What Is the Secrets Vault?

The Secrets Vault is a master-password-protected store for sensitive credentials: API keys, database passwords, tokens, certificates, and anything else you need to keep safe. It is your personal developer secrets manager built into localWiki.

Unlike project keys (which are scoped to environments and shared with your team), vault secrets can be either shared with approved devices or kept local only. They are encrypted with a key derived from your master password using Argon2id, and local-only secrets never leave your machine.

How It Works

Master Password
      |
      v
  Argon2id KDF  ->  Encryption Key
      |
      v
  AES-256-GCM  ->  Encrypted Vault

Your master password is never stored. localWiki derives an encryption key from it using Argon2id (memory-hard key derivation), then encrypts each secret with AES-256-GCM. The vault is locked when you close the app or after inactivity.

Key Features

• Canonical keys — each entry holds the env value, app context, runbook notes, and an audit trail together.
• Setup context / runbook — attach free-text notes to any key explaining rotation steps, service dependencies, or setup instructions.
• Audit trail — every create, read, update, copy, and delete action is logged per-key with timestamps and device identity.
• Sync scope — each key is either “approved devices” (shared) or “local only”.
• Reveal with auto-hide — values are masked by default. Reveal shows the plaintext for 30 seconds, then auto-hides.
• Copy-ready env line — one click copies KEY=value format to your clipboard.

When to Use the Vault vs. Project Keys

The vault is for secrets that benefit from attached context — setup docs, rotation notes, and a per-key audit trail. Project keys are for environment variables your project needs to run.