TinyVaultSecrets that never leave your machine.

A single Go binary — an encrypted local vault, a full .env toolkit, and an MCP server for AI agents. No servers, no accounts, no cloud.

Get Started

What is TinyVault?

View on GitHub

🔐

Strong, simple crypto

AES-256-GCM with a two-tier passphrase → KEK → per-project DEK hierarchy. Argon2id (64 MiB, memory-hard) key derivation. Keys zeroed from memory after use.

📦

One binary, zero deps

tvault is the CLI, the MCP server, and an interactive terminal studio. No database server, no Docker, no network — just one encrypted bbolt file.

🤖

Built for AI agents

A 21-tool MCP server where secret values never enter the model's context. Inject into a subprocess, write to disk, or seal to a recipient instead.

🧬

A real .env toolkit

Safe dotenv parsing (no shell expansion), tvault:// placeholders, two-way sync, drift diffs, and commit-safe .env.encrypted files.

🤝

Share without the passphrase

X25519 recipients (age-style) let a teammate, CI runner, or agent read a project with their own key. Revoking rotates the key and re-encrypts everything.

🌿

Commit secrets safely

Transparent git filters and sealed files keep ciphertext in history and plaintext in your working tree — git-crypt style, with no passphrase in the repo.

🕰️

Versioned & recoverable

Every overwrite archives the prior value. Inspect history, read a past version, and roll back non-destructively. History survives key rotation.

⚡

Unlock once

An opt-in local agent holds the vault unlocked over a private 0600 socket, so daily get/env/run skip the prompt and the Argon2id cost. Auto-locks when idle.

Install & go

bash

# Homebrew (macOS / Linux)
brew install abdul-hamid-achik/tap/tvault

# or with Go
go install github.com/abdul-hamid-achik/tinyvault/cmd/tvault@latest