Engineered for security and speed
Explore the detailed mechanics of local-first encryption, cross-device relay synchronization, team access controls, and dynamic CLI secret injection.
Zero-Knowledge Security Architecture
All secrets, passwords, and private tokens are encrypted locally on your machine before they touch the network. CmdVault uses hardware-backed AES-GCM-256 keys derived from your primary master password.
- ✓AES-GCM-256 cryptography at rest
- ✓PBKDF2 master key derivation
- ✓Local SQLite vault with SQLiteCipher
When you save a command containing confidential credentials, CmdVault intercepts the parameters, requests input for placeholders, encrypts the payload locally using your hardware-backed key, and writes it to your encrypted database file.
Unified Interface: CLI meets Desktop Dashboard
Whether you live inside the terminal or prefer a visual dashboard, CmdVault provides identical zero-knowledge access across platforms.
# Add a new recipe with secure environmental parameters $ cmdvault add --secure --name "deploy-prod" ? Enter secret variable value [DB_PASSWORD]: ********** ✓ Recipe successfully saved. # Run the command - secrets are injected on-the-fly $ cmdvault run deploy-prod 🔓 Decrypting environment... 🚀 Running: pg_dump -h $DB_HOST -U $DB_USER $DB_NAME > backup.sql ✓ Command execution completed.
Secure Sync Relay
Synchronize command directories selectively across devices. Connect to a custom cloud relay or self-host your sync backend using standard MongoDB/SQLite setups.
RBAC Workspaces
Divide commands into different team workspaces. Set permissions (Viewer, Editor, Admin) and invite colleagues using zero-knowledge invitations.
Parameter Substitution
Declare custom environmental arguments in commands like `{{API_KEY}}`. CmdVault prompts you dynamically or pulls from secure local vaults at run-time.