/vault open source

vault

Encrypted secrets and env manager. Cross-platform Go CLI with AES-256 SQLCipher.

Go SQLCipher CLI Cobra

What it is

A small, sharp CLI for managing secrets across projects on a single developer machine. Every key lives in a SQLCipher-encrypted SQLite file. Project-scoped or global keys. .env import/export so wiring vault into a project’s runtime is one command.

vault key add OPENAI_API_KEY --project=manzas
vault env export --project=manzas > .env

The problem

I had keys scattered across ~/.zshrc, .env files in projects, password managers, and op:// URIs. Each tool with its own ergonomics, none of them sync-friendly across machines, all of them leaking into shell history. I wanted one place that’s encrypted at rest, scoped per project, and frictionless to read into a running process.

The approach

  • One encrypted store, AES-256 via SQLCipher. Master password on first run, kept in OS keychain so subsequent calls are silent.
  • Project scopes: --project=foo namespaces a key. --project=global for shared things (GITHUB_TOKEN, CF_API_TOKEN).
  • .env interop in both directions — import an existing .env into vault, or stream vault contents back out into a runtime .env for local dev.
  • Interactive key add — values never appear in shell history. The annoying twin of this: scripting around key add requires a small wrapper, captured in the kulify wiki.
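
The .env interop bullet above, as an added Go example that is not vault's own code: it shows why an export has to quote values, since a secret containing #, quotes, a backslash or a newline must come back byte-for-byte on import. The quoting dialect (every value double-quoted, with \\, \" and \n as the only escapes) and the names RenderEnv and ParseEnv are assumptions, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Assumed dialect: values always double-quoted; \\, \" and \n are the only escapes.
var esc = strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`)
var unesc = strings.NewReplacer(`\\`, `\`, `\"`, `"`, `\n`, "\n")

// RenderEnv emits sorted KEY="value" lines, one line per secret.
func RenderEnv(secrets map[string]string) string {
	keys := make([]string, 0, len(secrets))
	for k := range secrets {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=\"%s\"\n", k, esc.Replace(secrets[k]))
	}
	return b.String()
}

// ParseEnv reverses RenderEnv; bare (unquoted) values are taken verbatim.
func ParseEnv(text string) (map[string]string, error) {
	out := map[string]string{}
	for i, line := range strings.Split(text, "\n") {
		if line = strings.TrimSpace(line); line == "" || line[0] == '#' {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("line %d: want KEY=value", i+1) // never echo the value
		}
		if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
			v = unesc.Replace(v[1 : len(v)-1])
		}
		out[k] = v
	}
	return out, nil
}

func main() { // round-trips two constructed secrets and prints whether they survived
	sample := map[string]string{"DEMO_TOKEN": `a#b "c" \n`, "DEMO_PEM": "l1\nl2"}
	back, err := ParseEnv(RenderEnv(sample))
	fmt.Println(err == nil && back["DEMO_TOKEN"] == sample["DEMO_TOKEN"] && back["DEMO_PEM"] == sample["DEMO_PEM"])
}
```

Errors carry only the line number, so a malformed import never prints a secret into a terminal or log.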

Tech notes

Pure Go, single binary, ~25 tests. The interesting parts were the SQLCipher integration (CGo build, has to ship with the right libcrypto) and the cross-platform keyring abstraction. Linux uses libsecret, macOS uses Keychain, Windows uses Credential Manager — all behind a uniform Go interface.

Heavily used in the kulify ecosystem now. Coolify tokens, GitHub tokens, Cloudflare tokens, deployment scripts that need a credential — all read from vault at runtime, never from .env files committed by accident.