Secrets stay on your machine.
A CLI that stores secrets locally with authenticated encryption. One binary. No setup. Your data never leaves your machine.
Why Veil
Secrets management that respects your time
Store API keys and passwords locally with authenticated AES-256-GCM encryption. No cloud, no accounts, no vendor lock-in.
AES-256-GCM encryption
Authenticated encryption with associated data. Your secrets are encrypted on your machine with a key that never leaves your possession.
cipher: AES-256-GCM
auth: GCM mode
Your data stays on your machine
No cloud sync. No telemetry. No accounts. Your vault lives in your home directory and never leaves your machine unless you decide to share it.
storage: ~/.veil/
offline: true
One binary, zero runtime
Download and run. No Docker, no Node.js, no Python dependencies. Single compiled binary for macOS, Linux, and Windows.
size: ~15MB
static: true
Export to .env, not a browser
Password managers are for personal logins. Veil exports secrets to .env files for your applications. Integrate with your existing workflow.
format: dotenv
workflow: native
The alternative
Cloud secret managers: Veil is free, local, and requires zero infrastructure.
Password managers: Veil is designed for application secrets, not personal credentials.
How it works
Three commands. Zero configuration.
Veil replaces scattered .env files with a simple CLI. Generate secrets, store them safely, export when you need them.
Generate strong secrets
Passwords, API keys, JWT secrets. Cryptographically random. No more "password123" in your repos.
Export to .env instantly
One command dumps your vault to .env format. Works with every framework that reads environment variables.
Search across vaults
Glob patterns find secrets instantly. Stop grepping through scattered .env files to find that API key.
Multiple Vaults: Organize by environment
Copy to Clipboard: One command, no paste
List Without Exposing: Audit vault contents safely
Master Key Lock: AES-256-GCM encryption
Installation
One command to get started
Copy, paste, and run. The installer handles the rest. No dependencies, no configuration.
After installation, run veil init to create your first vault. Your master key will be displayed once — store it securely.
FAQ
What to know before you start
Common questions about security, sync, and how Veil fits into your workflow. Open an issue if you need help.
Veil uses AES-256-GCM authenticated encryption. Your secrets are encrypted locally with a master key that never leaves your machine. The encrypted database lives in ~/.veil/ and the code is open source for anyone to audit.
Your secrets are gone forever. Veil has no backdoors, no recovery mechanism, and no way to decrypt your vault without the master key. Store it in a password manager, hardware token, or physical safe.
Not built-in. But you can sync the encrypted vault file (~/.veil/vault.db) via Dropbox, iCloud, Git, or any file sync. The vault is encrypted so it's safe to store anywhere. Keep your master key separate and secure.
No. Veil is CLI-only. This keeps it fast, scriptable, and free from the complexity and attack surface of a GUI. It works in terminals, over SSH, and in CI/CD pipelines.
Password managers are for logging into websites. Veil is for your code. Use your password manager for Netflix, your bank, and email. Use Veil for API keys, database passwords, and JWT tokens that your applications need. Veil doesn't replace your password manager — it replaces scattered .env files and hardcoded secrets in your repos.
Yes. Copy your encrypted vault and master key to your CI environment securely, then run 'veil export' to inject secrets as environment variables at runtime. The vault remains encrypted until the moment you need the secrets.
Your secrets deserve better than a .env file in Slack.
Start using Veil today. Open source, free forever.