Vaulty

Secure secret management CLI with GitHub or local storage

Vaulty is a secure CLI tool for managing environment variables, SSH keys, and configuration files. Your secrets are encrypted with AES-256-GCM and can be stored in your GitHub repository or locally.

---

Features

• Secure Encryption — AES-256-GCM with PBKDF2 key derivation (100k+ iterations)
• Multiple Backends — GitHub repository or local file storage
• Session Management — Auto-lock after configurable timeout
• Environment Variables — Load secrets directly into commands with vty run
• Backup & Restore — Export/import vault to compressed archives
• Cross-Platform — Works on macOS, Linux, and Windows
• GitHub CLI Integration — Use gh auth token or set GITHUB_TOKEN

---

Requirements

• Go 1.21+ — For building from source
• GitHub CLI (optional) — For GitHub storage backend

---

Installation

Quick Install

curl -sSL https://raw.githubusercontent.com/sthbryan/vaulty/main/install.sh | bash

From Releases

Download from releases page:

# macOS Apple Silicon
curl -L https://github.com/sthbryan/vaulty/releases/latest/download/vty-darwin-arm64 -o vty
chmod +x vty && sudo mv vty /usr/local/bin/

# Linux AMD64
curl -L https://github.com/sthbryan/vaulty/releases/latest/download/vty-linux-amd64 -o vty
chmod +x vty && sudo mv vty /usr/local/bin/

Build from Source

git clone https://github.com/sthbryan/vaulty.git
cd vaulty
make install

---

Quick Start

1. Create or Link Vault

vty start

Follow the wizard to create a new vault or link to an existing one.

2. Push Secrets

vty push env api .env.api               # Push environment file
vty push env production .env.prod -e prod
vty push ssh deploy ~/.ssh/id_ed25519  # Push SSH key

3. Pull Secrets

vty pull env api -o .                  # Download to current dir
vty pull env production                # Download with original name

4. Run with Secrets

vty run env production -- bun dev      # Inject env vars and run

5. Other Commands

vty list                               # Show vault contents
vty show env api                       # Display secret content
vty delete env old-key                 # Delete a secret
vty export -o backup.vtybk             # Backup vault
vty import backup.vtybk                # Restore from backup
vty update                             # Check for updates
vty logout                             # Lock vault

---

Commands

System Commands

Command	Description
vty start	Create new vault or link to existing
vty login	Unlock vault / extend session
vty logout	Lock vault
vty info	Show session information

Secret Commands

Command	Description
vty push <type> <name> <path>	Push secret to vault
vty pull <type> <name> [-o path]	Pull secret from vault
vty show <type> <name>	Display secret content
vty run <type> <name> -- <cmd>	Execute with secrets as env vars
vty delete <type> <name>	Delete a secret

Backup Commands

Command	Description
vty export [-o file]	Export vault to backup file
vty import <file>	Import from backup file

Utils Commands

Command	Description
vty list	List vault contents
vty update [--check]	Check/install updates

---

Secret Types

Type	Use Case	Example
env	Environment variables	.env, .env.production
ssh	SSH keys	~/.ssh/id_rsa
config	Configuration files	config.json, nginx.conf
resources	Other files	Certificates, licenses

---

Storage Backends

GitHub (Recommended)

Store secrets in a private GitHub repository. Authenticate via:

1. GitHub CLI: gh auth token (recommended)
2. Environment variable: GITHUB_TOKEN
3. Manual token: Enter when prompted

Local

Store secrets in ~/.vaulty/<vault-id>/. No internet required.

---

Configuration

Session stored at ~/.vaulty/session.yaml:

• Duration: Default 8 hours (--session=24h)
• Master key: Stored encrypted, never in plaintext

---

License

MIT License — see LICENSE.