\n\n## Building from Source\n\n```bash\n# Prerequisites: Rust 1.78+ (SQLite is bundled — no system headers needed)\ncargo build --release\n```\n\n## Library Usage\n\nvault also ships as a library crate (`vault_lib`) for programmatic access:\n\n```toml\n[dependencies]\nvault_lib = { path = \".\" }\n```\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md).\n\n## License\n\nLicensed under [MIT License](LICENSE-MIT).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fniteshdangi%2Fvault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fniteshdangi%2Fvault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fniteshdangi%2Fvault/lists"}