ghostware/vault-crypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5 Commits 1 Branch 0 Tags
master
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
DeadSwitch ed3af56c1d Minor changes in the readme.
2025-07-18 20:07:42 +02:00
examples
initial commit
2025-04-22 20:36:15 +02:00
.gitignore
initial commit
2025-04-22 20:36:15 +02:00
README.md
Minor changes in the readme.
2025-07-18 20:07:42 +02:00
vault-crypt.sh
Clearer readme and script header.
2025-07-18 20:04:38 +02:00

README.md

vault-crypt

Minimalist encryption for those who live off the grid.
A GPG-powered vault manager for your .kdbx password databases.
No GUI. No cloud. Just your keys, your vault, and the silence between.

What is vault-crypt?

A BASH script that:

  • Encrypts and signs your KeePassXC .kdbx file using GPG.
  • Decrypts when needed, verifies signature integrity.
  • Purges the unsealed vault to eliminate traces.
  • Backs up your encrypted vault with timestamped versions.

All operations are local. No 3rd-party sync.
You are the cloud. You are the guardian.

Philosophy

Your vault is your memory.
Sign it with your hand.
Seal it with your ghost.
Let no cloud eat what you protect.
— DeadSwitch

Features

  • GPG encryption + signature validation
  • File wiping of plaintext vaults
  • Timestamped backup creation
  • Lightweight and auditable
  • Config via .env file

File Structure

.
├── examples
│   └── sample.env
├── README.md
└── vault-crypt.sh

Setup

Clone the repo

git clone https://github.com/DeadSwitch404/vault-crypt.git
cd vault-crypt

Copy and configure your env:

cp examples/sample.env .env.pwmanager
nano .env.pwmanager

Make the script executable:

chmod +x vault-crypt.sh

Test your GPG setup:

gpg --list-keys

Commands

./vault-crypt.sh encrypt    # Encrypt and sign the KeePass DB
./vault-crypt.sh decrypt    # Decrypt and validate the vault
./vault-crypt.sh status     # Show vault state
./vault-crypt.sh backup     # Create encrypted, timestamped backup
./vault-crypt.sh help       # Show usage

Example .env.pwmanager

KEY_ID="deadbeef42"
PW_DIR="$HOME/vault/passwords"
CLEAR_PW_DB="secrets.kdbx"
CRYPT_PW_DB="secrets.kdbx.gpg"
BACKUP_DIR="$HOME/vault/backups"
TIMESTAMP=$(date +"%Y%m%d-%H%M")
CURRENT_DIR="$PWD"

Important:

Keep this .env file outside of version control. DeadSwitch recommends using chmod 600 and storing it on encrypted storage.

Bonus: Harden Your Flow

  • Use shred or srm to wipe files on exit (manual or optional enhancement).
  • Alias vault-crypt.sh decrypt to open-sesame for that final hacker vibe.
  • Run via cron for daily encrypted backups to external storage (offline preferred).

Backdoor-Free Guarantee

Audit it yourself.

You're home.

License

MIT.

Use. Fork. Adapt. Ghost away.

But respect the silence. Credit DeadSwitch.

DeadSwitch | The Silent Architect

Reference in New Issue View Git Blame Copy Permalink
Description
Minimalist GPG-powered vault encryption for KeePassXC. No cloud. No traces. Just your keys, your silence, and the seal.
bashcybersecuritydeadswitchencryptiongpginfoseckeepassxclinuxlocal-firstopsecprivacyvault
Readme 39 KiB
Languages
Shell 100%