Introduction
Vaulted is a local-first .env and secrets manager, MCP-native from day one.
Secrets live in an encrypted SQLite vault on your machine, never on a server. Values are encrypted with AES-256-GCM under a key hierarchy rooted in your master password through Argon2id. Decryption happens locally, and plaintext reaches a target process through exactly one path, a hardened Rust runner loaded over FFI.
- vaulted init: create a vault and project
- vaulted import .env: move your .env into the vault
- vaulted run -- npm run dev: run with secrets injected
- vaulted mcp: agent surface for Claude Code, Cursor, Codex, ...
Positioning
Vaulted is a CLI-first secrets manager for developers and AI coding agents. There is no server, no account, and no billing. The flagship workflows are vaulted import .env followed by vaulted run -- npm run dev, which decrypts locally and injects plaintext into the target process through the hardened runner, and vaulted mcp, which exposes the vault to Claude Code, Cursor, Codex, Zed, OpenCode, and Claude Desktop without secret values ever entering the model context window.
When to use it
- Encrypted at rest
Your .env moves into an encrypted vault. Secret values only ever touch disk as ciphertext, and the .env file can be deleted.
- One injection path
Plaintext reaches a process only through the Rust runner, with a cleaned environment, zeroized buffers, and no disk writes.
- Agents without values
An agent can inspect secret names and run commands that use secrets, but values never enter its context window. Captured output is redacted before it returns.
- Audited access
Every reveal, export, run, and MCP access lands in a local audit log.
Vaulted v0.3 is single user and local. There is no team sharing and no hosted dashboard. The key hierarchy is kept sharing-ready, so later releases can add vault sharing and machine identities without re-encrypting the vault.
How it works
- Vault
An encrypted SQLite database at ~/.config/vaulted/vaulted.db. Secret values are stored as ciphertext; key names stay plaintext so listing and search work.
- Key hierarchy
Your master password derives a 256-bit master key via Argon2id. That key encrypts an RSA-2048 private key with AES-256-GCM; the private key unwraps per-project AES-256-GCM keys, which encrypt the secret values. Because project keys are wrapped to a key pair rather than directly to the master key, a project key can later be wrapped to another identity's public key without re-encrypting the secrets, which is what keeps the hierarchy sharing-ready.
- Runner
A Rust cdylib loaded over FFI. It disables core dumps, clears the child environment down to a 10-variable allowlist plus the injected secrets, zeroizes secret buffers, and never writes to disk.
- MCP server
Five tools over stdio. Four are read-only and return names and metadata, never values. The fifth runs commands through the same runner and redacts injected secret values from the captured output.
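The key hierarchy in the list above, carried through end to end as an added worked example (not Vaulted's own code): password -> Argon2id -> master key -> AES-256-GCM-wrapped RSA-2048 private key -> RSA-wrapped per-project AES-256-GCM key -> encrypted secret value. The in-memory dict standing in for the SQLite file, the AAD strings, the RSA-OAEP padding choice, the KDF cost parameters and the scrypt stand-in used only when the installed cryptography/OpenSSL pair lacks Argon2id are all assumptions made for the example. It needs the `cryptography` package.

```python
"""Worked model of the Vaulted key hierarchy. Added illustration, not the
project's code: layout, AAD strings, OAEP choice and KDF costs are assumed."""
import hashlib
import os

from cryptography.exceptions import InvalidTag, UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed: project keys are wrapped to the identity key with RSA-OAEP/SHA-256.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def derive_master_key(password: bytes, salt: bytes) -> bytes:
    """Argon2id(password, salt) -> 32-byte master key. Cost parameters are illustrative."""
    try:
        from cryptography.hazmat.primitives.kdf.argon2 import Argon2id  # cryptography >= 44, OpenSSL >= 3.2
        return Argon2id(salt=salt, length=32, iterations=3, lanes=4, memory_cost=64 * 1024).derive(password)
    except (ImportError, UnsupportedAlgorithm):
        # Stand-in so the example runs where Argon2id is unavailable. scrypt is NOT
        # what Vaulted uses; it only fills the KDF slot in this illustration.
        return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-GCM; a fresh 96-bit nonce is prepended to the ciphertext."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Raises InvalidTag on a wrong key, tampered bytes or mismatched AAD."""
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)


def init_vault(password: bytes) -> dict:
    """Vault-level material: KDF salt, master-key-wrapped RSA private key, public key."""
    salt = os.urandom(16)
    identity = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    priv_der = identity.private_bytes(serialization.Encoding.DER,
                                      serialization.PrivateFormat.PKCS8,
                                      serialization.NoEncryption())
    return {
        "salt": salt,
        "wrapped_identity": seal(derive_master_key(password, salt), priv_der, b"vaulted:identity"),
        "public_key": identity.public_key().public_bytes(
            serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo),
        "projects": {},  # name -> {"wrapped_key": bytes, "secrets": {KEY_NAME: bytes}}
    }


def unlock(vault: dict, password: bytes):
    """Password -> master key -> RSA private key. Fails closed on a wrong password."""
    master_key = derive_master_key(password, vault["salt"])
    priv_der = unseal(master_key, vault["wrapped_identity"], b"vaulted:identity")
    return serialization.load_der_private_key(priv_der, password=None)


def password_is_correct(vault: dict, password: bytes) -> bool:
    try:
        unlock(vault, password)
        return True
    except InvalidTag:
        return False


def create_project(vault: dict, name: str) -> None:
    """Wrapping a new project key needs only the public key, not the password."""
    key = AESGCM.generate_key(bit_length=256)
    pub = serialization.load_der_public_key(vault["public_key"])
    vault["projects"][name] = {"wrapped_key": pub.encrypt(key, OAEP), "secrets": {}}


def project_key(vault: dict, password: bytes, name: str) -> bytes:
    return unlock(vault, password).decrypt(vault["projects"][name]["wrapped_key"], OAEP)


def secret_names(vault: dict, project: str) -> list:
    """Names are plaintext, so listing needs no password (what the read-only tools rely on)."""
    return sorted(vault["projects"][project]["secrets"])


def set_secret(vault: dict, password: bytes, project: str, name: str, value: bytes) -> None:
    # Assumed layout: AAD binds each ciphertext to its project and key name, so a
    # ciphertext moved to another row fails to decrypt instead of yielding a wrong value.
    aad = f"{project}:{name}".encode()
    vault["projects"][project]["secrets"][name] = seal(project_key(vault, password, project), value, aad)


def get_secret(vault: dict, password: bytes, project: str, name: str) -> bytes:
    aad = f"{project}:{name}".encode()
    return unseal(project_key(vault, password, project), vault["projects"][project]["secrets"][name], aad)
```

Two properties worth checking against any implementation of this shape: a wrong password must fail at the first GCM tag (the wrapped identity) rather than decrypt to garbage, and a ciphertext copied between rows must fail because of the AAD, not silently return the wrong secret.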
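The runner and MCP run-tool behaviour described in the list above, as an added illustration rather than Vaulted's code (the real runner is a Rust cdylib loaded over FFI): spawn a child with a cleaned environment made of an allowlist plus the injected secrets, refuse core dumps, and redact injected values from the captured output before it is returned. The allowlist contents (the page says ten variables but does not name them), the redaction marker, the child script and the sample secrets are assumptions constructed for the example. Python strings cannot be zeroized, so that step is not reproduced here.

```python
"""Added model of the runner's env cleaning and the MCP run tool's output
redaction. Not Vaulted's code; allowlist names and marker format are assumed."""
import os
import subprocess
import sys

# Assumed allowlist; Vaulted's actual ten variable names are not given on the page.
ENV_ALLOWLIST = ("PATH", "HOME", "USER", "SHELL", "TERM", "LANG", "LC_ALL", "TMPDIR", "PWD", "TZ")


def clean_env(secrets: dict, parent: dict = None) -> dict:
    """Child environment = allowlisted parent variables + injected secrets, nothing else."""
    parent = os.environ if parent is None else parent
    env = {name: parent[name] for name in ENV_ALLOWLIST if name in parent}
    for name in secrets:
        if name in env:  # refuse ambiguity rather than silently shadow an allowlisted variable
            raise ValueError(f"secret name {name!r} collides with an allowlisted variable")
    env.update(secrets)
    return env


def _no_core_dumps() -> None:
    """Runs in the child before exec (POSIX): a crash must not leave secrets in a core file."""
    import resource
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def redact(text: str, secrets: dict) -> str:
    """Replace every injected value with a marker. Longest values first so a value
    that contains another value is masked whole instead of leaving fragments."""
    for name, value in sorted(secrets.items(), key=lambda kv: len(kv[1]), reverse=True):
        if value:  # replace("") would insert markers between every character
            text = text.replace(value, f"<redacted:{name}>")
    return text


def run_with_secrets(argv: list, secrets: dict, parent_env: dict = None, timeout: float = 30):
    """Run argv with secrets injected; return (exit code, redacted stdout, redacted stderr)."""
    proc = subprocess.run(
        argv,
        env=clean_env(secrets, parent_env),
        capture_output=True,
        text=True,
        timeout=timeout,
        preexec_fn=_no_core_dumps if os.name == "posix" else None,
    )
    return proc.returncode, redact(proc.stdout, secrets), redact(proc.stderr, secrets)


# Constructed sample: a child that prints its secrets and checks for leakage from the parent.
CHILD_SCRIPT = (
    "import os, sys\n"
    "print(os.environ['API_KEY'])\n"
    "sys.stderr.write(os.environ['DB_URL'])\n"
    "print('SECRET_FROM_PARENT' in os.environ)\n"
)
SAMPLE_SECRETS = {"API_KEY": "sk-live-abc123", "DB_URL": "postgres://u:p@h/db"}
SAMPLE_PARENT = {"PATH": "/usr/bin:/bin", "HOME": "/tmp", "SECRET_FROM_PARENT": "leak"}


def demo():
    """Run the sample child through the cleaned environment; output comes back redacted."""
    return run_with_secrets([sys.executable, "-c", CHILD_SCRIPT], SAMPLE_SECRETS, SAMPLE_PARENT)


if __name__ == "__main__":
    print(demo())
```

Redaction is a literal match on the injected values: a child that prints a value base64-encoded, URL-encoded, or split across two writes gets past it. It is a guard rail on what an agent sees, not the boundary; the boundary is that the agent never receives the values in the first place.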
Design rationale lives in Architecture. The full threat model, including what Vaulted deliberately does not defend against, is in Security. Agent setup and the tool reference are in MCP.