Encryption keys and signing keys don't belong in environment variables or on disk. Revaulter keeps them in your passkey: scripts submit a request with the CLI, you approve it in your browser with a passkey, and the browser performs the crypto locally. Everything is End-to-End Encrypted (E2EE) between the CLI and your browser.
What you can use Revaulter for:
- Encrypt/decrypt messages, secrets, keys
- Unlock encrypted disks at boot
- Protect backup repository passwords
- SSH logins with a passkey-backed SSH agent
- Sign release binaries from CI
- Issue long-lived JWTs
- Encrypt/decrypt very large files with age and Revaulter

Features:
- Passkey-derived keys — encryption keys are derived from WebAuthn passkeys (with PRF) directly in the browser; the server never has access to them
- End-to-end encryption — all cryptographic operations happen in the user's browser using WebCrypto, the server stores only opaque, encrypted envelopes
- Self-hosted — runs on your infrastructure, you own your data and keys
- Webhook notifications — get notified on Discord, Slack, or any webhook endpoint when a request is waiting
- Lightweight — single binary, requires only a database (SQLite or PostgreSQL)
- Strong cryptography — includes support for hybrid, quantum-resistant asymmetric cryptography
Run Revaulter with Docker:

```yaml
# docker-compose.yml
services:
  revaulter:
    image: ghcr.io/italypaleale/revaulter:2
    ports:
      - "8080:8080"
    volumes:
      - ./config.yaml:/etc/revaulter/config.yaml:ro
      - ./data:/data
    restart: unless-stopped
```

Create a minimal config.yaml:

```yaml
webhookUrl: "https://discord.com/api/webhooks/..."
databaseDSN: "/data/revaulter.db"
secretKey: "<generate with: openssl rand -base64 32>"
baseUrl: "https://revaulter.example.com"
```

Then start the server, open the web UI, and create your first account.

All documentation lives on the website.
Quick links:
- What is Revaulter — how it works, security model, webhooks
- Installing Revaulter — Docker setup, configuration reference, Docker Compose and Podman examples
- Using the CLI — commands, flags, and examples
- Cryptography architecture — key layers, wrapping, derivation, transport encryption
Revaulter is open source software released under a permissive MIT license. See LICENSE.
