Your passwords,
your infrastructure

vaultctl is a zero-knowledge, self-hosted password vault. Encryption happens on your device — the server stores only ciphertext. Not even the admin can read your data.

Get Started

View on GitHub

🔐

Zero-Knowledge Encryption

AES-256-GCM with Argon2id key derivation. All crypto runs client-side — the server never sees plaintext.

🏠

Fully Self-Hosted

One command deploys everything. Docker, binary, or Kubernetes — your data stays on your infrastructure.

📦

7 Item Types

Logins, secure notes, cards, identities, API keys, SSH keys, and passkeys — all encrypted at rest.

🌐

Browser Extension

Chrome + Firefox with autofill, auto-save, and TOTP code generation built in.

🔄

Easy Migration

Import from Bitwarden, 1Password, LastPass, and other managers. Export anytime.

🛡️

Open Source & Auditable

AGPL-3.0 licensed. Cosign-signed releases with SLSA provenance and SBOM attestations.

Deploy in under 2 minutes

curl -fsSL https://vaultctl.vinelabs.de/install.sh (opens in a new tab) | bash

Documentation

Getting Started

Install, create your first account, and learn the core concepts.

User Manual

Vault items, folders, sharing, 2FA, browser extension, and more.

API Reference

Full REST API docs for authentication, vaults, items, and TOTP.

Knowledge Base

Encryption internals, zero-knowledge design, threat model, blob format.

Help Center

FAQs, troubleshooting, server configuration, reverse proxy, backups.

All Install Methods

Docker Hub, GHCR, Compose, binary, Kubernetes — every way to deploy.

Your passwords,your infrastructure