https://github.com/deadswitch404/vault-crypt
Minimalist GPG-powered vault encryption for KeePassXC. No cloud. No traces. Just your keys, your silence, and the seal.
https://github.com/deadswitch404/vault-crypt
bash cybersecurity deadswitch encryption gpg infosec keepassxc linux local-first opsec privacy vault
Last synced: about 1 year ago
JSON representation
Minimalist GPG-powered vault encryption for KeePassXC. No cloud. No traces. Just your keys, your silence, and the seal.
- Host: GitHub
- URL: https://github.com/deadswitch404/vault-crypt
- Owner: DeadSwitch404
- Created: 2025-04-22T18:26:57.000Z (about 1 year ago)
- Default Branch: master
- Last Pushed: 2025-04-22T18:46:01.000Z (about 1 year ago)
- Last Synced: 2025-05-13T13:17:35.237Z (about 1 year ago)
- Topics: bash, cybersecurity, deadswitch, encryption, gpg, infosec, keepassxc, linux, local-first, opsec, privacy, vault
- Language: Shell
- Homepage:
- Size: 6.84 KB
- Stars: 10
- Watchers: 1
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# πΆοΈ vault-crypt
> **DeadSwitch | The Cyber Ghost**
> _"In silence, we rise. In the switch, we fade."_
Minimalist encryption for those who live off the grid.
A GPG-powered vault manager for your `.kdbx` password databases.
No GUI. No cloud. Just your keys, your vault, and the silence between.
---
## π§ What is `vault-crypt`?
A bash script that:
- Encrypts and signs your KeePassXC `.kdbx` file using GPG.
- Decrypts when needed, verifies signature integrity.
- Purges unsealed vaults to eliminate traces.
- Backs up your encrypted vault with timestamped versions.
All operations are local. No 3rd-party sync.
You are the cloud. You are the guardian.
---
## π Philosophy
> *Your vault is your memory.
> Sign it with your hand.
> Seal it with your ghost.
> Let no cloud eat what you protect.*
> β DeadSwitch
---
## π Features
- β
GPG encryption + signature validation
- β
File wiping of plaintext vaults
- β
Timestamped backup creation
- β
Lightweight and auditable
- β
Config via `.env` file
---
## π File Structure
```text
.
βββ examples
βΒ Β βββ sample.env
βββ README.md
βββ vault-crypt.sh
```
---
## βοΈ Setup
### Clone the repo
```bash
git clone https://github.com/DeadSwitch404/vault-crypt.git
cd vault-crypt
```
### Copy and configure your env:
```bash
cp examples/sample.env .env.pwmanager
nano .env.pwmanager
```
### Make the script executable:
```bash
chmod +x vault-crypt.sh
```
### Test your GPG setup:
```bash
gpg --list-keys
```
## π οΈ Commands
```bash
./vault-crypt.sh encrypt # Encrypt and sign the KeePass DB
./vault-crypt.sh decrypt # Decrypt and validate the vault
./vault-crypt.sh status # Show vault state
./vault-crypt.sh backup # Create encrypted, timestamped backup
./vault-crypt.sh help # Show usage
```
## π§ͺ Example .env.pwmanager
```text
KEY_ID="deadbeef42"
PW_DIR="$HOME/vault/passwords"
CLEAR_PW_DB="secrets.kdbx"
CRYPT_PW_DB="secrets.kdbx.gpg"
BACKUP_DIR="$HOME/vault/backups"
TIMESTAMP=$(date +"%Y%m%d-%H%M")
CURRENT_DIR="$PWD"
```
### Important:
Keep this .env file outside of version control.
DeadSwitch recommends using chmod 600 and storing it on encrypted storage.
## π§Ή Bonus: Harden Your Flow
- Use shred or srm to wipe files on exit (manual or optional enhancement).
- Alias vault-crypt.sh decrypt to open-sesame for that final hacker vibe.
- Run via cron for daily encrypted backups to external storage (offline preferred).
## π³οΈ Backdoor-Free Guarantee
`grep -r curl .`
(nothing found)
`grep -r wget .`
(silence)
# Youβre home.
## πͺͺ License
MIT.
Use. Fork. Adapt. Ghost away.
But respect the silence. Credit DeadSwitch.
DeadSwitch | The Cyber Ghost
"You don't need permission to protect whatβs yours."
https://tomsitcafe.com
https://github.com/DeadSwitch404/vault-crypt