Quickstart

Create a vault, import your .env, and run your app with secrets injected.

Initialize a vault

Run vaulted init in your project directory. It creates the encrypted SQLite vault at ~/.config/vaulted/vaulted.db, a project named after the directory with development, staging, and production environments, and a vaulted.toml that pins the project and default environment for this directory.

$ cd my-app
$ vaulted init
Master password:
Confirm master password:
Initialized vault at /Users/you/.config/vaulted/vaulted.db
Created project "my-app" (my-app) with environments: development, staging, production
Wrote /Users/you/my-app/vaulted.toml
Master password saved to the OS keychain

The password prompt is hidden and echoes nothing. The master password is saved to the OS keychain, so later commands do not prompt. Every command discovers vaulted.toml by walking up from the current directory, like git.

Import your .env

Move your existing .env into the vault. Values are encrypted before they touch the database.

$ vaulted import .env
Imported 4 new, overwrote 0, skipped 0 (development)

If a key already exists, the import stops and asks you to pick --overwrite or --skip. Once you have checked the result with vaulted list, your .env file can be deleted.

Set, get, and list

set without a value reads from a hidden prompt or stdin, so the secret never lands in shell history. get prints the raw value to stdout and nothing else, so it pipes cleanly. list shows names, scopes, and value types, never values.

$ vaulted set STRIPE_KEY
Value for STRIPE_KEY:
Set STRIPE_KEY in development
$ vaulted get STRIPE_KEY
sk_test_vaulted_quickstart
$ vaulted list
KEY             SCOPE   TYPE
DATABASE_URL    shared  string
REDIS_URL       shared  string
SENTRY_DSN      shared  string
SESSION_SECRET  shared  string
STRIPE_KEY      shared  string

vaulted list --reveal prints decrypted values and writes a secret.revealed entry to the audit log.

Run with secrets injected

vaulted run decrypts the secrets for the pinned environment and executes your command through the hardened Rust runner. The child environment is exactly a 10-variable allowlist plus your secrets; nothing else from the parent leaks through.

$ vaulted run -- npm run dev
$ vaulted run -e production -- ./deploy.sh

The child exit code becomes the vaulted exit code, and every run is recorded in the audit log before the command spawns.
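
The allowlist-plus-secrets pattern and exit-code propagation described in this section, as an added sketch that is not vaulted's own code. The contents of ALLOWLIST and the function names child_env and run are assumptions; the page does not name the 10 variables.

```rust
use std::collections::BTreeMap;
use std::process::Command;

// Assumed allowlist for illustration only: the page says vaulted's has
// 10 entries but does not name them.
const ALLOWLIST: &[&str] = &["PATH", "HOME", "USER", "SHELL", "LANG", "TERM", "TMPDIR"];

/// Child environment = allowlisted parent variables, then secrets on top.
/// Anything else in the parent (cloud credentials, tokens, LD_PRELOAD) is dropped.
fn child_env(
    parent: &BTreeMap<String, String>,
    secrets: &BTreeMap<String, String>,
) -> BTreeMap<String, String> {
    let mut env = BTreeMap::new();
    for name in ALLOWLIST {
        if let Some(value) = parent.get(*name) {
            env.insert(name.to_string(), value.clone());
        }
    }
    // Secrets are applied last so they win over an inherited value of the same name.
    env.extend(secrets.iter().map(|(k, v)| (k.clone(), v.clone())));
    env
}

/// Spawn argv with exactly `env` and return the child's exit code.
fn run(argv: &[&str], env: &BTreeMap<String, String>) -> std::io::Result<i32> {
    let status = Command::new(argv[0])
        .args(&argv[1..])
        .env_clear() // start from empty: no implicit inheritance
        .envs(env)
        .status()?;
    // code() is None when the child was killed by a signal; report failure.
    Ok(status.code().unwrap_or(1))
}

fn main() -> std::io::Result<()> {
    // Non-UTF-8 variables are skipped rather than passed through.
    let parent: BTreeMap<String, String> = std::env::vars_os()
        .filter_map(|(k, v)| Some((k.into_string().ok()?, v.into_string().ok()?)))
        .collect();
    let mut secrets = BTreeMap::new();
    // Sample value taken from the session shown earlier on this page.
    secrets.insert("STRIPE_KEY".to_string(), "sk_test_vaulted_quickstart".to_string());
    // Print the child's view of the environment, then propagate its exit code.
    let code = run(&["/usr/bin/env"], &child_env(&parent, &secrets))?;
    std::process::exit(code);
}
```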

Lock and unlock

lock clears the stored master password: both the keychain entry and the password file. unlock verifies the password and stores it again.

$ vaulted lock
Vault locked; stored master password cleared
$ vaulted unlock
Master password:
Vault unlocked; master password saved to the OS keychain

Expose the vault to your agent

$ claude mcp add vaulted -- vaulted mcp

Run vaulted unlock once before agent use; the MCP server never prompts. Setup for Cursor, Codex, Zed, OpenCode, and Claude Desktop, plus the full tool reference, is in MCP.