KingVics/vaultsync-cli

VaultSync CLI — Zero-Disk Secrets Management for VPS & Node.js

Run apps with secrets — without ever storing .env files on your server.

VaultSync CLI lets you securely deliver secrets to your applications by encrypting them locally and injecting them into processes at runtime. Plaintext never leaves your machine and is never written to disk on the server.


⚡ Quick demo

vaultsync secrets push --label API --env prod --file .env
vaultsync run --label API --env prod -- node app.js

No .env files on your server. No secrets on disk.


🧠 How it works

Developer machine                  VaultSync Server              VPS Agent
─────────────────                  ────────────────              ─────────
vaultsync secrets push   ───────►  stores AES ciphertext
vaultsync grant          ───────►  stores RSA-wrapped AES key
                                        │
                                        ▼
                                   vaultsync run ──► decrypts in RAM ──► injects into process env
  1. The CLI encrypts your .env file locally with AES-256-GCM under an AES key generated on your machine
  2. Only the ciphertext is sent to the server; the plaintext never leaves your machine
  3. On grant, the AES key is wrapped with the target machine's RSA public key and the wrapped key is stored on the server
  4. At run time the VPS agent unwraps the key and decrypts the secrets in memory only
  5. Key and secrets are zeroed in memory after the process exits

📦 Installation

npm install -g vaultsync-cli

Requires Node.js 18+


🏁 Quick start

1. Start your VaultSync server

Deploy the server and note your API key.


2. Log in

vaultsync login --key <YOUR_API_KEY>

Credentials are saved to ~/.vaultsync/config.json (mode 600).

For self-hosted deployments:

VAULTSYNC_SERVER=https://your-vault-server.com vaultsync login --key <YOUR_API_KEY>

3. Push a secret

vaultsync secrets push --label API-Backend --env Production --file .env

The AES key is kept locally and never sent to the server in plaintext; only an RSA-wrapped copy, created per machine by `vaultsync grant`, is ever uploaded.


4. Create a machine

vaultsync machine create --name production-01

Returns a one-time enrollment token (OTET).


5. Enroll the VPS

curl -fsSL https://cdn.jsdelivr.net/gh/KingVics/vaultsync-releases@main/install.sh | sudo bash
vaultsync enroll <OTET>

The installer runs as root: download install.sh and read it before piping it into sudo bash. The enrollment token is single-use.

6. Grant access

vaultsync grant --machine production-01 --label API-Backend --env Production

7. Run your app

vaultsync run --label API-Backend --env Production -- node dist/index.js

Secrets are injected into environment variables and never written to disk.


🛡️ Why VaultSync?

  • 🔐 Secrets encrypted before leaving your machine
  • 🧠 Server stores only ciphertext — never plaintext
  • ⚡ Runtime injection (no .env files on servers)
  • 🔑 Per-machine access using RSA keypairs
  • 🧹 Secrets wiped from memory after execution

🆚 Alternatives

VaultSync is a lightweight alternative to:

  • HashiCorp Vault
  • Doppler
  • Infisical

Unlike traditional tools, VaultSync:

  • requires no heavy infrastructure beyond the VaultSync server and its Redis instance
  • stores plaintext nowhere except your own .env file and the memory of the running process
  • injects secrets directly into process memory

📚 Commands

Auth

vaultsync login --key <apiKey>

Secrets

  • secrets push → encrypt + upload .env
  • secrets list → view stored blobs
  • secrets delete → remove secrets

Machines

  • machine create → create + enrollment token
  • machine list → list machines
  • machine revoke → block access
  • machine delete → remove machine

Access control

vaultsync grant --machine <name> --label <label> --env <environment>

Re-run grant after each secrets push: the wrapped key the server holds for a machine is tied to the blob that was current when the grant was made, so a machine granted before a push cannot decrypt the new blob.


Audit

vaultsync audit

🔐 Security model

  • AES-256-GCM encryption for secret blobs
  • RSA-4096 (OAEP SHA-256) for key wrapping
  • Challenge-response authentication (no passwords)
  • Replay protection using Redis (short-lived nonce)
  • Zero-disk (runtime): secrets decrypted only in memory on the VPS. Note that a process's environment is still readable from /proc/<pid>/environ by the same Unix user and by root, so run the app under a dedicated account.
  • Per-machine access control

🔍 Keywords

secrets management, dotenv alternative, environment variables, nodejs secrets, vps deployment, encryption cli, zero trust security


📄 License

MIT
