A minimal local secret vault CLI for developers, built natively on Deno.
- Encrypted secrets at rest (AES-256-GCM)
- Password-based key derivation (
scrypt) - Clean, minimal ASCII logging
- Native cross-platform clipboard support out of the box (
pbcopy,clip,wl-copy,xclip) - Zero dependencies aside from the Deno Standard Library
vaultlet init [--vault <path>] [--force]vaultlet set <key>vaultlet get <key> [-c|--copy] [--raw]vaultlet listvaultlet delete <key>vaultlet destroy
Download the latest binary for your platform from the Releases page.
deno install --global -A -n vaultlet jsr:@mohxmd/vaultletInitialize a new vault:
deno run --allow-env --allow-read --allow-write --allow-run main.ts initStore a secret:
deno run --allow-env --allow-read --allow-write --allow-run main.ts set github_tokenRetrieve a secret directly:
deno run --allow-env --allow-read --allow-write --allow-run main.ts get github_tokenCopy a secret to your clipboard:
deno run --allow-env --allow-read --allow-write --allow-run main.ts get github_token -cSecurely wipe the entire vault and config:
deno run --allow-env --allow-read --allow-write --allow-run main.ts destroyYou can compile Vaultlet into a standalone executable using Deno:
deno task compileThis will produce a vaultlet binary in the bin/ directory.
Vaultlet employs Deno's secure-by-default runtime. The CLI does not use the --allow-all (-A)
flag. Network access is completely disabled.
When compiling or running, Vaultlet strictly requires:
--allow-env: To locateHOMEandUSERPROFILEfor paths.--allow-read/--allow-write: To generate and read the localvault.encandconfig.tomlfiles.--allow-run: To interface with system clipboards (pbcopy,xclip, etc.).
- Config:
~/.config/vaultlet/config.toml - Default vault:
~/.local/share/vaultlet/vault.enc