open source · MIT · macOS + Linux

Secrets that never leave your machine

Vaulted is a local-first vault encrypted at rest, a hardened Rust runner that injects secrets into your process, and an MCP server that keeps values out of your agent's context window.

curl -fsSL https://raw.githubusercontent.com/woosal1337/vaulted/main/scripts/install.sh | sh
vaulted · zsh
$ vaulted init
Master password:
Confirm master password:
Initialized vault at ~/.config/vaulted/vaulted.db
Created project "my-app" (my-app) with environments: development, staging, production
Wrote ~/my-app/vaulted.toml
Master password saved to the OS keychain
$ vaulted import .env
Imported 12 new, overwrote 0, skipped 0 (development)
$ vaulted run -- npm run dev
> my-app@0.1.0 dev
> next dev
vaulted run · hardened injection path

Features

Every claim below maps to implemented, tested behavior documented in the security model.

Hardened Rust runner

cli

One injection path, a Rust library loaded over FFI. Core dumps are disabled, the child environment is cleared to a 10-variable allowlist plus your secrets, buffers are zeroized, and nothing is written to disk.

vaulted run
$ vaulted run -- npm run dev
# child env: 10-variable allowlist + secrets
# core dumps disabled, buffers zeroized
> my-app@0.1.0 dev
> next dev

MCP for coding agents

agents

Five tools over stdio for Claude Code, Cursor, Codex, Zed, OpenCode, and Claude Desktop. Read tools return names and metadata only, and run output is redacted before it reaches the model.

vaulted mcp
$ claude mcp add vaulted -- vaulted mcp
# tool call chosen by the agent
run-with-secrets { "command": ["node", "scripts/charge-test.js"], "environment": "development" }
# tool result, redacted before it reaches the model
{ "exitCode": 0, "stdout": "created test charge with [REDACTED:STRIPE_KEY]\n", "stderr": "", "timedOut": false }
run

One injection path

vaulted run executes through the hardened Rust runner with a cleaned environment, so your .env file can be deleted.

import

Dotenv in and out

vaulted import moves your .env into the vault. vaulted export reconstructs it when you need it back, and every export is audited.

organize

Projects, envs, folders

Projects with development, staging, and production environments, pinned per directory by vaulted.toml and discovered by walking up parent directories, the way git finds its repository.

encrypt

Encrypted at rest

AES-256-GCM under a key hierarchy rooted in your master password via Argon2id. Only ciphertext ever touches disk.

redact

Output redaction

Captured run output is scanned in plain, base64, and URL-encoded forms. Matches come back as [REDACTED:KEY_NAME].
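The redaction pass described above, as an added example in Python (not Vaulted's Rust code): it builds the plain, base64 and URL-encoded forms of each secret, matches the longest form first, and replaces every hit with [REDACTED:KEY_NAME]. The SECRETS values and the sample output are constructed; a secret base64-encoded mid-string inside a larger blob (shifted alignment) is not covered here.

```python
import base64
import re
import urllib.parse

# Constructed sample secrets for the demo; not real credentials.
SECRETS = {
    "STRIPE_KEY": "sk_test_EXAMPLE0123456789",
    "DB_PASSWORD": "p@ss word/1",
}


def encoded_forms(value: str) -> set:
    """Forms a secret value can take in captured output: plain text,
    standard base64 (padded and unpadded) and percent/form encoding."""
    b64 = base64.b64encode(value.encode()).decode()
    forms = {
        value,
        b64,
        b64.rstrip("="),                        # unpadded base64 variant
        urllib.parse.quote(value, safe=""),     # %20-style percent encoding
        urllib.parse.quote_plus(value),         # form encoding, space -> '+'
    }
    # Very short forms would match unrelated text, so drop them.
    return {f for f in forms if len(f) >= 4}


def redact(output: str, secrets: dict) -> str:
    """Replace every occurrence of any secret, in any encoded form, with
    [REDACTED:KEY_NAME]. Longer forms are tried first so a secret that is a
    prefix of another secret never leaves a recognisable tail behind."""
    by_form = {}
    for name, value in secrets.items():
        for form in encoded_forms(value):
            by_form[form] = name
    if not by_form:
        return output
    ordered = sorted(by_form, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(f) for f in ordered))
    return pattern.sub(lambda m: f"[REDACTED:{by_form[m.group(0)]}]", output)


def sample_output() -> str:
    """Constructed child-process output that leaks the sample secrets in all
    three forms the page names: plain, base64 and URL-encoded."""
    key, pw = SECRETS["STRIPE_KEY"], SECRETS["DB_PASSWORD"]
    return (
        f"created test charge with {key}\n"
        f"Authorization: Basic {base64.b64encode(key.encode()).decode()}\n"
        f"postgres://app:{urllib.parse.quote(pw, safe='')}@localhost/db\n"
    )
```

Calling redact(sample_output(), SECRETS) yields three redactions: two for STRIPE_KEY (plain and base64) and one for DB_PASSWORD (percent-encoded in the connection string).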

audit

Append-only log

Reveals, exports, runs, and MCP access all leave a local record, written in the same transaction as the mutation.

rotate

Key rotation

vaulted rotate generates a new project key and re-encrypts every secret in the project in one command.

lock

Lock and unlock

vaulted lock clears the keychain entry and the password file. Unlock once and the MCP server never prompts.

security model

One key hierarchy, no recovery

master password → Argon2id → AES-256-GCM → RSA-OAEP → project keys → secrets
vaulted.db · ciphertext only · mode 0600

Your master password derives the master key via Argon2id with 64 MiB of memory, 3 iterations, and 4 lanes. That key encrypts an RSA-2048 private key, which unwraps (RSA-OAEP) a random AES-256-GCM key per project, which in turn encrypts every secret value. Only ciphertext ever touches disk, the database and password file are mode 0600, and there is no password recovery of any kind: no reset flow, no escrow, no security questions. A lost master password means an unreadable vault, by design.

Read the full security model →

Questions

Short answers from the security model and the MCP reference.

No. There is no server. Secrets live in an encrypted SQLite vault on your machine, values are AES-256-GCM ciphertext under a key hierarchy rooted in your master password, and decryption happens locally.

Everything sits under ~/.config/vaulted, an SQLite database and an optional password file, both mode 0600. Each project directory gets a vaulted.toml that pins the project and default environment and holds no secret material.

The vault becomes unreadable, by design. There is no reset flow, no escrow, and no security questions. Export what you need while you can still decrypt.

The four read tools return names and metadata only. run-with-secrets executes a command through the hardened runner and redacts the injected values from the captured output before it reaches the model.

It disables core dumps, clears the child environment to a 10-variable allowlist plus your secrets, zeroizes secret buffers, and writes nothing to disk. vaulted run and the MCP run tool share this one Rust code path over FFI.

Yes. vaulted export reconstructs a dotenv file from any environment. The export is written to the audit log before any plaintext is emitted.

Your .env file can be deleted today

Install Vaulted, import your secrets, and keep them on your machine.