Chamber

A secure, local-first secrets manager built with Rust, featuring encrypted storage, intuitive terminal UI, and comprehensive import/export capabilities.

<img alt="Rust" src="https://img.shields.io/badge/Rust-1.85-orange"> <img alt="License" src="https://img.shields.io/badge/License-MIT-blue">

🌟 Overview

Chamber is a modern secret management solution designed for developers and security-conscious users who need reliable, encrypted storage for sensitive information. Built entirely in Rust, Chamber provides a robust foundation for managing passwords, API keys, certificates, database credentials, and other secrets with strong cryptographic guarantees.

✨ Features

• 🔐 Strong Encryption: ChaCha20-Poly1305 authenticated encryption with Argon2 key derivation
• 💾 SQLite Backend: Reliable, ACID-compliant storage with WAL mode and foreign key constraints
• 📱 Terminal UI: Beautiful, responsive interface built with Ratatui and Crossterm
• 📊 Multiple Export Formats: JSON, CSV, and Chamber Backup formats with robust parsing
• 🔄 Backup: a comprehensive backup system that ensures your sensitive data is automatically protected
• 🔄 Import/Export: Seamless data migration and backup capabilities
• 🏷️ Flexible Item Types: Support for passwords, environment variables, API keys, SSH keys, certificates, and more
• 🛡️ Security-First Design: Zero-knowledge architecture with local-only storage

📸 Screenshots

<p align="center"> <img src="images/items.png" alt="VisualVault's Settings Page" /> <span>Chamber's Main Page with Items</span> </p> <p align="center"> <img src="images/add_item.png" alt="VisualVault's Settings Page" /> <span>Chamber's Add Item Dialog</span> </p> <p align="center"> <img src="images/main.png" alt="VisualVault's Main Page" /> <span>Chamber's Main Page</span> </p> <p align="center"> <img src="images/unlock.png" alt="VisualVault's Settings Page" /> <span>Chamber's Login Page</span> </p>

🎥 Introduction Videos

<p align="center"> <i>Click the image above to watch a quick introduction to Chamber</i> </p>

📚 Table of Contents

• Getting Started
• Development Setup
• Architecture
• Usage
• Testing
• Security
• Contributing
• License

🚀 Getting Started

Prerequisites

• Rust: Version 1.85.0 or newer
• Operating System: Windows 11, macOS, or Linux
• Terminal: Modern terminal with Unicode support (recommended)

Installation

From Source

# Clone the repository
git clone https://github.com/mikeleppane/chamber.git
cd chamber

# Build the project
cargo build --release

# Run Chamber
./target/release/chamber

Using Cargo

cargo install chamber-tui

Pre-built Binaries

We provide pre-built binaries for multiple platforms as part of each release:

Supported Platforms:

• Linux: x86_64 (Intel/AMD 64-bit), ARM64 (Apple Silicon/ARM64)
  • Standard glibc builds: chamber-linux-amd64, chamber-linux-arm64
  • Static MUSL builds: chamber-linux-amd64-static (no dependencies required)
• Windows: x86_64 (Intel/AMD 64-bit) - chamber-windows-amd64.exe
• macOS: x86_64 (Intel 64-bit) - chamber-macos-amd64

Download the latest release from GitHub Releases.

Docker Support

We provide official Docker images for containerized deployments:

Supported Architectures:

• linux/amd64 (x86_64 Intel/AMD)
• linux/arm64 (ARM64/Apple Silicon)

Quick Start

1. Initialize a new vault:

   chamber init

1. Create your first secret:

   chamber add --name "github-token" --kind apikey --value "your-token-here"

1. List your secrets:

   chamber list

1. Launch the interactive UI:

   chamber ui

CLI Commands

Quick start:
1. chamber init              # Initialize your first vault
2. chamber add -n "github-token" -k apikey -v "your-token"
3. chamber list              # View your secrets
4. chamber ui                # Launch terminal interface

Usage: chamber [COMMAND]

Commands:
  init      Initialize a new Chamber vault with master password encryption
  add       Add a new secret item to the vault
  list      List all secrets in the vault (names and types only)
  get       Retrieve and display a specific secret by name
  generate  Generate secure passwords with customizable options
  export    Export vault contents to a file for backup or migration
  import    Import secrets from a file into the vault
  stats
  backup    Backup management commands for automatic data protection
  registry  Multiple vault management commands for organizing secrets
  help      Print this message or the help of the given subcommand(s)

Chamber REST API

Chamber provides a comprehensive REST API that enables programmatic access to all vault operations. The API features JWT-based authentication, session management, and full CRUD operations for secrets and vaults.

