mine vault
Store and retrieve secrets encrypted at rest using age encryption.
Secrets live in a single encrypted file at ~/.local/share/mine/vault.age.
Passphrase
All vault operations require a passphrase. mine resolves it in this order:
- `MINE_VAULT_PASSPHRASE` env var — always wins, ideal for scripts
- OS keychain — stored via `mine vault unlock`, retrieved transparently
- Interactive prompt — secure input (no echo) when running in a terminal
The passphrase is never stored on disk in plaintext. By default it is only held in memory for the duration of each vault operation, but if you run mine vault unlock it may also be persisted securely in the OS keychain (encrypted/protected by the OS).
Passphrase Management
Store in OS Keychain
```sh
mine vault unlock
```
Prompts for the passphrase and stores it securely in the OS native keychain (macOS Keychain, GNOME Keyring on Linux via secret-tool). After unlocking, all vault commands work without prompting or setting env vars.
Platform behaviour:
- macOS: Uses the built-in `security` CLI — no extra dependencies.
- Linux: Requires `secret-tool` (part of `libsecret-tools`). If `secret-tool` is not installed, `unlock` returns an error indicating keychain is not available; use `MINE_VAULT_PASSPHRASE` instead.
- Other platforms: Returns an informational error; use `MINE_VAULT_PASSPHRASE` instead.
Remove from OS Keychain
```sh
mine vault lock
```
Removes the stored passphrase from the OS keychain. Future vault commands will prompt again.
If no passphrase is stored, lock exits successfully with an informational message.
Store a Secret
```sh
mine vault set <key> <value>
```
Keys use dot-notation namespacing by convention:
```sh
mine vault set ai.claude.api_key sk-ant-...
mine vault set ai.openai.api_key sk-...
mine vault set db.production.password hunter2
mine vault set github.token ghp_...
```
If the key already exists, the value is overwritten.
Retrieve a Secret
```sh
mine vault get <key>
```
Prints the secret to stdout:
```sh
mine vault get ai.claude.api_key
# sk-ant-...
```
Copy to Clipboard
```sh
mine vault get <key> --copy
```
Copies the secret to the system clipboard without printing it. Requires xclip or xsel (Linux), pbcopy (macOS), or wl-copy (Wayland).
List Secret Keys
```sh
mine vault list
```
Lists all stored secret keys. Values are never shown.
Delete a Secret
```sh
mine vault rm <key>
```
Permanently removes a secret from the vault.
Export for Backup
```sh
mine vault export
mine vault export --output vault-backup.age
```
Writes the encrypted vault blob to stdout or a file. The export is still age-encrypted — safe to store or transfer.
Import a Backup
```sh
mine vault import vault-backup.age
```
Replaces the current vault with the contents of the backup file. The import must be a valid age-encrypted vault created by `mine vault export` using the same passphrase.
Subcommand Reference
| Subcommand | Description |
|---|---|
| `set <key> <value>` | Store or update a secret |
| `get <key>` | Retrieve a secret (use `--copy` to copy to clipboard) |
| `list` | List all stored secret keys |
| `rm <key>` | Permanently delete a secret |
| `export` | Export encrypted vault for backup |
| `import <file>` | Restore vault from a backup |
| `unlock` | Store passphrase in OS keychain |
| `lock` | Remove passphrase from OS keychain |
AI Key Integration
You can store AI provider API keys in the vault in two ways:
Option 1: Use `mine ai config` (stores key and sets provider in one step)
```sh
mine ai config --provider claude --key sk-ant-...
# key stored in vault, provider set as default
```
Option 2: Store manually, then set the provider
```sh
mine vault set ai.claude.api_key sk-ant-...
mine ai config --provider claude
# provider set as default; key is read from vault when using AI commands
```
When AI commands run (e.g. `mine ai ask`), they check for keys in this order:
- Standard environment variables (`ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, etc.)
- Vault (requires `MINE_VAULT_PASSPHRASE` or interactive prompt)
Security Notes
- Secrets are encrypted with age using passphrase-based scrypt key derivation.
- Plaintext values are never written to disk at any point.
- The vault file is written atomically (temp file → fsync → rename) to prevent corruption on crash.
- The vault file permissions are `0600` (owner read/write only).
- If you forget your passphrase, the vault cannot be recovered. Keep a backup.
- Wrong passphrase returns a non-zero exit code with an explicit error — there is no silent fallback.
- A corrupted vault file returns a non-zero exit code with remediation guidance — there is no auto-repair.
Error Handling
| Situation | Behavior |
|---|---|
| Wrong passphrase | Non-zero exit, explicit error with hint |
| Corrupted vault file | Non-zero exit, explicit error with hint |
| Missing key | Non-zero exit, key name in error |
| Empty vault on export | Non-zero exit, instructive error |
| Import with wrong passphrase | Non-zero exit, explicit error |
| `vault unlock` on non-TTY | Non-zero exit, “requires an interactive terminal” |
| `vault unlock` — keychain unavailable | Non-zero exit, error with `MINE_VAULT_PASSPHRASE` hint |
| `vault lock` — nothing stored | Zero exit, informational message (not an error) |
| `vault lock` — keychain unavailable | Non-zero exit, error with `MINE_VAULT_PASSPHRASE` hint |
Vault File Location
`~/.local/share/mine/vault.age` (XDG `$XDG_DATA_HOME/mine/vault.age`)
Override the data directory with the XDG_DATA_HOME environment variable.
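
The Security Notes and the file location above can be checked on disk. The following POSIX shell audit is an added example, not part of mine or its documentation: it resolves the vault path with the XDG override, verifies the `0600` mode, and confirms the file carries an age header with a scrypt (passphrase) recipient. The function names are hypothetical, and it assumes mine writes the binary (non-armored) age format.

```sh
#!/bin/sh
# Added example (not part of mine): audit the vault file described on this page.
# Function names are hypothetical. The path, XDG override and 0600 mode come from
# the page; the header strings come from the age file format.

# $XDG_DATA_HOME/mine/vault.age, falling back to ~/.local/share/mine/vault.age.
vault_path() {
    printf '%s/mine/vault.age\n' "${XDG_DATA_HOME:-$HOME/.local/share}"
}

# Octal permission bits: GNU stat first, then BSD/macOS stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Classify a file by its age header. Assumption: mine writes the binary age format,
# where line 1 is the version and a passphrase recipient stanza starts "-> scrypt".
vault_format() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        'age-encryption.org/v1')
            case "$(head -n 2 "$1" | tail -n 1)" in
                '-> scrypt '*) echo age-scrypt ;;
                *)             echo age-other-recipient ;;
            esac ;;
        '-----BEGIN AGE ENCRYPTED FILE-----') echo age-armored ;;
        *) echo not-age ;;
    esac
}

# Print one finding per line; return 0 only when the file matches the documented state.
audit_vault() {
    f="${1:-$(vault_path)}"
    rc=0
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "FAIL not a regular file: $f"; return 1
    fi
    mode="$(file_mode "$f")"
    [ "$mode" = 600 ] || { echo "FAIL mode $mode, expected 600: $f"; rc=1; }
    fmt="$(vault_format "$f")"
    [ "$fmt" = age-scrypt ] || { echo "FAIL format $fmt, expected age-scrypt: $f"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $f"
    return "$rc"
}
```

Source the file and run `audit_vault` with no argument to check the live vault, or pass a path such as an exported backup to check that file instead.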