You know that one conversation that happens at every tech meetup, every college cafeteria, and honestly every family dinner where someone finds out you work in tech?
“Hey, is it safe to use [insert password manager here]?”
And then comes the split camp — half the room swears by their cloud password manager, and the other half goes “bro, what if they get hacked?” Meanwhile, I’m sitting there nodding along to both sides like a bobblehead in a storm.
Here’s the thing though — both sides have a point. Password managers are genuinely useful. But storing your most sensitive credentials on someone else’s server, trusting a third party you’ve never met, hoping they don’t get breached or decide to do something shady with your data? That’s a lot of faith for someone who literally studies cybersecurity.
So I thought: What if I just… didn’t?
What if your passwords, API keys, and sensitive notes never left your device at all? No cloud sync to a stranger’s server. No third party. No “oops we got breached, please change your passwords” email at 2 AM.
That thought turned into SecureVault — a zero-knowledge, cryptographically secure CLI vault that lives entirely on your local system. And building it taught me more about applied cryptography than any textbook ever did.
What Even Is SecureVault?
SecureVault is a command-line personal data manager. Think of it like a digital safe bolted to your computer’s floor — except instead of a combination dial, it uses military-grade encryption, and instead of a locksmith, the math does the work.
You can store:
- Passwords
- API keys
- Sensitive notes
- Files
And everything is encrypted before it ever hits your disk. Your master password never gets stored anywhere. Even if someone physically stole your hard drive, they’d be staring at mathematical gibberish.
The “zero-knowledge” part means exactly what it sounds like — the system knows nothing. Not even your password.
I chose a CLI because in the world of security, complexity is the enemy. By stripping away the buttons and the fluff, I reduced the attack surface and built a tool that values speed and transparency over decoration.
Why I Built This (The Real Story)
Honestly? It started as an experiment. I wanted to understand, at a code level, how encryption actually works — not just the textbook diagrams, but the actual implementation. What does AES-256 look like when you write it? How does Argon2 behave under the hood? What happens when you try to securely delete a file?
But the more I dug into it, the more I realized this was genuinely useful. I keep seeing people store sensitive info in plain text files, sticky notes, or unencrypted spreadsheets. And the alternative — trusting a third-party app with your entire digital identity — has its own risks.
So I built something for the in-between: people who want real security without surrendering control to a stranger.
The Cool Tech Behind It (Non-Boring Version, I Promise)
Here’s the fun part. No vague hand-waving — here’s actually what’s powering this thing:
Argon2 for Key Derivation When you enter your master password, SecureVault doesn’t use it directly. It runs it through Argon2 — the winner of the Password Hashing Competition (yes, passwords have competitions, it’s a whole thing). Argon2 is deliberately slow and memory-hungry, which makes brute-force attacks painfully expensive. Even if someone got your encrypted vault, cracking it would require 64MB of RAM per guess. Good luck with that.
AES-256-GCM Encryption Each entry gets its own unique encryption key, then gets encrypted with AES-256-GCM — the same standard used by the NSA for top-secret data. The GCM part means it doesn’t just encrypt, it also authenticates — so if someone tampers with your vault file, SecureVault knows.
CSPRNG for Randomness Every key, salt, and nonce is generated using a Cryptographically Secure Pseudo-Random Number Generator — because regular random() is predictable, and predictable is the enemy of security.
HMAC-SHA256 for Integrity On top of per-entry authentication, the entire vault file gets an HMAC tag. Two layers of tamper detection. Because paranoia, when applied correctly, is just good engineering.
DOD 5220.22-M Secure Deletion When you delete an entry, SecureVault doesn’t just remove the pointer to the data — it overwrites the actual bytes. Seven passes: zeros, ones, then random data five more times. This meets the U.S. Department of Defense standard for data destruction. Your deleted data is gone-gone.
Features at a Glance
Store passwords, API keys, notes, and files — all encrypted
Auto-lock after 5 minutes of inactivity (because we all walk away from our terminals)
Deletion certificates — cryptographic proof that your data was properly destroyed
Encrypted export and import for backups
Built and optimized for Linux, with full native support for macOS and Windows
Clean, color-coded CLI interface that doesn’t make your eyes bleed
Challenges I Ran Into (The Honest Version)
I’ll save the deep technical dive for a dedicated post (it’s coming, I promise!), but here’s the honest overview of where things got spicy:
Getting the cryptographic flow right was harder than expected. The order of operations matters — derive the key, generate the nonce, encrypt, authenticate, in exactly the right sequence. One misstep and you don’t get an error, you get silently broken security.
Secure deletion turned out to be surprisingly tricky on modern systems. SSDs and file system caching mean “overwrite the bytes” isn’t always as straightforward as it sounds. I had to think carefully about what guarantees I could actually make.
Balancing usability with security is a constant tension. Every security feature I added made the tool slightly more cumbersome to use. Finding that sweet spot took a lot of iteration.
What I Learned
Building SecureVault felt like reading a security textbook, except every chapter had a practical exam. A few big takeaways:
- Applied cryptography is humbling. The math is elegant; the implementation details will absolutely get you if you’re not careful.
- Defense in depth isn’t just a buzzword — layering AES-GCM authentication with HMAC gives you two independent chances to catch tampering.
- Zero-knowledge architecture is a design philosophy, not just a feature. Every decision has to flow from the question: “does this require trusting the system with sensitive data?” But Wait — What About the Cloud? Local storage is great until your hard drive dies. I get it.
If system space becomes a concern, or if I want SecureVault to sync across devices, making it cloud-compatible is absolutely on the table. But the zero-knowledge architecture has to survive the move. Here’s how I’d approach it:
Client-side encryption first, always. Data gets encrypted on your device before it ever touches a network. The cloud provider sees only encrypted blobs — they can’t read a thing.
Zero-knowledge key management. Your master password never leaves your device. Key derivation happens locally. The cloud just stores the encrypted output.
Encrypted backups with versioning. So you can roll back if something goes wrong.
End-to-end integrity verification. Every sync gets verified with HMAC to catch any tampering or corruption in transit.
The cloud version would essentially be a secure courier carrying a locked box — it can carry the box, but it has no idea what’s inside.
A Note of Humility (An Important One)
I want to be really clear about something: companies like 1Password, Bitwarden, and others have entire teams of world-class cryptographers, years of security audits, and bug bounty programs that I can only dream about. They’ve thought of attack vectors I haven’t even heard of yet.
SecureVault is a learning project and a demonstration of concepts — not a replacement for production-grade, audited software. If you’re a large enterprise managing thousands of credentials, please use the professionals.
But if you’re curious about how encryption works in practice, or you want something lightweight for local personal use, or you just want to geek out over applied cryptography — welcome to my vault.
Try It Yourself
SecureVault is open source and lives on GitHub. The README has everything you need to get started — dependencies, installation, and all available commands.
👉 github.com/pavithraadeenadayalan/securevault
That’s a wrap from the Cyber Chronicles — until the next trace, stay curious and keep your ops clean.
Want to dive deeper into tech topics that actually matter? Follow me for more behind-the-scenes looks at the technology shaping our world. Got thoughts? Drop a comment — I’d love to hear your take. Found it helpful? A clap or two helps me grow and bring you even more tech stories!
Top comments (0)