DevSafe / Docs
Docs Lockbox devsafe vault

devsafe vault

Encrypted credential storage for your development environment. Store API keys, tokens, and secrets locally, encrypted with AES-256-GCM. Free to use, no account needed.

Overview

Vault encrypts your secrets at rest using nonce-unique AEAD (AES-256-GCM). Each value gets its own encryption with a fresh nonce, so no two ciphertexts are alike, even for identical values.

How is vault different from lockbox? They solve different problems and work well together.

For maximum protection, use both. Vault encrypts. Lockbox hides. Together, your secrets are encrypted at rest and invisible to any tool that reads text.

Usage

terminal
$ devsafe vault <subcommand> [options]

Subcommands

vault add

Add a single secret interactively. The value is read from stdin, so it never appears in your terminal history or shell logs.

terminal
$ devsafe vault add GITHUB_TOKEN
Enter value for GITHUB_TOKEN: 
 stored GITHUB_TOKEN (encrypted, AES-256-GCM)

vault import

Import all key-value pairs from a .env file into the vault. Each secret is encrypted individually.

terminal
$ devsafe vault import .env
 imported 12 secrets from .env
 all values encrypted at rest

vault inject

Replace {{VAULT:KEY}} placeholders in any file with the decrypted values. The original file is updated in place.

terminal
$ devsafe vault inject docker-compose.yml
 replaced 3 placeholders in docker-compose.yml

vault run

Run any command with all vault secrets injected as environment variables. The secrets exist only in the child process memory. They are never written to disk.

terminal
$ devsafe vault run npm start
 injected 12 env vars into child process
Server listening on :3000

vault set

Associate a stored credential with a specific MCP server. When that server starts, it receives the credential automatically.

terminal
$ devsafe vault set GITHUB_TOKEN --server github
 GITHUB_TOKEN bound to server "github"

vault list

Show all stored keys. Values are never displayed.

terminal
$ devsafe vault list
KEY                SERVER      ADDED
GITHUB_TOKEN       github      2 days ago
DATABASE_URL       -           5 days ago
RESEND_API_KEY     -           5 days ago
STRIPE_SECRET      stripe      1 day ago

4 secrets stored (values hidden)

vault export

Export all vault secrets in .env format. Useful for migrating to a new machine or sharing with a teammate over an encrypted channel.

terminal
$ devsafe vault export > secrets.env
 exported 4 secrets to stdout

# delete secrets.env after use
Exported secrets are plaintext.

The export command decrypts values so they can be used as a standard .env file. Delete the exported file when you are done, or pipe it directly into another tool instead of writing to disk.

Example workflows

Store and bind a GitHub token

Add a token to the vault, then bind it to your GitHub MCP server so the server receives the token automatically on startup.

terminal
# Step 1: store the token (value entered interactively)
$ devsafe vault add GITHUB_TOKEN
Enter value for GITHUB_TOKEN: 
 stored GITHUB_TOKEN

# Step 2: bind it to the github MCP server
$ devsafe vault set GITHUB_TOKEN --server github
 GITHUB_TOKEN bound to server "github"

Run a build with secrets

Instead of exporting secrets to your shell or writing a .env file, run commands directly through the vault. Secrets live only in the child process.

terminal
$ devsafe vault run npm start
 injected 12 env vars
Server listening on :3000

# also works with any command
$ devsafe vault run docker compose up
$ devsafe vault run python manage.py runserver

Inject secrets into Docker Compose

Use {{VAULT:KEY}} placeholders in your docker-compose.yml, then inject before running. This keeps secrets out of your compose file in version control.

docker-compose.yml
services:
  api:
    environment:
      - DATABASE_URL={{VAULT:DATABASE_URL}}
      - STRIPE_SECRET={{VAULT:STRIPE_SECRET}}
terminal
$ devsafe vault inject docker-compose.yml
 replaced 2 placeholders

$ docker compose up

Vault vs. Lockbox

Both tools protect secrets, but they work differently. Here is when to use each one.

All vault data stays on your machine.

Vault uses user-owned storage only. Your encryption key never leaves your device. There is no server, no sync, no account required. You own everything.

How encryption works

Each secret stored in the vault is encrypted individually using AES-256-GCM with a fresh, random nonce (nonce-unique AEAD). This means:

For the full technical details, see Encryption model.