# 🔐 Vault
A local-first, multi-tenant password manager with optional cloud synchronization. Built in Rust for memory safety and performance.
## Features
- **🔒 Zero-Knowledge Encryption**: AES-256-GCM and ChaCha20-Poly1305 with Argon2id key derivation
- **🏠 Local-First**: Works completely offline, cloud sync is optional
- **🏢 Multi-Tenant**: Organizations, projects, and role-based access control
- **☁️ Cloud Sync**: Optional encrypted sync via S3, Postgres, or other backends
- **🛡️ Security**: Memory-safe Rust implementation with automatic secret zeroization
- **🎨 Beautiful CLI**: Intuitive commands with progress indicators and colored output
## Quick Start
### Installation
```bash
# Install via script (recommended)
# Or build from source
git clone https://github.com/vault/vault.git
cd vault
cargo build --release
```
### Basic Usage
```bash
# Initialize vault for your organization
vault init --tenant acme-corp --admin alice@acme.com
# Login to your tenant
vault login --tenant acme-corp
# Store a secret
vault put github-token --namespace development
# Enter secret value: [hidden input]
# Retrieve a secret
vault get github-token --namespace development
# List all secrets in a namespace
vault list --namespace development
# Sync with cloud (optional)
vault sync push
```
## Architecture
### Local Storage
- **Database**: Sled (embedded key-value store)
- **Encryption**: Client-side AES-256-GCM encryption
- **Key Derivation**: Argon2id with configurable parameters
### Cloud Sync (Optional)
- **Backends**: S3, Postgres, or custom implementations
- **Security**: Zero-knowledge: the sync server only ever sees ciphertext; keys and plaintext never leave the client
- **Conflict Resolution**: Vector clocks with merge UI
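The bullet above says conflicts are detected with vector clocks, but does not show what that means for a secret edited on two hosts while one of them is offline. The following is an added illustration written for this README, not code from the Vault project: a minimal vector clock over `std` only, plus a `reconcile` step that decides whether `vault sync pull` can take a version automatically or must hand both versions to the merge UI. The host names, the `SyncDecision` variants and the scenario in `main` are constructed for the example.

```rust
use std::collections::BTreeMap;

/// Logical clock with one counter per syncing host. It is stored as plaintext
/// metadata next to the ciphertext: it reveals how often each host edited the
/// secret, never the secret's value.
#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct VectorClock {
    counters: BTreeMap<String, u64>,
}

/// Causal relationship between two versions of the same secret.
#[derive(Debug, PartialEq, Eq)]
pub enum ClockOrder {
    Equal,      // same version on both sides
    Before,     // `self` is an ancestor of `other`: other is strictly newer
    After,      // `self` is strictly newer than `other`
    Concurrent, // neither dominates: both hosts edited independently
}

impl VectorClock {
    pub fn new() -> Self {
        Self::default()
    }

    /// Record a local edit made on `host`.
    pub fn tick(&mut self, host: &str) {
        *self.counters.entry(host.to_string()).or_insert(0) += 1;
    }

    /// Counter for `host`; a host that never edited the secret counts as 0.
    pub fn get(&self, host: &str) -> u64 {
        self.counters.get(host).copied().unwrap_or(0)
    }

    /// Compare component-wise over the union of hosts known to either clock.
    pub fn compare(&self, other: &VectorClock) -> ClockOrder {
        let mut self_ahead = false;
        let mut other_ahead = false;
        for host in self.counters.keys().chain(other.counters.keys()) {
            let (a, b) = (self.get(host), other.get(host));
            if a > b {
                self_ahead = true;
            }
            if b > a {
                other_ahead = true;
            }
        }
        match (self_ahead, other_ahead) {
            (false, false) => ClockOrder::Equal,
            (true, false) => ClockOrder::After,
            (false, true) => ClockOrder::Before,
            (true, true) => ClockOrder::Concurrent,
        }
    }

    /// Component-wise maximum: the clock a merged version must carry so that it
    /// dominates both inputs and is not reported as a conflict on the next pull.
    pub fn merge(&self, other: &VectorClock) -> VectorClock {
        let mut merged = self.clone();
        for (host, &count) in &other.counters {
            let slot = merged.counters.entry(host.clone()).or_insert(0);
            if count > *slot {
                *slot = count;
            }
        }
        merged
    }
}

/// What a pull should do with one secret, given its local and remote clocks.
#[derive(Debug, PartialEq, Eq)]
pub enum SyncDecision {
    UpToDate,
    KeepLocal,
    TakeRemote,
    Conflict, // hand both versions to the merge UI
}

pub fn reconcile(local: &VectorClock, remote: &VectorClock) -> SyncDecision {
    match local.compare(remote) {
        ClockOrder::Equal => SyncDecision::UpToDate,
        ClockOrder::After => SyncDecision::KeepLocal,
        ClockOrder::Before => SyncDecision::TakeRemote,
        ClockOrder::Concurrent => SyncDecision::Conflict,
    }
}

fn main() {
    // Constructed scenario: host-a creates the secret and pushes it ...
    let mut a = VectorClock::new();
    a.tick("host-a");
    // ... host-b pulls that version and edits it ...
    let mut b = a.clone();
    b.tick("host-b");
    // ... while host-a, offline, edits its own copy again.
    a.tick("host-a");
    println!("host-a {:?} vs host-b {:?}: {:?}", a, b, reconcile(&a, &b));
    println!("clock after merge: {:?}", a.merge(&b));
}
```

The design point is that a plain "last write wins" timestamp would silently discard one of the two edits in the scenario above; the vector clock reports `Concurrent`, so the client can stop and ask, and the merged result carries the pointwise maximum so it dominates both inputs afterwards.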
### Multi-Tenancy
- **Tenants**: Top-level organizations
- **Namespaces**: Project-level secret scoping
- **Roles**: Admin, Owner, Writer, Reader, Auditor
- **Sessions**: JWT-based authentication with expiration
## Security
### Encryption
- **Symmetric**: AES-256-GCM (primary), ChaCha20-Poly1305 (alternative)
- **Key Derivation**: Argon2id with high memory cost (configurable)
- **Envelope Encryption**: Optional integration with AWS KMS, GCP KMS, Azure KeyVault
- **Memory Safety**: Automatic zeroization of secrets in memory
### Threat Model
- ✅ Protects against data breaches (encrypted at rest)
- ✅ Protects against network interception (encrypted in transit)
- ✅ Protects against server compromise (zero-knowledge)
- ✅ Protects against memory dumps (secrets are zeroized in memory as soon as they are no longer needed)
- ⚠️ Does not protect against compromised client devices
- ⚠️ Does not protect against weak master passwords
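The "Memory Safety" bullet and the memory-dump line of the threat model both rely on secrets being wiped when they go out of scope. The block below is an added, `std`-only illustration of what that wrapper has to get right; it is not the Vault project's own implementation (a production code base would normally use the `zeroize` crate, which handles more cases). The type name `SecretBytes`, the `expose()` accessor and the sample values are constructed for the example.

```rust
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite a buffer with zeros using volatile stores. A plain loop or
/// `fill(0)` on a buffer that is about to be freed is a "dead store" and the
/// optimizer may legally delete it; volatile writes cannot be removed.
pub fn zeroize(buf: &mut [u8]) {
    for byte in buf.iter_mut() {
        // SAFETY: `byte` is a valid, aligned, exclusively borrowed u8.
        unsafe { ptr::write_volatile(byte, 0) };
    }
    // Keep later memory operations from being reordered ahead of the wipe.
    compiler_fence(Ordering::SeqCst);
}

/// Owned secret material (a decrypted value or a derived key) that is wiped
/// when it goes out of scope, so a later heap dump does not find it.
pub struct SecretBytes {
    inner: Vec<u8>,
}

impl SecretBytes {
    pub fn new(bytes: Vec<u8>) -> Self {
        SecretBytes { inner: bytes }
    }

    /// Deliberately explicit accessor: grepping for `expose()` shows every
    /// place plaintext is used.
    pub fn expose(&self) -> &[u8] {
        &self.inner
    }

    pub fn len(&self) -> usize {
        self.inner.len()
    }

    pub fn is_empty(&self) -> bool {
        self.inner.is_empty()
    }
}

impl Drop for SecretBytes {
    fn drop(&mut self) {
        zeroize(&mut self.inner);
    }
}

/// Redacted Debug output, so an accidental `{:?}` in a log line or error
/// message does not leak the value into the audit trail.
impl fmt::Debug for SecretBytes {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "SecretBytes([REDACTED; {} bytes])", self.inner.len())
    }
}

/// Keep the secret alive only as long as it is needed: the wipe happens at
/// the end of this scope, which is the window a memory dump could still hit.
pub fn use_secret_briefly(secret: Vec<u8>) -> usize {
    let s = SecretBytes::new(secret);
    s.expose().len()
} // `s` dropped here: buffer zeroized, then freed

fn main() {
    // Constructed sample value, not a real token.
    let token = SecretBytes::new(b"ghp_constructed_example_value".to_vec());
    println!("logged as: {:?}", token);
    println!("used {} bytes", use_secret_briefly(b"abc".to_vec()));
}
```

Two limits worth knowing when reading the threat model: the wrapper only wipes the buffer it owns, so copies made by `clone()`, by a `Vec` that reallocates while growing, or by an intermediate `String` are not covered, and nothing is wiped until the value is actually dropped. Constructing the buffer at its final size and keeping `SecretBytes` values in the narrowest possible scope keeps both gaps small.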
## Development
### Project Structure
```
vault/
├── src/ # Rust CLI source code
├── test.code/ # Integration tests and examples
├── website/ # React marketing website
└── docs/ # Documentation
```
### Testing
```bash
# Run unit tests
cargo test
# Run integration tests
cd test.code
./scripts/run-tests.sh
# Test multi-host sync
./scripts/simulate-sync.sh
```
### Building
```bash
# Debug build
cargo build
# Release build
cargo build --release
# Cross-platform builds
cargo install cross
cross build --target x86_64-pc-windows-gnu
cross build --target x86_64-apple-darwin
```
## Configuration
Create `~/.config/vault/config.toml`:
```toml
storage_path = "~/.vault/vault.db"
tenant_id = "my-org"
[cloud_sync]
backend = "S3"
region = "us-east-1"
bucket = "my-vault-bucket"
# Optional KMS integration
# kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/..."
```
## Commands
### Core Operations
- `vault init` - Initialize new vault
- `vault login` - Authenticate to tenant
- `vault put <key>` - Store secret
- `vault get <key>` - Retrieve secret
- `vault list` - List secrets
- `vault delete <key>` - Delete secret
### Sync Operations
- `vault sync push` - Upload encrypted secrets to cloud
- `vault sync pull` - Download and merge secrets from cloud
- `vault sync status` - Show sync status
### Management
- `vault roles add` - Add user to tenant
- `vault audit tail` - View audit logs
- `vault export` - Export encrypted backup
- `vault import` - Import from backup
## License
MIT License - see [LICENSE](LICENSE) for details.
## Contributing
1. Fork the repository
2. Create a feature branch
3. Add tests for new functionality
4. Ensure all tests pass
5. Submit a pull request
## Security Reporting
Report security vulnerabilities to security@vault.dev (PGP key available).
## Roadmap
- [ ] Hardware security key support (YubiKey, WebAuthn)
- [ ] Browser extension for autofill
- [ ] Mobile apps (iOS/Android)
- [ ] Audit log streaming to SIEM systems
- [ ] Plugin system for custom backends
- [ ] GUI application (Tauri-based)