🚀 Getting Started with the API

Starting the API Server

# Start with default settings (localhost:3000)
chamber api
# Specify custom bind address and port
chamber api --bind 0.0.0.0 --port 8080
# Bind to specific address
chamber api --bind 192.168.1.100:3000

Quick Test

# Health check
curl http://localhost:3000/api/v1/health
# Expected response:
{
  "data": {
    "status": "ok",
    "version": "0.5.0",
    "vault_status": "locked"
  }
}

🔐 Authentication & Authorization

The API uses JWT (JSON Web Token) based authentication with scope-based authorization.

Login

POST /api/v1/auth/login

Request Body

{ "master_password": "your_master_password" }

Response

{
  "data": {
    "token": "...",
    "expires_at": "2025-08-18T06:47:29.538661800Z",
    "scopes": [
      "read:items",
      "write:items",
      "reveal:values",
      "generate:passwords",
      "vault:health",
      "vault:read",
      "vault:list",
      "vault:create",
      "vault:update",
      "vault:delete",
      "vault:switch",
      "manage:vaults"
    ]
  }
}

Using the Token

Include the JWT token in the Authorization header for all protected endpoints:

curl -H "Authorization: Bearer YOUR_JWT_TOKEN" http://localhost:3000/api/v1/items

Response

{
  "data": {
    "items": [
      {
        "id": 1,
        "name": "MY_PASSWORD",
        "kind": "password",
        "created_at": "2025-08-17T06:44:26Z",
        "updated_at": "2025-08-17T06:44:26Z",
        "has_value": true,
        "value_length": 10
      }
    ],
    "total": 1
  }
}

Available Scopes

| Scope | Description | |-------|-------------| | read:items | List and view secret metadata | | write:items | Create, update, and delete secrets | | reveal:values | Access secret values and copy to clipboard | | generate:passwords | Generate secure passwords | | vault:health | Access security reports and health checks | | vault:read | View vault statistics and information | | manage:vaults | Create, switch, and manage multiple vaults |

📊 Session Management

Lock Session

Locks the vault while keeping the JWT token valid:

POST /api/v1/session/lock Authorization: Bearer YOUR_JWT_TOKEN

Response

{
  "data": "Session locked successfully"
}

Unlock Session

Unlocks the vault with master password:

POST /api/v1/session/unlock Authorization: Bearer YOUR_JWT_TOKEN
{ "master_password": "your_master_password" }

Response

{
  "data": "Session unlocked successfully"
}

Logout

Locks the vault and invalidates the session:

POST /api/v1/auth/logout Authorization: Bearer YOUR_JWT_TOKEN

🗂️ Secrets Management

List Secrets

GET /api/v1/items?limit=50&offset=0&sort=name&order=asc Authorization: Bearer YOUR_JWT_TOKEN

Response

{
  "data": {
    "items": [
      {
        "id": 1,
        "name": "MY_PASSWORD",
        "kind": "password",
        "created_at": "2025-08-17T06:44:26Z",
        "updated_at": "2025-08-17T06:44:26Z",
        "has_value": true,
        "value_length": 10
      }
    ],
    "total": 1
  }
}

Query Parameters:

• limit (default: 50) - Maximum number of items to return
• offset (default: 0) - Number of items to skip for pagination
• sort (default: name) - Sort field: name, kind, created_at, updated_at
• order (default: asc) - Sort order: asc or desc
• kind - Filter by item type (e.g., password, apikey)
• query - Search in item names

Create Secret

POST /api/v1/items Authorization: Bearer YOUR_JWT_TOKEN
{ "name": "Database Password", "kind": "password", "value": "super_secure_password_123" }

Response

{
  "data": {
    "id": 2,
    "name": "Database Password",
    "kind": "password",
    "created_at": "2025-08-17T07:02:01Z",
    "updated_at": "2025-08-17T07:02:01Z",
    "has_value": true,
    "value_length": 25
  }
}

Supported Item Types:

• password - User passwords
• apikey - API tokens and keys
• note - Secure notes
• sshkey - SSH private keys
• certificate - SSL/TLS certificates
• database - Database credentials
• envvar - Environment variables

Get Secret Details

GET /api/v1/items/{id} Authorization: Bearer YOUR_JWT_TOKEN

Response

{
  "data": {
    "id": 2,
    "name": "Datab