Features · Installation · Usage · Security · Dependencies

Vault

vault is a securely encrypted credential manager with a vim-style TUI, built in Rust.

Self-hosted, local-first architecture - your credentials never touch our servers.


✨ Features

  • Secure Storage: Per-credential encryption with ChaCha20-Poly1305 AEAD
  • Strong Key Derivation: Argon2id with 19 MiB memory cost
  • Hierarchical Keys: Master Key wraps DEK (Data Encryption Key), DEK encrypts credentials - enables password changes without re-encrypting data
    • Master key → DEK (wrapped) → Credential keys (encrypted)
  • Full-Text Search: SQLite FTS5 for fast search
  • Search or filter by project/tag: Organize your credentials and keys via tagging
  • Vim Keybindings: Modal editing with hjkl navigation
  • TOTP Support: Generate 2FA codes with countdown timer
  • Password Generator: Configurable CSPRNG password generation
  • Password Strength Checker: Evaluates the security of user passwords in real time, providing feedback on complexity and length to help users create stronger, safer passwords.
  • Audit Trail: Extensive HMAC-signed logs for tamper detection and activity records
  • Auto-clear clipboard: Automatically overwrite or wipe clipboard memory with 0-bytes (Zeroization) after 15 seconds
  • Auto-lock: Automatically lock vault after 3 minutes of inactivity
  • Export: Flexible credential export with format and encryption options
    • Formats: JSON, Plain Text
    • Encryption: None (not recommended), GPG (AES-256), age (ChaCha20-Poly1305)
    • Supports filtered export when search or tag filters are active

⚡ Installation

Prerequisites

  • Requires Rust toolchain (rustc, cargo) to be installed on your system!

Quick Install

Unix (Linux/macOS):

git clone https://github.com/iamKimlong/vault.git
cd vault
cargo build --release && sudo install -m 755 target/release/vault /usr/local/bin/vault

Windows:

git clone https://github.com/iamKimlong/vault.git
cd vault
cargo build --release
Copy-Item .\target\release\vault.exe "$env:LOCALAPPDATA\Microsoft\WindowsApps\"

Alternative Methods

Manual install (per-user)

cargo build --release
# Unix
mkdir -p ~/.local/bin && mv target/release/vault ~/.local/bin/
# Ensure ~/.local/bin is in your PATH

Cargo install

cargo install --path .
# Installs to ~/.cargo/bin (must be in PATH)

Development/testing

cargo run

📜 Note: whenever you update the vault, your credentials will remain unchanged unless you explicitly delete them.

🚀 Usage

vault

Normal Mode

Key            Action
j/k or ↓/↑     Navigate up/down
gg             Go to top
G              Go to bottom
Ctrl+d         Half page down
Ctrl+u         Half page up
Ctrl+f         Page down
Ctrl+b         Page up
Enter          View details
n              New credential
e              Edit credential
dd/x           Delete credential
yy/c           Copy password
u              Copy username
T              Copy TOTP code
Ctrl+t         Copy TOTP secret
Ctrl+s         Toggle password visibility
Ctrl+p         Change master key
Ctrl+l         Clear message
i              View logs
t              View tags
L              Lock vault
/              Search
:              Command mode
?              Help
q              Quit

Commands

  • :q - Quit
  • :new - New credential
  • :project - New project
  • :changepw - Change master key
  • :gen - Generate password
  • :audit - Verify audit log integrity
  • :log - View logs
  • :tag - View existing tags
  • :export - Export credentials with options
  • :help - Show help

🛡️ Security

Encryption

  • ChaCha20-Poly1305 AEAD encryption
  • Argon2id key derivation (19 MiB, 2 iterations) - resistant to GPU/ASIC attacks
  • Unique random salt per vault, embedded in PHC string

Key Architecture

  • Master Key: derived from your password via Argon2id
  • Data Encryption Key (DEK): random 256-bit key that encrypts all credentials
  • Wrapped DEK: DEK encrypted by the Master Key, stored in the database
  • Password changes only re-wrap the DEK - no need to re-encrypt credentials

Memory Protection

  • Zeroized memory for sensitive data
  • mlock()/VirtualLock() to prevent key material from swapping to disk
  • PR_SET_DUMPABLE=0 to prevent core dumps (Unix)

Audit Trail

  • All sensitive actions logged (unlock, create, read, copy, update, delete)
  • HMAC-SHA256 signatures on each log entry
  • Tamper detection on unlock and via :audit command
  • Detects if an attacker modifies or deletes log entries
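
One way to get the modification and deletion detection listed above, shown as an added example that is not vault's own code: each entry's HMAC-SHA256 tag also covers the previous entry's tag, so removing or editing an entry breaks every tag after it. The chaining scheme, the field names, the GENESIS value and the separately stored head tag are assumptions (the README does not describe vault's log format), and Python is used only to keep the sketch dependency-free.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = b"\x00" * 32  # assumed fixed starting value for the chain


def _tag(key: bytes, prev: bytes, seq: int, action: str, target: str) -> bytes:
    # Canonical JSON keeps the MAC input unambiguous; prev is always 32 bytes.
    body = json.dumps([seq, action, target], separators=(",", ":")).encode()
    return hmac.new(key, prev + body, hashlib.sha256).digest()


def append(log: list, key: bytes, action: str, target: str) -> bytes:
    """Append an entry and return its tag, which is the new chain head."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    seq = len(log)
    tag = _tag(key, prev, seq, action, target)
    log.append({"seq": seq, "action": action, "target": target, "tag": tag.hex()})
    return tag


def verify(log: list, key: bytes, expected_head: Optional[bytes] = None):
    """Return (True, None), or (False, index) of the first entry that fails.

    expected_head is the last tag, stored apart from the log (assumption).
    Without it, removal of trailing entries cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        good = _tag(key, prev, i, entry["action"], entry["target"])
        stored = bytes.fromhex(entry["tag"])
        if entry["seq"] != i or not hmac.compare_digest(good, stored):
            return (False, i)
        prev = good
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return (False, len(log))
    return (True, None)


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key; a real one comes from a KDF
    log, head = [], GENESIS
    for action, target in [("unlock", "vault"), ("create", "github"),
                           ("copy", "github"), ("delete", "github")]:
        head = append(log, key, action, target)  # constructed sample events
    print("intact:", verify(log, key, head))
    del log[2]  # simulate an entry removed from the middle of the log
    print("after deletion:", verify(log, key, head))
```

Chaining alone does not reveal entries cut from the end of the log, which is why `verify` accepts a head tag kept outside the log.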

Miscellaneous

  • Auto-lock after 3 minutes
  • Auto-wipe clipboard after 15 seconds with zeroization

⚙️ Dependencies

TUI

Database

Crypto

TOTP

Clipboard

Serialization

Utilities

Development Dependencies

About

A TUI vault for managing various types of secrets. Think Rust performance + ergonomic Vim motions + secure local encryption.
