Features · Installation · Usage · Security · Dependencies

Vault

vault is a securely encrypted credential manager with a vim-style TUI, built in Rust.

Self-hosted, local-first architecture - your credentials never touch our servers.

<a name="features"></a>

✨ Features

• Secure Storage: Per-credential encryption with ChaCha20-Poly1305 AEAD
• Strong Key Derivation: Argon2id with 19 MiB memory cost
• Hierarchical Keys: Master Key wraps DEK (Data Encryption Key), DEK encrypts credentials - enables password changes without re-encrypting data
  • Master key → DEK (wrapped) → Credential keys (encrypted)
• Full-Text Search: SQLite FTS5 for fast search
• Search or filter by project/tag: Organize your credentials and keys via tagging
• Vim Keybindings: Modal editing with hjkl navigation
• TOTP Support: Generate 2FA codes with countdown timer
• Password Generator: Configurable CSPRNG password generation
• Password Strength Checker: Evaluates the security of user passwords in real-time, providing feedback on complexity, and length to help users create stronger, safer passwords.
• Audit Trail: Extensive HMAC-signed logs for tamper detection and activity records
• Auto-clear clipboard: Automatically overwrite or wipe clipboard memory with 0-bytes (Zeroization) after 15 seconds
• Auto-lock: Automatically lock vault after 3 minutes of inactivity
• Export: Flexible credential export with format and encryption options
  • Formats: JSON, Plain Text
  • Encryption: None (not recommended), GPG (AES-256), age (ChaCha20-Poly1305)
  • Supports filtered export when search or tag filters are active

<a name="installation"></a>

⚡ Installation

Prerequisites

• Requires Rust toolchain (rustc, cargo) to be installed on your system!

Quick Install

Unix (Linux/macOS):

git clone https://github.com/iamKimlong/vault.git
cd vault
cargo build --release && sudo install -m 755 target/release/vault /usr/local/bin/vault

Windows:

git clone https://github.com/iamKimlong/vault.git
cd vault
cargo build --release
Copy-Item .\target\release\vault.exe "$env:LOCALAPPDATA\Microsoft\WindowsApps\"

Alternative Methods

<details> <summary><b>Manual install (per-user)</b></summary>

cargo build --release
# Unix
mkdir -p ~/.local/bin && mv target/release/vault ~/.local/bin/
# Ensure ~/.local/bin is in your PATH

</details> <details> <summary><b>Cargo install</b></summary>

cargo install --path .
# Installs to ~/.cargo/bin (must be in PATH)

</details> <details> <summary><b>Development/testing</b></summary>

cargo run

</details>

📜 Note: whenever you update the vault, your credentials will remain unchanged unless you explicitly delete them.

<a name="usage"></a>

🚀 Usage

vault

Normal Mode

| Key | Action | |-----|--------| | j/k or ↓/↑ | Navigate up/down | | gg | Go to top | | G | Go to bottom | | Ctrl+d | Half page down | | Ctrl+u | Half page up | | Ctrl+f | Page down | | Ctrl+b | Page up | | Enter | View details | | n | New credential | | e | Edit credential | | dd/x | Delete credential | | yy/c | Copy password | | u | Copy username | | T | Copy TOTP code | | Ctrl+t | Copy TOTP secret | | Ctrl+s | Toggle password visibility | | Ctrl+p | Change master key | | Ctrl+l | Clear message | | i | View logs | | t | View tags | | L | Lock vault | | / | Search | | : | Command mode | | ? | Help | | q | Quit |

Commands

• :q - Quit
• :new - New credential
• :project - New project
• :changepw - Change master key
• :gen - Generate password
• :audit - Verify audit log integrity
• :log - View logs
• :tag - View existing tags
• :export - Export credentials with options
• :help - Show help

<a name="security"></a>

🛡️ Security

Encryption

• ChaCha20-Poly1305 AEAD encryption
• Argon2id key derivation (19 MiB, 2 iterations) - resistant to GPU/ASIC attacks
• Unique random salt per vault, embedded in PHC string

Key Architecture

• Master Key derived from your password via Argon2id
• Data Encryption Key (DEK) random 256-bit key that encrypts all credentials
• Wrapped DEK - DEK encrypted by Master Key, stored in database
• Password changes only re-wrap the DEK - no need to re-encrypt credentials

Memory Protection

• Zeroized memory for sensitive data
• mlock()/VirtualLock() to prevent key material from swapping to disk
• PR_SET_DUMPABLE=0 to prevent core dumps (Unix)

Audit Trail

• Audit Trail all sensitive actions logged (unlock, create, read, copy, update, delete)
• HMAC-SHA256 signatures on each log entry
• Tamper detection on unlock and via :audit command
• Detects if attacker modifies or deletes log entries

Miscellaneous

• Auto-lock after 3 minutes
• Auto-wipe clipboard after 15 seconds with zeroization

<a name="dependencies"></a>

⚙️ Dependencies

TUI

• ratatui
• crossterm

Database

• rusqlite Features: bundled, backup

Crypto

• argon2
• chacha20poly1305
• hkdf
• sha2
• hmac
• sha1
• rand
• secrecy
• zeroize Features: derive

TOTP

• totp-rs Features: otpauth

Clipboard

• arboard

Serialization

• serde Features: derive
• serde_json

Utilities

• libc
• chrono Features: serde
• uuid Features: v4
• hex
• base64
• dirs
• thiserror
• anyhow

Development Dependencies

• tempfile