vault
Encrypted secrets and env manager. Cross-platform Go CLI with AES-256 SQLCipher.
What it is
A small, sharp CLI for managing secrets across projects on a single developer machine. Every key lives in a SQLCipher-encrypted SQLite file. Project-scoped or global keys. .env import/export so wiring vault into a project’s runtime is one command.
vault key add OPENAI_API_KEY --project=manzas
vault env export --project=manzas > .env
The problem
I had keys scattered across ~/.zshrc, .env files in projects, password managers, and op:// URIs. Each tool with its own ergonomics, none of them sync-friendly across machines, all of them leaking into shell history. I wanted one place that’s encrypted at rest, scoped per project, and frictionless to read into a running process.
The approach
- One encrypted store, AES-256 via SQLCipher. Master password on first run, kept in OS keychain so subsequent calls are silent.
- Project scopes — --project=foo namespaces a key. --project=global for shared things (GITHUB_TOKEN, CF_API_TOKEN).
- .env interop in both directions — import an existing .env into vault, or stream vault contents back out into a runtime .env for local dev.
- Interactive key add — values never appear in shell history. The annoying twin of this: scripting around key add requires a small wrapper, captured in the kulify wiki.
Tech notes
Pure Go, single binary, ~25 tests. The interesting parts were the SQLCipher integration (CGo build, has to ship with the right libcrypto) and the cross-platform keyring abstraction. Linux uses libsecret, macOS uses Keychain, Windows uses Credential Manager — all behind a uniform Go interface.
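One way the uniform keyring interface and the prompt-once master password flow described above could fit together, as an added example rather than vault's own code. The Keyring interface, ErrNotFound, memKeyring, MasterPassword and the "vault"/"master" entry name are all hypothetical, and an in-memory backend stands in for libsecret, Keychain and Credential Manager.

```go
package main

import (
	"errors"
	"fmt"
)

// Keyring is a hypothetical uniform interface; real backends would wrap
// libsecret (Linux), Keychain (macOS) and Credential Manager (Windows).
type Keyring interface {
	Get(service, account string) (string, error) // ErrNotFound when absent
	Set(service, account, secret string) error
}

var ErrNotFound = errors.New("keyring: entry not found")

// memKeyring is an in-memory stand-in backend so the example runs offline.
type memKeyring map[string]string

func (m memKeyring) Get(service, account string) (string, error) {
	if s, ok := m[service+"/"+account]; ok {
		return s, nil
	}
	return "", ErrNotFound
}
func (m memKeyring) Set(service, account, secret string) error {
	m[service+"/"+account] = secret
	return nil
}

// MasterPassword prompts only when the keyring has no entry (first run), then
// caches the answer. Other backend errors are returned, not hidden by a prompt.
func MasterPassword(kr Keyring, prompt func() (string, error)) (string, error) {
	pw, err := kr.Get("vault", "master") // entry name is an assumption
	if err == nil || !errors.Is(err, ErrNotFound) {
		return pw, err // cached hit, or a locked/broken keyring
	}
	if pw, err = prompt(); err != nil {
		return "", err // nothing is cached when the prompt fails
	}
	return pw, kr.Set("vault", "master", pw)
}

func main() {
	kr, prompts := memKeyring{}, 0
	ask := func() (string, error) { prompts++; return "constructed-passphrase", nil }
	_, err1 := MasterPassword(kr, ask) // first run: prompts, then caches
	_, err2 := MasterPassword(kr, ask) // later runs: silent
	fmt.Println("prompts:", prompts, "errors:", err1, err2)
}
```

Returning a backend failure instead of re-prompting keeps a locked or misconfigured keychain from silently turning every call into a password prompt.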
Heavily used in the kulify ecosystem now. Coolify tokens, GitHub tokens, Cloudflare tokens, deployment scripts that need a credential — all read from vault at runtime, never from .env files committed by accident.