AES-256-GCM · macOS Keychain · Zero Disk Exposure

Secrets belong in a vault, not a .env file

Encrypted local secret manager for developers. Replace hardcoded credentials with a secure, shell-native vault.

Open source · macOS & Linux · Go 1.22+
zsh — ~/projects/myapp
~ $ openvault set OPENAI_API_KEY
Enter value (hidden): ••••••••••••••••••••••••••••
Secret saved · AES-256-GCM · stored in Keychain
~ $ openvault run python main.py
↳ Injecting 3 secrets into environment...
OPENAI_API_KEY · DATABASE_URL · AWS_SECRET_KEY
Running main.py...
AES-256-GCM Encryption
macOS Keychain Master Key
Never Written to Disk
No Shell History Leakage
0600 File Permissions
Random Nonce Per Secret
Key Zeroed from Memory
Open Source

Security-First Design

Built for developers who take secrets seriously

Every design decision prioritizes security without sacrificing developer experience.

AES-256-GCM Encryption
Military-grade encryption with a unique random nonce for every secret, so storing the same value twice never yields the same ciphertext.
256-bit · authenticated cipher
Keychain-Backed Master Key
The 32-byte master key lives exclusively in macOS Keychain — never written to disk, never in your dotfiles.
Security.framework · SecItem
Hidden Input · No History
Values are entered with hidden input, never echoed, and never saved to shell history. Your secrets stay yours.
stty -echo · no HISTFILE
Automatic Injection
Secrets are injected into the process environment before every command run. No manual exports needed.
openvault run <cmd>
Strict File Permissions
Database file uses 0600 and directories use 0700, following Unix security best practices.
chmod 0600 · 0700
Memory Safety
Cryptographic keys are explicitly zeroed from memory upon closure, minimizing the window for memory-based attacks.
memset zero on close

256-bit encryption key · AES-GCM
0 bytes written to disk · Master key
<1s secret inject latency · Per command
Nonce uniqueness · Per secret

Quick Setup

Up and running in under a minute

Four commands. One vault. No configuration files leaking secrets.

1. Install OpenVault
Download a binary for macOS or Linux, or build from source with Go 1.22+.
go install github.com/npc-live/openvault@latest
2. Initialize your vault
Creates an encrypted database and stores your master key securely in macOS Keychain.
openvault init
3. Store your secrets
Input is hidden and never recorded. Each value is encrypted with a unique nonce before writing.
openvault set DATABASE_URL
4. Run commands with auto-injection
OpenVault decrypts and injects secrets into the subprocess environment. No export needed.
openvault run npm start

Stop leaking credentials. Start using OpenVault.

Free, open source, and works with every shell and CI system.

Open source · MIT License