Quickstart
Create a vault, import your .env, and run your app with secrets injected.
Initialize a vault
Run vaulted init in your project directory. It creates the encrypted SQLite vault at ~/.config/vaulted/vaulted.db, a project named after the directory with development, staging, and production environments, and a vaulted.toml that pins the project and default environment for this directory.
$ cd my-app
$ vaulted init
Master password:
Confirm master password:
Initialized vault at /Users/you/.config/vaulted/vaulted.db
Created project "my-app" (my-app) with environments: development, staging, production
Wrote /Users/you/my-app/vaulted.toml
Master password saved to the OS keychain
The password prompt is hidden and echoes nothing. The master password is saved to the OS keychain, so later commands do not prompt. Every command discovers vaulted.toml by walking up from the current directory, like git.
Import your .env
Move your existing .env into the vault. Values are encrypted before they touch the database.
$ vaulted import .env
Imported 4 new, overwrote 0, skipped 0 (development)
If a key already exists, the import stops and asks you to pick --overwrite or --skip. Once you have checked the result with vaulted list, your .env file can be deleted.
Set, get, and list
set without a value reads from a hidden prompt or stdin, so the secret never lands in shell history. get prints the raw value to stdout and nothing else, so it pipes cleanly. list shows names, scopes, and value types, never values.
$ vaulted set STRIPE_KEY
Value for STRIPE_KEY:
Set STRIPE_KEY in development
$ vaulted get STRIPE_KEY
sk_test_vaulted_quickstart
$ vaulted list
KEY             SCOPE   TYPE
DATABASE_URL    shared  string
REDIS_URL       shared  string
SENTRY_DSN      shared  string
SESSION_SECRET  shared  string
STRIPE_KEY      shared  string
vaulted list --reveal prints decrypted values and writes a secret.revealed entry to the audit log.
Run with secrets injected
vaulted run decrypts the secrets for the pinned environment and executes your command through the hardened Rust runner. The child environment is exactly a 10-variable allowlist plus your secrets; nothing else from the parent leaks through.
$ vaulted run -- npm run dev
$ vaulted run -e production -- ./deploy.sh
The child exit code becomes the vaulted exit code, and every run is recorded in the audit log before the command spawns.
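The allowlist model described above, sketched in Rust as an added example; it is not vaulted's runner code. The four-variable ALLOWLIST and the function names are assumptions, since this page does not name the runner's 10 variables.

```rust
use std::collections::BTreeMap;
use std::process::Command;

// Assumed allowlist for this example only; the page does not list vaulted's 10 variables.
const ALLOWLIST: [&str; 4] = ["PATH", "HOME", "LANG", "TERM"];

/// Build the child's environment: allowlisted parent variables plus secrets, nothing else.
fn build_child_env(
    parent: &BTreeMap<String, String>,
    secrets: &BTreeMap<String, String>,
) -> BTreeMap<String, String> {
    let mut child = BTreeMap::new();
    for name in ALLOWLIST.iter() {
        // Copy a parent variable only if its name is on the allowlist.
        if let Some(value) = parent.get(*name) {
            child.insert((*name).to_string(), value.clone());
        }
    }
    // Secrets go in last, so in this example a secret wins a name clash.
    for (name, value) in secrets {
        child.insert(name.clone(), value.clone());
    }
    child
}

/// Spawn `program` with exactly `env`; env_clear() drops everything inherited.
fn run_with_env(program: &str, args: &[&str], env: &BTreeMap<String, String>) -> std::io::Result<i32> {
    let status = Command::new(program).args(args).env_clear().envs(env).status()?;
    // Hand the child's exit code back to the caller; 1 if a signal killed it.
    Ok(status.code().unwrap_or(1))
}

fn main() -> std::io::Result<()> {
    // Constructed inputs: a stray credential in the parent and one vault secret.
    let mut parent = BTreeMap::new();
    parent.insert("PATH".to_string(), "/usr/bin:/bin".to_string());
    parent.insert("AWS_SECRET_ACCESS_KEY".to_string(), "constructed-stray-value".to_string());
    let mut secrets = BTreeMap::new();
    secrets.insert("STRIPE_KEY".to_string(), "sk_test_vaulted_quickstart".to_string());
    // The child prints only PATH and STRIPE_KEY; the stray credential is absent.
    let code = run_with_env("/usr/bin/env", &[], &build_child_env(&parent, &secrets))?;
    std::process::exit(code)
}
```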
Lock and unlock
lock clears the stored master password, both the keychain entry and the password file. unlock verifies the password and stores it again.
$ vaulted lock
Vault locked; stored master password cleared
$ vaulted unlock
Master password:
Vault unlocked; master password saved to the OS keychain
Expose the vault to your agent
claude mcp add vaulted -- vaulted mcp
Run vaulted unlock once before agent use; the MCP server never prompts. Setup for Cursor, Codex, Zed, OpenCode, and Claude Desktop, plus the full tool reference, is in MCP.