Minimalist encryption for those who live off the grid.
A GPG-powered vault manager for your .kdbx password databases.
No GUI. No cloud. Just your keys, your vault, and the silence between.
A BASH script that:
- Encrypts and signs your KeePassXC
.kdbxfile using GPG. - Decrypts when needed, verifies signature integrity.
- Purges the unsealed vault to eliminate traces.
- Backs up your encrypted vault with timestamped versions.
All operations are local. No 3rd-party sync.
You are the cloud. You are the guardian.
Your vault is your memory.
Sign it with your hand.
Seal it with your ghost.
Let no cloud eat what you protect.
— DeadSwitch
- GPG encryption + signature validation
- File wiping of plaintext vaults
- Timestamped backup creation
- Lightweight and auditable
- Config via
.envfile
.
├── examples
│ └── sample.env
├── README.md
└── vault-crypt.sh
git clone https://github.com/DeadSwitch404/vault-crypt.git
cd vault-cryptcp examples/sample.env .env.pwmanager
nano .env.pwmanagerchmod +x vault-crypt.shgpg --list-keys./vault-crypt.sh encrypt # Encrypt and sign the KeePass DB
./vault-crypt.sh decrypt # Decrypt and validate the vault
./vault-crypt.sh status # Show vault state
./vault-crypt.sh backup # Create encrypted, timestamped backup
./vault-crypt.sh help # Show usageKEY_ID="deadbeef42"
PW_DIR="$HOME/vault/passwords"
CLEAR_PW_DB="secrets.kdbx"
CRYPT_PW_DB="secrets.kdbx.gpg"
BACKUP_DIR="$HOME/vault/backups"
TIMESTAMP=$(date +"%Y%m%d-%H%M")
CURRENT_DIR="$PWD"
Keep this .env file outside of version control.
DeadSwitch recommends using chmod 600 and storing it on encrypted storage.
- Use shred or srm to wipe files on exit (manual or optional enhancement).
- Alias vault-crypt.sh decrypt to open-sesame for that final hacker vibe.
- Run via cron for daily encrypted backups to external storage (offline preferred).
Audit it yourself.
MIT.
Use. Fork. Adapt. Ghost away.
But respect the silence. Credit DeadSwitch.
DeadSwitch | The Silent Architect