Skip to content

fkzys/keys-vault

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
.github/workflows
.github/workflows
 
 
bin
bin
 
 
completions
completions
 
 
etc
etc
 
 
man
man
 
 
systemd/user
systemd/user
 
 
tests
tests
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
backup
backup
 
 
depends
depends
 
 

Repository files navigation

keys-vault

CI License Spec

File-based encryption for sensitive directories via gocryptfs + GNOME Keyring.

Encrypted ciphertext is stored in a hidden directory; plaintext is mounted via FUSE. The passphrase is stored in GNOME Keyring for automatic unlock.

Installation

AUR

yay -S keys-vault

gitpkg

gitpkg install keys-vault

Manual

git clone https://github.com/fkzys/keys-vault.git
cd keys-vault
sudo make install

Configuration

Configuration is read from (in order, later values override earlier):

  1. /etc/keys-vault.conf — system-wide defaults
  2. $XDG_CONFIG_HOME/keys-vault.conf (default: ~/.config/keys-vault.conf) — per-user overrides
  3. CLI flags (--dir, --cipher-dir)

Variables

Variable Default Description
PLAIN_DIR ~/keys Plaintext mount point
CIPHER_DIR Derived from PLAIN_DIR Encrypted ciphertext directory

CIPHER_DIR is derived as a hidden directory with .enc suffix in the same parent: ~/keys~/.keys.enc, ~/secure/vault~/secure/.vault.enc.

Usage

keys-vault init       # create vault (random or user-supplied passphrase)
keys-vault open       # mount
keys-vault status     # open / locked / stale / not initialized
keys-vault close      # unmount
keys-vault passwd     # rotate passphrase

Custom directory

# Via flag
keys-vault --dir=~/secure/credentials init

# Via config
echo 'PLAIN_DIR="${HOME}/secure/credentials"' > ~/.config/keys-vault.conf
keys-vault init

Commands

Command Description
init Create encrypted volume, store passphrase in keyring
open Mount vault; recovers stale mounts; no-op if already mounted or not initialized
close Unmount vault; handles stale mounts; no-op if not mounted
status Print state: open / locked / stale / not initialized
passwd Rotate gocryptfs passphrase and update keyring

Options

Option Description
--dir=PATH Plaintext mount point (default: ~/keys)
--cipher-dir=PATH Encrypted ciphertext directory (default: derived from --dir)
-h, --help Show usage
--version Show version

Systemd integration

A user service is included for automatic mount on login:

systemctl --user enable --now keys-vault.service

The service mounts on start (After=gnome-keyring-daemon.service) and unmounts on stop.

Custom directories configured via ~/.config/keys-vault.conf are picked up by the service automatically. For per-flag overrides, create a service drop-in:

systemctl --user edit keys-vault.service
[Service]
ExecStart=
ExecStart=/usr/bin/keys-vault --dir=%h/secure/credentials open
ExecStop=
ExecStop=/usr/bin/keys-vault --dir=%h/secure/credentials close

Stale mount recovery

If the gocryptfs process dies (e.g. OOM kill) the FUSE mountpoint becomes stale — it appears in /proc/mounts but stat fails with "Transport endpoint is not connected".

  • open detects this and force-unmounts before re-mounting
  • close detects stale mounts and force-unmounts them
  • status reports stale as a distinct state

Dependencies

  • gocryptfs
  • secret-tool (libsecret)
  • fusermount (fuse2 or fuse3)
  • GNOME Keyring (or any Secret Service provider)

License

AGPL-3.0-or-later

About

File-based encryption for sensitive directories via gocryptfs + GNOME Keyring.

Topics

linux bash security keyring keyrings gocryptfs

Resources

Readme

License

AGPL-3.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

 
 
 

Contributors

Languages