Single-file, encrypted, local Password Manager built in Python.
- Small single-file local password manager (Python).
- Encrypted vault using scrypt (KDF) and AES‑GCM (AEAD) per entry.
- Simple CLI: init, add, get, list, rm, set-passcode, export/import, change-master.
- Optional short "view passcode" layer that is itself encrypted.
Secure Vault is a compact, single-file Python CLI tool that stores credentials locally in an encrypted JSON vault. It was built as a lightweight, educational alternative for personal use — for when you want a minimal, auditable script rather than a full-featured cloud password manager. The vault uses a memory-hard KDF (scrypt) to derive an encryption key from your master passphrase and AES‑GCM to provide confidentiality and integrity per entry.
This project is intentionally small, easy to read, and easy to fork — perfect for learning, personal use, or as a starting point for a more feature-rich, audited project.
```bash
# initialize a new vault (prompts for a master passphrase)
python secure_vault.py init
# add an entry (prompts for the entry password)
python secure_vault.py add "MyBank" -u alice@example.com
# list entries (metadata only)
python secure_vault.py list
# list and reveal passwords (requires master passphrase + view passcode if set)
python secure_vault.py list --reveal
# get a single entry's password
python secure_vault.py get "MyBank"
# set a short view passcode to require before revealing passwords
python secure_vault.py set-passcode
```

- Ensure you have Python 3.8+ installed.
- Install the only runtime dependency:

```bash
pip install cryptography
```

- Save `secure_vault.py` into your project or repository and run the CLI examples above.
Notes & Requirements
- Works on Linux, macOS, and Windows (basically everywhere where Python is available).
- The script stores a vault as a JSON file under `~/.secure_vault/vault.json` by default — do not commit this file.
- Do not commit your vault file to source control.
- Master passphrase is the single secret protecting the vault — choose a long, strong phrase. If you lose it, the vault cannot be recovered.
- The implementation uses scrypt and AES‑GCM — secure primitives, but this script is not audited. For production-level use, prefer well-audited solutions like Bitwarden or KeePassXC.
- Consider full-disk encryption and regular encrypted backups of the vault.
Found a bug or want a feature? Open an issue on GitHub or start a discussion in the repo's Discussions tab.
Contributions are welcome — please follow these simple steps:
- Fork the repo.
- Open a small, focused pull request with tests or clear manual steps to verify.
- Respect security: never store secrets in plaintext, ensure re-encryption behavior is correct after changes, and add tests for cryptographic flows if you change them.
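The scrypt-then-AES‑GCM per-entry design described in the overview, together with the re-encryption behaviour contributors are asked to verify, as an added example (not the project's own code). The record layout, the scrypt parameters, the use of the entry name as associated data, and all function names are assumptions made for illustration.

```python
import base64, json, os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

# Assumed parameters and record layout; the project's real values may differ.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the master passphrase into a 256-bit AES key with scrypt."""
    kdf = Scrypt(salt=salt, length=32, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return kdf.derive(passphrase.encode("utf-8"))

def encrypt_entry(key: bytes, name: str, password: str) -> dict:
    """Encrypt one entry with a fresh 96-bit nonce; the name is bound as AAD."""
    nonce = os.urandom(12)
    ct = AESGCM(key).encrypt(nonce, password.encode(), name.encode())
    return {"nonce": base64.b64encode(nonce).decode(),
            "ct": base64.b64encode(ct).decode()}

def decrypt_entry(key: bytes, name: str, rec: dict) -> str:
    """Raises InvalidTag on a wrong key, a modified record, or a swapped name."""
    nonce = base64.b64decode(rec["nonce"])
    ct = base64.b64decode(rec["ct"])
    return AESGCM(key).decrypt(nonce, ct, name.encode()).decode()

def new_vault(passphrase: str, secrets: dict) -> dict:
    """Build a vault dict: one random salt, one encrypted record per entry."""
    salt = os.urandom(16)
    key = derive_key(passphrase, salt)
    return {"salt": base64.b64encode(salt).decode(),
            "entries": {n: encrypt_entry(key, n, p) for n, p in secrets.items()}}

def change_master(vault: dict, old_pass: str, new_pass: str) -> dict:
    """Decrypt every entry under the old key, re-encrypt under a new salt and key."""
    old_key = derive_key(old_pass, base64.b64decode(vault["salt"]))
    new_salt = os.urandom(16)
    new_key = derive_key(new_pass, new_salt)
    entries = {n: encrypt_entry(new_key, n, decrypt_entry(old_key, n, r))
               for n, r in vault["entries"].items()}
    return {"salt": base64.b64encode(new_salt).decode(), "entries": entries}

if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    v = new_vault("correct horse battery staple", {"MyBank": "s3cret!"})
    v2 = change_master(v, "correct horse battery staple", "a new long phrase")
    print(json.dumps(v2, indent=2))
```

A test for a cryptographic change should check both directions: every entry decrypts under the new passphrase, and no entry still decrypts under the old one.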