CmdVault Features Deep Dive

Engineered for security and speed

Explore the detailed mechanics of local-first encryption, cross-device relay synchronization, team access controls, and dynamic CLI secret injection.

Zero-Knowledge Security Architecture

All secrets, passwords, and private tokens are encrypted locally on your machine before they touch the network. CmdVault uses hardware-backed AES-GCM-256 keys derived from your primary master password.

  • ✓AES-GCM-256 cryptography at rest
  • ✓PBKDF2 master key derivation
  • ✓Local SQLite vault with SQLiteCipher
Raw CLI RecipeDB_PASS="super-secret"
Local EncryptionAES-256 Key
Secure Vault OutputU2FsdGVkX19G4...
How it works:

When you save a command containing confidential credentials, CmdVault intercepts the parameters, requests input for placeholders, encrypts the payload locally using your hardware-backed key, and writes it to your encrypted database file.

Unified Interface: CLI meets Desktop Dashboard

Whether you live inside the terminal or prefer a visual dashboard, CmdVault provides identical zero-knowledge access across platforms.

View Formats
# Add a new recipe with secure environmental parameters
$ cmdvault add --secure --name "deploy-prod"
? Enter secret variable value [DB_PASSWORD]: **********
✓ Recipe successfully saved.

# Run the command - secrets are injected on-the-fly
$ cmdvault run deploy-prod
🔓 Decrypting environment...
🚀 Running: pg_dump -h $DB_HOST -U $DB_USER $DB_NAME > backup.sql
✓ Command execution completed.

Secure Sync Relay

Synchronize command directories selectively across devices. Connect to a custom cloud relay or self-host your sync backend using standard MongoDB/SQLite setups.

RBAC Workspaces

Divide commands into different team workspaces. Set permissions (Viewer, Editor, Admin) and invite colleagues using zero-knowledge invitations.

Parameter Substitution

Declare custom environmental arguments in commands like `{{API_KEY}}`. CmdVault prompts you dynamically or pulls from secure local vaults at run-time.