vaultly
v1.0.3
Published
Zero-dependency command-line vault — passwords and documents as individually encrypted files, organized like folders, sealed with one master password, synced through git
Maintainers
Readme
Vaultly is a zero-dependency command-line vault for passwords and private documents.
Every secret lives as its own AES-256-GCM encrypted file, organized in folders like aws/admin,
unlocked by a single master password — and because the vault is just a directory of ciphertext,
it syncs anywhere through git.
Why vaultly?
- 🔐 One password, everything sealed. Each entry is encrypted on its own — fresh scrypt salt and IV per file, GCM-authenticated so tampering is detected. Nothing ever touches disk in plaintext.
- 🗂 Secrets that nest like folders.
aws/admin,work/gcp/service-account— browse them as a tree, fetch them by path. - 💡 It meets you halfway. Typo a name and vaultly suggests the closest matches; hit a folder and it shows you what's inside.
- ☁️ Sync without a service. The vault is a git repo of ciphertext — push it to a private GitHub repo and pull it on every machine you own. No server, no subscription, no trust in anyone's cloud.
- 🪶 Zero dependencies. ~600 lines of Node.js and nothing in
node_modules. Audit it over coffee.
Install
git clone https://github.com/doron2402/vaultly.git && cd vaultly
npm run link # links globally — the `vaultly` command is now on your PATH
vaultly init # pick your master password — it encrypts everythingThe vault lives at ~/.vaultly (override with VAULTLY_HOME).
Usage
# Generate, store and print a password
vaultly generate aws/admin -n 24
vaultly generate github/personal --no-symbols
# Fetch a secret — bare path works
vaultly aws/admin
vaultly get aws/admin -c # copy to clipboard instead of printing
# Store something you already have (hidden prompt)
vaultly insert stripe/live-key
# Store a document / file, encrypted
vaultly insert aws/ssh-key -f ~/.ssh/id_rsa
# Browse
vaultly list
vaultly list aws
# Delete
vaultly rm github/personal
# Change the master password — re-encrypts every entry with the new one
vaultly passwdSuggestions
Typos get you close matches, and hitting a folder shows what's inside:
$ vaultly aws/dor
vaultly: nothing stored at 'aws/dor'. Did you mean:
aws/admin
$ vaultly aws
vaultly: 'aws' is a folder. Entries inside:
aws/admin
aws/prod/rootSync with GitHub
Create a private repo on GitHub, then:
vaultly sync setup [email protected]:you/vaultly-vault.git # one time
vaultly sync # commit + pull + push
vaultly sync status # what would syncOnce linked, every generate, insert, rm and passwd auto-commits locally;
vaultly sync pushes those commits and pulls changes from other machines.
Only ciphertext ever leaves your machine — GitHub sees .pass blobs it can't read.
On a second machine, clone the repo as your vault and use the same master password:
git clone [email protected]:you/vaultly-vault.git ~/.vaultlyIf both machines change the same entry, vaultly sync reports the conflict and leaves
the vault untouched — resolve it in ~/.vaultly like any git conflict, then sync again.
Options
| Flag | Meaning |
|---|---|
| -n <chars> | Password length (default 20) |
| --no-symbols | Alphanumeric passwords only |
| -c, --copy | Copy to clipboard instead of printing |
| -f <file> | Read the secret's content from a file |
Scripting
Set VAULTLY_PASSWORD to skip the master-password prompt:
VAULTLY_PASSWORD=... vaultly aws/adminvaultly passwd also honors VAULTLY_PASSWORD (current password) and
VAULTLY_NEW_PASSWORD (new one) for non-interactive use.
Security notes
- Your master password is never stored; a small encrypted verifier in
config.jsondetects wrong passwords. - Each
.passfile carries its own scrypt salt + IV; GCM authentication detects tampering and corruption. - Changing the master password stages every re-encrypted file first and swaps atomically — a failure mid-way leaves the vault untouched.
- Files are written
0600, vault directories0700. - Entry names are visible as filenames (that's what makes suggestions and git sync work) — keep the sync repo private.
- Losing the master password means losing the vault. There is no recovery. That's the point.
Test
npm testLicense
MIT
