
SECRET VAULT

Creating a Vault

Set up an encrypted local vault to store secrets and certificates — fully offline, protected by a master password.

Create vault screen with master password setup

Overview

A built-in AES-256-GCM encrypted vault for storing secrets (API keys, passwords, tokens) and TLS certificates. No external services needed — fully offline.

Global scope — shared across all workspaces
Advanced Mode — available via the Vault tab
Master password — protects all vault contents
Fully offline — no cloud, no external services

Creating the Vault

Set up a new encrypted vault in a few steps:

  1. Open the Vault tab
  2. Click 'Create Vault'
  3. Enter a master password (used to derive the encryption key)
  4. Confirm the password
  5. Click 'Create Vault'

Creates ~/.openpost/global/vault.enc (encrypted file)
Once created, the vault is immediately unlocked

⚠️ Important: If you forget your master password, vault contents cannot be recovered. This is by design — there is no backdoor.

Unlocking

Unlock your vault to access secrets and certificates:

  1. Open the Vault tab
  2. Enter your master password
  3. Click 'Unlock'

Decrypts vault contents into memory
Vault stays unlocked for the VS Code session
Secrets available for {{variable}} resolution while unlocked
Wrong password shows clear error (auth tag mismatch) without revealing contents

Locking

Lock the vault to clear secrets from memory:

Click the 'Lock' button in the Vault tab
Clears decrypted data from memory
Secrets no longer resolve (silently skipped in interpolation)
Auto-locks when VS Code closes
In Simple Mode, vault is always locked

Changing Password

Change your vault's master password (vault must be unlocked):

  1. Click 'Change Password'
  2. Enter your current password
  3. Enter the new password

Re-encrypts all vault data with the new key
Previous password no longer works

Keep Unlocked (OS Keychain)

Optional convenience toggle to avoid entering your password every session:

Enable the 'Keep Unlocked' toggle
Stores master password in the OS keychain
Vault auto-unlocks on next VS Code startup without password prompt
Disable to require password every session

| Platform | Keychain Backend |
|----------|------------------|
| macOS | macOS Keychain |
| Windows | Windows Credential Store |
| Linux | Linux Secret Service |

Storage & Encryption

Technical details of how the vault is stored and encrypted:

| Property | Value |
|----------|-------|
| File | ~/.openpost/global/vault.enc |
| Algorithm | AES-256-GCM |
| Key derivation | PBKDF2 with SHA-512, random 32-byte salt, 100,000 iterations |
| File format | JSON with salt, iv, authTag, ciphertext (all Base64) |
| Decrypted payload | { secrets: Record<string,string>, certificates: CertificateEntry[] } |

Git safety: The vault file is encrypted and stored in ~/.openpost/global/ (your home directory), not inside workspace folders. It's safe to exist alongside git repos — encrypted contents are never committed.
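
The envelope described in the table above, sketched with Node's built-in crypto module. This is an added example, not OpenPost's source: the function names and the 12-byte IV are assumptions, while the KDF parameters and JSON field names come from the table.

```javascript
// Added example: not OpenPost source. Field names and KDF parameters follow
// the table above; the 12-byte IV and all function names are assumptions.
const crypto = require('node:crypto');

const KDF = { iterations: 100000, keyLen: 32, digest: 'sha512' };

function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, KDF.iterations, KDF.keyLen, KDF.digest);
}

// Encrypt the payload object into the JSON envelope (all fields Base64).
function sealVault(password, payload) {
  const salt = crypto.randomBytes(32); // fresh salt on every write
  const iv = crypto.randomBytes(12);   // fresh nonce on every write, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(payload), 'utf8'),
    cipher.final(),
  ]);
  const b64 = (buf) => buf.toString('base64');
  return JSON.stringify({
    salt: b64(salt), iv: b64(iv), authTag: b64(cipher.getAuthTag()), ciphertext: b64(ciphertext),
  });
}

// Decrypt the envelope. Throws on a wrong password or any modified field,
// before any plaintext is handed back to the caller.
function openVault(password, fileText) {
  const env = JSON.parse(fileText);
  const [salt, iv, authTag, ciphertext] =
    ['salt', 'iv', 'authTag', 'ciphertext'].map((k) => Buffer.from(env[k], 'base64'));
  if (authTag.length !== 16) throw new Error('vault: unexpected auth tag length');
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(authTag);
  let plain;
  try {
    plain = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
  } catch {
    throw new Error('vault: wrong password or corrupted file (auth tag mismatch)');
  }
  return JSON.parse(plain.toString('utf8'));
}

// Constructed sample payload and password, for illustration only.
const sample = { secrets: { API_KEY: 'constructed-value' }, certificates: [] };
const file = sealVault('constructed-master-password', sample);
console.log(Object.keys(JSON.parse(file)));                       // envelope fields
console.log(openVault('constructed-master-password', file).secrets);
try { openVault('wrong-password', file); } catch (e) { console.log(e.message); }
```

The explicit 16-byte check is there because Node's GCM decipher can accept shorter tags when no tag length is pinned, which weakens the integrity check. Since the key comes from the password alone, resistance to offline guessing against a copied vault.enc rests on password strength and the PBKDF2 work factor.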
