Kalvin Carefour Johnny 02474197a9
Merge pull request #4 from kalvin0x8d0/claude/security-stability-refactor-Qrhdl
Security and stability refactoring: Comprehensive improvements
2026-03-30 18:20:59 +08:00
backend Security and stability refactoring: Comprehensive improvements 2026-03-30 10:00:57 +00:00
secure-vault_ynh Security and stability refactoring: Comprehensive improvements 2026-03-30 10:00:57 +00:00
.env.example Update .env.example 2026-03-30 12:03:35 +08:00
.gitignore Move secrets to .env file, add .env.example template 2026-03-20 12:43:23 +00:00
CLAUDE.md Create CLAUDE.md 2026-03-30 11:41:41 +08:00
docker-compose.yaml Update docker-compose.yaml 2026-03-30 12:03:18 +08:00
LICENSE Update LICENSE 2026-03-28 00:03:28 +08:00
nginx.conf Fix security vulnerabilities, bugs, and improve robustness 2026-03-20 12:35:00 +00:00
README.md Update README with AI Generated and CC0 badges 2026-03-21 15:57:51 +08:00

Secure Vault

A lightweight, self-hosted, zero-knowledge credential manager.

CC0 1.0 Universal (CC0 1.0) Public Domain Dedication

AI Generated Badge

Stack

  • Backend: Go 1.22 — small binary, no CGO required
  • Database: SQLite (Docker volume)
  • Frontend: Single HTML file — Web Crypto API (AES-GCM 256-bit, PBKDF2)
  • Deployment: Docker Compose + Nginx reverse proxy

Security model

  • All encryption and decryption happens in the browser only
  • The Go backend stores only opaque AES-GCM encrypted blobs
  • The vault key is derived with PBKDF2 (310,000 iterations, SHA-256) and never leaves your device
  • Server-side authentication uses bcrypt separately from vault key derivation
  • Each entry uses a unique random IV
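
The model above in Web Crypto calls, as an added example that is not the project's own code: it derives the vault key with the stated PBKDF2 parameters, encrypts an entry under a fresh IV, and shows that a modified blob or a wrong password fails the AES-GCM tag check. The function names, the 16-byte salt, the 12-byte IV, the JSON entry layout and the sample values are assumptions.

```javascript
// Added example: names and record layout are assumptions, not the project's code.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();

// PBKDF2 (SHA-256, 310,000 iterations) -> non-extractable AES-GCM 256-bit key.
async function deriveVaultKey(masterPassword, salt) {
  const material = await webcrypto.subtle.importKey(
    "raw", enc.encode(masterPassword), "PBKDF2", false, ["deriveKey"]);
  return webcrypto.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: 310000 },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Encrypt one entry under a fresh random IV; the result is all a server would see.
async function encryptEntry(key, entry) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const ct = await webcrypto.subtle.encrypt(
    { name: "AES-GCM", iv }, key, enc.encode(JSON.stringify(entry)));
  return { iv, ciphertext: new Uint8Array(ct) };
}

// Decrypt and parse; throws if the GCM tag does not verify.
async function decryptEntry(key, blob) {
  const pt = await webcrypto.subtle.decrypt(
    { name: "AES-GCM", iv: blob.iv }, key, blob.ciphertext);
  return JSON.parse(new TextDecoder().decode(pt));
}

// True when decryption is rejected (wrong key or modified blob).
async function rejects(key, blob) {
  try { await decryptEntry(key, blob); return false; } catch { return true; }
}

async function demo() {
  const salt = webcrypto.getRandomValues(new Uint8Array(16)); // constructed salt
  const key = await deriveVaultKey("correct horse battery staple", salt);
  const entry = { title: "example.org", password: "s3cret-sample" }; // constructed
  const a = await encryptEntry(key, entry);
  const b = await encryptEntry(key, entry);
  const tampered = { iv: a.iv, ciphertext: a.ciphertext.slice() };
  tampered.ciphertext[0] ^= 1; // a single bit changed in the stored blob
  const wrongKey = await deriveVaultKey("a different password", salt);
  return {
    roundTrip: await decryptEntry(key, a),
    ivsDiffer: a.iv.join() !== b.iv.join(),
    tamperRejected: await rejects(key, tampered),
    wrongKeyRejected: await rejects(wrongKey, a),
  };
}
```

Calling `demo()` in a browser console or in Node resolves to an object with the round-tripped entry and three `true` flags.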

Setup

1. Clone / copy files

secure-vault/
├── backend/
│   ├── Dockerfile
│   ├── go.mod
│   ├── main.go
│   └── static/
│       └── index.html
├── docker-compose.yml
└── nginx.conf

2. Generate a JWT secret

openssl rand -hex 32

Paste the output into docker-compose.yml as JWT_SECRET.

3. Configure docker-compose.yml

Set APP_URL to your domain. Optionally fill in SMTP details for email invites (leave blank to skip — invite links are still generated and displayed in the UI).

4. Build and start

cd secure-vault
docker compose up -d --build

5. Configure Nginx (YunoHost)

Copy nginx.conf to your Nginx config directory and update the SSL cert paths if needed:

sudo cp nginx.conf /etc/nginx/conf.d/vault.kalvin.obulou.org.conf
sudo nginx -t
sudo systemctl reload nginx

6. First run

Navigate to https://vault.kalvin.obulou.org. The first visit will show a setup screen — create your admin account. Your master password must be at least 12 characters.


Usage

| Action | How |
| --- | --- |
| Lock vault | Click 🔒 in the top bar |
| Add an entry | Click Add Entry |
| Add fields | Use Password field / Text field in the modal |
| Copy a value | Click 📋 next to any field |
| Clear clipboard | Click 📋 in the top bar (writes a zero-width character) |
| Invite a user | Click 📨 Invite (admin only) |
| Toggle theme | Click ☀️ / 🌙 |

Updating

docker compose pull   # if using a registry
docker compose up -d --build

SQLite data is on a named Docker volume (secure-vault-data) and persists across rebuilds.

Backup

# Quote the bind-mount path so a working directory containing spaces still mounts correctly
docker run --rm \
  -v secure-vault-data:/data \
  -v "$(pwd)":/backup \
  alpine tar czf "/backup/vault-backup-$(date +%F).tar.gz" /data

go.sum note

On first build, go mod tidy runs automatically in the Docker build stage to generate go.sum. If you want to pin dependencies locally first:

cd backend
go mod tidy