A cross-platform command-line tool for managing password-protected encrypted folders
vaultix is a secure, lightweight CLI tool that encrypts files in place using military-grade cryptography. No cloud, no services, no complexity: just strong encryption for your sensitive files.
- Strong Encryption: AES-256-GCM with Argon2id key derivation
- Zero Dependencies: Single static binary, no runtime requirements
- Cross-Platform: Linux, macOS, and Windows support
- Simple UX: Intuitive commands with smart defaults
- No Password Storage: Passwords exist only in memory
- Portable: Encrypted vaults work across all platforms
- Automatic Encryption: Initialize a vault and all files are encrypted instantly
- Master Key Encryption: Random 256-bit master key protects all vault data
- Recovery Key Support: Unlock vault if you forget your password
- Dual Unlock Methods: Use password OR recovery key
- Fuzzy File Matching: No need to type exact filenames
- Default to Current Directory: Less typing, more doing
- Extract or Drop: Extract files while keeping in vault, or drop them out
- Secure Deletion: Original files are overwritten before deletion
- Hidden Metadata: Even filenames are encrypted
- No Background Process: Runs only when you invoke it

vaultix uses a master key encryption model with industry-standard cryptographic primitives:
- Master Key: Random 256-bit key generated per vault (encrypted, never stored in plaintext)
- Password Protection: Master key encrypted with Argon2id-derived key (64MB memory, 1 iteration, 4 threads)
- Recovery Key: Random 256-bit key that can decrypt the master key (backup unlock method)
- Data Encryption: AES-256-GCM authenticated encryption for all vault data
- Randomness: Go's `crypto/rand` package for all cryptographic random generation
vaultix protects against:
- Unauthorized access to files at rest (assuming strong password)
- Accidental exposure of file contents
- Casual inspection of encrypted data
vaultix does not protect against:
- Weak passwords (use a strong, unique password)
- Malware or keyloggers on your system
- Physical access to your computer while unlocked
- Attacks on the underlying operating system
- Side-channel attacks or memory analysis
- Coercion or legal compulsion
- Dual authentication required: Keep both password AND recovery key safe
- No password reset: If you lose BOTH password and recovery key, data is permanently lost
- Recovery key is critical: Store it safely (printed, secure password manager, etc.)
- No automatic backups: You are responsible for backing up your vaults
- Single-user design: No multi-user or sharing capabilities
- Files only: Cannot encrypt directories (add files individually)
Download the latest release for your platform:

Linux:

```bash
curl -LO https://github.com/Zayan-Mohamed/vaultix/releases/latest/download/vaultix-linux-amd64
chmod +x vaultix-linux-amd64
sudo mv vaultix-linux-amd64 /usr/local/bin/vaultix
```

macOS:

```bash
curl -LO https://github.com/Zayan-Mohamed/vaultix/releases/latest/download/vaultix-darwin-amd64
chmod +x vaultix-darwin-amd64
sudo mv vaultix-darwin-amd64 /usr/local/bin/vaultix
```

Windows (PowerShell as Admin):

```powershell
Invoke-WebRequest -Uri "https://github.com/Zayan-Mohamed/vaultix/releases/latest/download/vaultix-windows-amd64.exe" -OutFile "vaultix.exe"
Move-Item vaultix.exe C:\Windows\System32\
```

Requires Go 1.21 or higher:

```bash
git clone https://github.com/Zayan-Mohamed/vaultix.git
cd vaultix
go build -o vaultix
```

Then move the binary to your PATH:

Linux/macOS:

```bash
sudo mv vaultix /usr/local/bin/
```

Windows:

```powershell
Move-Item vaultix.exe C:\Windows\System32\
```

```bash
cd ~/my_secrets

# Initialize vault (encrypts all files automatically)
vaultix init
# Enter password: ****
# Confirm password: ****
# ✓ Vault initialized
# ✓ All files encrypted
# ✓ Original files securely deleted
#
# ⚠️ IMPORTANT: RECOVERY KEY
# Your recovery key: 5025f74e-c5d7a54a-7b99c87b-78cca1a0-...
# Save this recovery key in a secure location!
# It can unlock your vault if you forget your password.

# List encrypted files
vaultix list
# Files in vault (3):
# passwords.txt
# api_keys.json
# private_key.pem

# Extract a file (keeps in vault)
vaultix extract passwords
# ✓ File extracted: passwords.txt

# Drop a file (extracts and removes from vault)
vaultix drop api_keys
# ✓ Dropped: api_keys.json (extracted and removed from vault)

# Extract all files
vaultix extract
# ✓ Extracted 3 file(s)
```

| Command | Description | Example |
|---|---|---|
| `init [path]` | Initialize vault and encrypt all files | `vaultix init` |
| `add <file>` | Add file to vault | `vaultix add secret.txt` |
| `list [path]` | List encrypted files | `vaultix list` |
| `extract [file]` | Extract file(s), keeps in vault | `vaultix extract` |
| `drop <file>` | Extract and remove from vault | `vaultix drop secret` |
| `remove <file>` | Remove file from vault (no extract) | `vaultix remove old.txt` |
| `clear [path]` | Remove all files from vault | `vaultix clear` |
| `recover [file]` | Unlock vault using recovery key | `vaultix recover` |

Pro Tip: Most commands default to current directory, so you rarely need to specify paths!

```bash
# Fuzzy file matching (case-insensitive)
vaultix extract SECRET # Matches "secret_document.pdf"
vaultix extract api # Matches "api_keys.json"

# Extract all to specific directory
vaultix extract . /tmp/decrypted/

# Work with specific vault path
vaultix list ~/other_vault
vaultix extract document ~/other_vault
```

When you initialize a vault at a path (e.g., `./my_secrets`), vaultix creates a hidden `.vaultix/` directory inside:

```
my_secrets/
└── .vaultix/
    ├── meta             # Encrypted metadata (filenames, sizes, timestamps)
    ├── salt             # Random salt for password-based key derivation
    ├── master.key       # Master key encrypted with password-derived key
    ├── recovery.key     # Master key encrypted with recovery key
    └── objects/
        ├── 3f9a2c1d.enc # Encrypted file data
        └── 91bd77aa.enc # Encrypted file data
```

- Master key encryption: A random 256-bit master key encrypts all vault data
- Dual unlock methods: Master key can be decrypted with password OR recovery key
- No plaintext keys: Master key never stored in plaintext on disk
- No passwords stored: Your password exists only in memory during operations
- Encrypted metadata: Even filenames are encrypted with the master key
- Obfuscated object names: Encrypted files have random IDs
- Salt per vault: Each vault has a unique random salt
- Authentication: AES-GCM provides both encryption and integrity verification
Password/recovery key correctness is verified by successful decryption of the master key. There are no stored password hashes. This means:
- Incorrect password/recovery key = decryption failure
- No way to test credentials without attempting decryption
- Recovery key provides backup access if password is forgotten
- If you lose BOTH password AND recovery key, data is permanently lost
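
The key hierarchy and unlock check described above, sketched in Go as an added example (not vaultix's own code): one master key is wrapped under two different keys with AES-256-GCM, and a wrong key or a modified blob is rejected by the GCM tag without any stored password hash. The function names and blob layout are assumptions, and the password-side key is a random stand-in for the Argon2id output because Argon2id is not in Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapKey seals masterKey under kek; the nonce||ciphertext||tag layout is assumed.
func wrapKey(kek, masterKey []byte) []byte {
	gcm, err := newGCM(kek)
	if err != nil {
		panic(err) // a wrong KEK length is a programming error in this sketch
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, masterKey, nil)
}

// unwrapKey returns the master key only if the GCM tag verifies under kek.
func unwrapKey(kek, blob []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("unlock failed: bad key size or short blob")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	master, pwKEK, recKEK := randomBytes(32), randomBytes(32), randomBytes(32)
	// Recovery key tried against the password-wrapped blob: authentication fails.
	fmt.Println(unwrapKey(recKEK, wrapKey(pwKEK, master)))
}
```
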
Password Selection - Use a strong, unique password:
- At least 16 characters
- Mix of letters, numbers, and symbols
- Not used anywhere else
- Not easily guessable
Consider using a password manager to generate and store your vault password.
Recovery Key Storage - Your recovery key is displayed ONCE during vault initialization:
- Print it and store in a safe location
- Save to a password manager as a secure note
- Store in a separate secure location from your vault

⚠️ Never store recovery key inside the vault itself

⚠️ If you lose both password AND recovery key, data is permanently lost

- The entire vault directory (including `.vaultix/`) must be backed up
- Test your backups by extracting files from backup copies
- Encrypted vaults are safe to back up to cloud storage

⚠️ Losing `.vaultix/` = permanent data loss

- When adding files with `add`, original files are NOT automatically deleted
- Use secure deletion tools if you need to remove originals
- Keep temporary extractions out of the vault directory
- Don't extract sensitive files to public/shared directories
- Don't enter passwords where they might be logged
- Don't use vaultix over remote connections without encryption
- Close your terminal after vault operations
- Consider using full-disk encryption alongside vaultix
- Be aware of swap files and hibernation dumps
vaultix works identically on Linux, macOS, and Windows.
Full documentation is available at: https://zayan-mohamed.github.io/vaultix
- Installation Guide
- Quick Start
- Command Reference
- Examples
- Security Model
- Architecture

```bash
# Clone the repository
git clone https://github.com/Zayan-Mohamed/vaultix.git
cd vaultix

# Build
go build -o vaultix

# Run tests
go test ./...

# Run linters
go vet ./...
```

```
vaultix/
├── internal/
│   ├── crypto/   # Cryptographic operations (Argon2id, AES-GCM)
│   ├── storage/  # File system operations
│   ├── vault/    # Business logic layer
│   └── cli/      # Command-line interface
├── docs/         # MkDocs documentation
└── main.go       # Entry point
```

Contributions are welcome! Please read our Contributing Guide first.

```bash
# Fork and clone
git clone https://github.com/YOUR_USERNAME/vaultix.git
cd vaultix

# Build
go build -o vaultix

# Run tests
go test ./...

# Lint code
go vet ./...
```

MIT License - See LICENSE file for details.

- Built with Go
- Uses Argon2 for key derivation
- Inspired by the need for simple, secure file encryption
This software is provided as-is, without any warranties. While vaultix uses well-established cryptographic libraries and follows security best practices, it has not undergone formal security auditing. Use at your own risk.
Remember: Your vault's security depends entirely on your password strength and operational security practices.
Made with ❤️ for security-conscious developers