ds-vault is a minimal, hardened Emacs Lisp utility for encrypting, decrypting, and managing a KeePassXC-compatible password database using GnuPG.
It uses the external gpg command for maximal control, auditability, and OPSEC transparency.
DeadSwitch does not trust abstractions. This vault is silent, verifiable, and self-destructing by design.
DeadSwitch uses raw gpg intentionally:
- Full Transparency: You see every step. No hidden agents.
- Cross-Tool Compatibility: Decrypt from the terminal if Emacs disappears.
- No Trust in Caching: Explicit keys, explicit files, explicit logic.
- Real Signing Flow:
--sign+--encrypt= your data is yours alone.
- Clone or copy this repo.
- Add it to your
load-path:(add-to-list 'load-path "/path/to/ds-vault/") (require 'ds-vault)
- Create a config file (
ds-vault-config.el) that defines:(defvar ds/key-id "YOUR-GPG-KEY-ID") (defvar ds/clear-db "/path/to/vault.kdbx") (defvar ds/encrypted-db "/path/to/vault.kdbx.gpg") (defvar ds/backup-dir "/path/to/backups/") (defvar ds/timestamp (format-time-string "%Y%m%d-%H%M%S"))
Call the commands from M-x or bind them to keys.
| Command | Description |
|---|---|
ds/vault-encrypt | Encrypt and sign the vault |
ds/vault-decrypt | Decrypt the vault |
ds/vault-status | Check if vault is sealed or exposed |
ds/vault-backup | Backup the encrypted vault with version |
ds/vault-help | Show usage instructions |
The status check is brutally honest:
- Vault is ENCRYPTED - you’re good.
- Vault is PLAIN TEXT - seal it now.
- Insecure state - both files exist. Fix it.
- No vault files found - nothing to protect… yet.
DeadSwitch believes encryption should be:
- Explicit
- Reversible
- Offline-friendly
- Not reliant on agents or GUIs
This vault reflects that mindset.
M-x ds/vault-status
M-x ds/vault-encrypt
M-x ds/vault-backup
M-x ds/vault-decryptMIT - because freedom includes the freedom to vanish.
DeadSwitch | The Silent Architect