SealKey

LUKS2-encrypted, local-only secrets—zero cloud, zero leaks, full team sync via Git.

TypeScript, Environment Variables, Encryption, OpenSSL

Project Overview

🔐 SealKey: Local-Only Secrets, Done Right

SealKey is a developer-native secrets manager that ditches .env files, hardcoded creds, and cloud vaults in favor of LUKS2-encrypted, audit-safe secrets that never leave your machine.

🌟 Core Features

  • Zero cloud, zero metadata leaks: Secrets live as nameless encrypted blobs inside a LUKS2 container (~/.sealkey/vault.luks)
  • MIT licensed & open source — fully yours, no vendor lock-in
  • Team-ready: Up to 32 devs, each with their own LUKS2 passphrase — no shared keys, no GPG mess
  • Git-safe vault: Commit your vault.luks — it’s encrypted, portable, and syncs secrets securely across teammates
  • Memory-safe: Fetch secrets with --mode memory + TTL for auto-wipe after use

🛠️ Built for Real Dev Workflows

  • CLI + SDKs for TypeScript (Bun/Node), Go, and Rust
  • No Windows (by design — lacks secure local secret model)
  • Audit log tracks only metadata, never secret values
    → Logs are safe to ship, grep, or panic-search 😅

🔒 Crypto You Can Trust

  • LUKS2 + AES-256 + Argon2id — battle-tested disk encryption
  • True local-only: No network, no servers, no auto-deletion (only sealkey delete nukes secrets)
  • Export on demand: Create standalone LUKS2 backups — only with live passphrase

SealKey = your local vault, forensically quiet, cryptographically honest, and uncompromisingly yours.
Go ahead — commit that vault. We dare you. 😏

Project Details

Status: Maintenance
Category: Featured
Repository: GitHub
Demo: Private