vaulted-cli
v1.0.1
Zero-knowledge encrypted secret sharing from the command line. End-to-end encrypted, zero dependencies.
Share secrets from the terminal. End-to-end encrypted. Zero knowledge.
The official CLI for vaulted.fyi — encrypt and share secrets without the server ever seeing your data. All encryption happens locally with AES-256-GCM. The decryption key never leaves your machine.
Zero dependencies. Single binary. Works with npx.
Share passwords, API keys, .env files, database credentials, and tokens — with a link that self-destructs after a set number of views or a time limit.
Quick start
# No install needed
npx vaulted-cli "my-api-key"
# → https://vaulted.fyi/s/abc123#key
# Or install globally
npm install -g vaulted-cli
vaulted "my-api-key"
Requires Node.js 18.3+.
Create secrets
# Pass as argument
vaulted "my-api-key"
# Pipe from stdin
echo "DB_PASSWORD=hunter2" | vaulted
cat .env | vaulted
# Read from file
vaulted --file .env.local
# Set view limit and expiration
vaulted "secret" --views 1 --expires 1h
# Add passphrase protection
vaulted "secret" -p mypassphrase -v 3 -e 7d
Outputs a single URL to stdout — ready to share or pipe:
vaulted "secret" | pbcopy # copy to clipboard (macOS)
vaulted "secret" | xclip -selection clipboard # copy to clipboard (Linux)
Retrieve secrets
vaulted get https://vaulted.fyi/s/abc123#key
# Passphrase-protected
vaulted get https://vaulted.fyi/s/abc123#wrapped.salt -p mypassphrase
Plaintext goes to stdout. Metadata (views remaining) goes to stderr:
vaulted get https://vaulted.fyi/s/abc123#key > secret.txt
Options
Create options
| Flag | Short | Default | Values |
|---|---|---|---|
| --views <n> | -v | 0 (unlimited) | 0, 1, 3, 5, 10 |
| --expires <dur> | -e | 24h | 1h, 24h, 7d, 30d |
| --passphrase <text> | -p | — | any string |
| --file <path> | -f | — | file path |
| --host <url> | | https://vaulted.fyi | URL |
Retrieve options
| Flag | Short | Description |
|---|---|---|
| --passphrase <text> | -p | Required if the secret is passphrase-protected |
Security model
You                       Server                        Recipient
│                            │                              │
│  encrypt(secret, key)      │                              │
│ ──── POST ciphertext ────► │  stores ciphertext only      │
│ ◄─── secret ID ──────────  │                              │
│                            │                              │
│ share URL with #key ────────────────────────────────────► │
│                            │                              │
│                            │ ◄─── GET ciphertext ──────   │
│                            │ ──── ciphertext ──────────►  │
│                            │                              │
│                            │                  decrypt(ciphertext, key)
- Your secret is encrypted locally with AES-256-GCM before anything is sent
- Only the ciphertext is stored on the server
- The decryption key lives in the URL fragment (#) — never sent to the server
- The recipient decrypts locally using the key from the URL
Passphrase-protected secrets add a second layer: the encryption key is wrapped with PBKDF2 + AES-KW, so the URL alone isn't enough to decrypt.
Links are fully interchangeable between the CLI and the web app.
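The flow described in this section, sketched with Node's WebCrypto API as an added example (not vaulted-cli's own code). `seal` and `unseal` are hypothetical names, and the base64url encoding, IV-prefix layout, SHA-256 hash and 600,000-iteration PBKDF2 setting are assumptions the page does not specify.

```javascript
// Added illustration, not vaulted-cli source. Encodings, IV placement and the
// PBKDF2 hash/iteration count are assumptions; the page does not specify them.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const b64u = (buf) => Buffer.from(buf).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url');
const GCM = { name: 'AES-GCM', length: 256 };

// Passphrase + salt -> AES-KW key-encryption key (KEK).
async function deriveKek(passphrase, salt) {
  const base = await wc.subtle.importKey(
    'raw', Buffer.from(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 600_000 },
    base, { name: 'AES-KW', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Sender side. serverBlob is all the server would receive; fragment stays in
// the URL after '#', which clients do not include in HTTP requests.
async function seal(secret, passphrase) {
  const key = await wc.subtle.generateKey(GCM, true, ['encrypt', 'decrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh per secret
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, Buffer.from(secret));
  const serverBlob = b64u(Buffer.concat([iv, Buffer.from(ct)]));
  if (!passphrase) {
    return { serverBlob, fragment: b64u(await wc.subtle.exportKey('raw', key)) };
  }
  const salt = wc.getRandomValues(new Uint8Array(16));
  const kek = await deriveKek(passphrase, salt);
  const wrapped = await wc.subtle.wrapKey('raw', key, kek, 'AES-KW');
  return { serverBlob, fragment: `${b64u(wrapped)}.${b64u(salt)}` }; // #wrapped.salt
}

// Recipient side. Rejects on a wrong passphrase (AES-KW integrity check) or
// on modified ciphertext (GCM authentication tag).
async function unseal(serverBlob, fragment, passphrase) {
  const [keyPart, saltPart] = fragment.split('.');
  if (saltPart && !passphrase) throw new Error('passphrase required');
  const key = saltPart
    ? await wc.subtle.unwrapKey('raw', unb64u(keyPart),
        await deriveKek(passphrase, unb64u(saltPart)), 'AES-KW', GCM, false, ['decrypt'])
    : await wc.subtle.importKey('raw', unb64u(keyPart), GCM, false, ['decrypt']);
  const blob = unb64u(serverBlob);
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: blob.subarray(0, 12) }, key, blob.subarray(12));
  return Buffer.from(pt).toString('utf8');
}
```

With a passphrase, the fragment holds only the wrapped key and salt, so someone who obtains the full URL still needs the passphrase to recover the AES-GCM key.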
Self-hosted
Point the CLI at your own Vaulted instance:
vaulted "secret" --host https://vault.mycompany.com
vaulted get https://vault.mycompany.com/s/abc123#key
Why vaulted-cli?
- True end-to-end encryption — the server is zero-knowledge by design
- Zero dependencies — single bundled file, fast npx startup
- Pipe-friendly — stdout for data, stderr for diagnostics
- Cross-compatible — links work in both CLI and web app
- Passphrase support — optional second factor for sensitive secrets
- Self-hostable — bring your own backend
Alternatives
Looking for a CLI to share secrets securely? Here's how vaulted-cli compares:
| | vaulted-cli | OneTimeSecret | Password Pusher | Yopass |
|---|---|---|---|---|
| Client-side encryption | Yes | No | No | Yes |
| npm / npx | Yes | No | Python (pip) | No (Go binary) |
| Zero dependencies | Yes | — | — | — |
| Passphrase wrapping | Yes | Server-side | Server-side | Yes |
| Self-hostable | Yes | Yes | Yes | Yes |
Related
- vaulted.fyi — Web app
- GitHub — Built by @maximn
License
MIT
