ds-vault: Encrypted Password Vault for Emacs

Overview

ds-vault is a minimal, hardened Emacs Lisp utility for encrypting, decrypting, and managing a KeePassXC-compatible password database using GnuPG.

It uses the external gpg command for maximal control, auditability, and OPSEC transparency.

DeadSwitch does not trust abstractions. This vault is silent, verifiable, and self-destructing by design.

Why External GPG?

DeadSwitch uses raw gpg intentionally:

Full Transparency: You see every step. No hidden agents.
Cross-Tool Compatibility: Decrypt from the terminal if Emacs disappears.
No Trust in Caching: Explicit keys, explicit files, explicit logic.
Real Signing Flow: --sign + --encrypt = your data is yours alone.

Installation

Clone or copy this repo.

Add it to your load-path:

(add-to-list 'load-path "/path/to/ds-vault/")
(require 'ds-vault)

Create a config file (ds-vault-config.el) that defines:

(defvar ds/key-id "YOUR-GPG-KEY-ID")
(defvar ds/clear-db "/path/to/vault.kdbx")
(defvar ds/encrypted-db "/path/to/vault.kdbx.gpg")
(defvar ds/backup-dir "/path/to/backups/")
(defvar ds/timestamp (format-time-string "%Y%m%d-%H%M%S"))

Usage

Call the commands from M-x or bind them to keys.

Command	Description
`ds/vault-encrypt`	Encrypt and sign the vault
`ds/vault-decrypt`	Decrypt the vault
`ds/vault-status`	Check if vault is sealed or exposed
`ds/vault-backup`	Backup the encrypted vault with version
`ds/vault-help`	Show usage instructions

Status Output

The status check is brutally honest:

Vault is ENCRYPTED - you're good.
Vault is PLAIN TEXT - seal it now.
Insecure state - both files exist. Fix it.
No vault files found - nothing to protect… yet.

Philosophy

DeadSwitch believes encryption should be:

Explicit
Reversible
Offline-friendly
Not reliant on agents or GUIs

This vault reflects that mindset.

Example Workflow

M-x ds/vault-status
M-x ds/vault-encrypt
M-x ds/vault-backup
M-x ds/vault-decrypt

License

MIT - because freedom includes the freedom to vanish.

Author

DeadSwitch | The Silent Architect