Your terminal is the most powerful security tool you own.
Developers live in the terminal. Secret managers should too. FyVault gives you 40+ commands, kernel-level injection, and offline operation — all from a single binary with zero dependencies.
You have been managing secrets through web dashboards. Clicking through UIs. Copy-pasting values between browser tabs and .env files. That is not how developers work. You work in the terminal. Your workflows are scripts, pipes, and keystrokes. Your secret manager should be the same.
FyVault is the tool you have been building shell scripts to replace.
One line. Two minutes. Production-ready.
Boot and Seal
$ fyvault boot --org acme
One command cold-starts everything. Fetches secrets from the vault, loads eBPF programs into the kernel, seals the keyring. Your app never sees a plaintext credential.
$ fyvault status
Instant health check. See what is loaded, what is stale, whether the kernel is locked down, and if the cloud connection dropped. No dashboard needed.
Manage from Anywhere
$ fyvault secrets:create --name stripe-live --env production
Create secrets without leaving your terminal. No browser tab. No UI form. Type the command, paste the value, done. It syncs to every device in the org.
$ fyvault rotate --secret stripe-live
Rotate without restarting. The kernel keyring updates in-place. Your running application never drops a request. Zero downtime by design, not by luck.
$ fyvault secrets:list --env production --format table
List, filter, and inspect every secret across environments. Pipe the output to jq, grep it, feed it into your own tooling. It is just stdout.
CI-First Pipelines
$ fyvault sync vercel --env=production --token=$VERCEL_TOKEN --project-id=prj_xxx
Push secrets into Vercel, Netlify, Railway, Fly.io, or any platform that accepts env vars. One command replaces a dozen clicks through a web console.
$ fyvault export --env=staging --format=dotenv | docker run --env-file /dev/stdin myapp
Pipe secrets directly into any build step. No .env files committed. No intermediate storage. Secrets flow from the vault to the process and nowhere else.
Scan and Protect
$ fyvault scan --file=.env.backup
Point it at any file, directory, or repo. It detects AWS keys, Stripe tokens, database URLs, private keys, and 22+ other patterns. Catch leaks before they ship.
$ fyvault hooks:install --pre-commit
Install a git pre-commit hook that blocks any commit containing a secret. One command. Every contributor on the repo is protected from that point forward.
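To show what pattern-based detection and a blocking pre-commit check involve, here is an added example that is not FyVault's code or rule set. The regexes, the names RULES, scan_text and hook_exit_code, and the sample file contents are all assumptions made for illustration.

```python
import re

# Illustrative rules for the four secret classes named above (assumed regexes).
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "stripe-live-key": re.compile(r"\b[sr]k_live_[0-9A-Za-z]{24,}\b"),
    "database-url": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://"
        r"[^\s:/@]+:(?P<pw>[^\s@]+)@\S+"),
    "private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

# Constructed sample input; none of these values are real credentials.
SAMPLE_ENV_BACKUP = """\
# constructed sample
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
STRIPE_KEY=sk_live_EXAMPLEexample0000000000
DATABASE_URL=postgres://app:hunter2@db.example.internal:5432/app
REPLICA_URL=postgres://app:${DB_PASS}@db.example.internal:5432/app
LOG_LEVEL=debug
TLS_KEY="-----BEGIN RSA PRIVATE KEY-----"
"""

def redact(value, keep=4):
    """Keep a short prefix only, so the report does not leak the secret."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_text(text):
    """Return (line_number, rule, redacted_match) for every hit, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                # A URL whose password is a variable reference holds no secret.
                if m.groupdict().get("pw", "").startswith("$"):
                    continue
                findings.append((lineno, rule, redact(m.group(0))))
    return findings

def hook_exit_code(text):
    """A pre-commit hook blocks the commit by exiting non-zero."""
    return 1 if scan_text(text) else 0

if __name__ == "__main__":
    for lineno, rule, shown in scan_text(SAMPLE_ENV_BACKUP):
        print(f"line {lineno}: {rule}: {shown}")
```

Regex rules like these catch only well-known formats; secrets with no recognisable prefix need entropy checks or other detection methods.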
Boot. Create. Scan. Rotate. Ship.
This is what a real workflow looks like. Five commands take you from a cold start to production-synced secrets with a clean security scan along the way.
Same CLI. Different superpowers.
Linux gets eBPF kernel injection. macOS gets Keychain backed by the Secure Enclave. Windows gets DPAPI encryption tied to your machine identity. One binary adapts to whatever OS it lands on and uses the strongest protection available.
Linux
eBPF kernel injection
Attaches to syscalls at the kernel level. Secrets are rewritten in-flight before your process ever touches them. The keyring is sealed with a dedicated eBPF program that blocks unauthorized reads.
macOS
Keychain integration
Secrets are stored in the macOS Keychain, protected by the Secure Enclave on Apple Silicon. Access is scoped per-application. Touch ID can gate retrieval for interactive workflows.
Windows
DPAPI encryption
Secrets are encrypted with the Windows Data Protection API, tied to the user profile and machine identity. No plaintext ever hits the filesystem. Works with Windows Credential Manager.
40+ commands. One binary.
Every operation that used to require a browser tab, a web dashboard, or a custom shell script is now a single command. Create, rotate, scan, sync, export, fingerprint, and more.
One-Line Install
curl | bash. Registers the device, installs the systemd service, attaches eBPF. Two minutes from zero to sealed.
Hardware Fingerprinting
CPU serial, board ID, DMI data. Every machine gets a unique identity that cannot be copied or spoofed.
eBPF Kernel Injection
Hooks into syscalls and rewrites credentials in-flight at the kernel level. Roughly 3 microseconds of overhead.
Offline by Default
The cloud is only needed at boot. After secrets are cached, the agent runs fully independent. Network goes down, secrets stay up.
Hot Rotation
Rotate any secret without restarting your app. The kernel keyring patches itself live. Your process never notices.
Isolated OS User
The agent runs as a dedicated fyvault-agent user with its own keyring. Even root on the host cannot read the sealed secrets.
30+ Platform Syncs
Push secrets to Vercel, Netlify, Heroku, Railway, Fly.io, Render, and more. One command replaces a web console.
Secret Scanner
22+ detection patterns for AWS keys, Stripe tokens, private keys, database URLs. Pre-commit hooks block leaks before they merge.
Git-Native Hooks
Pre-commit scanning installs in one command. Every contributor is protected. No configuration files to maintain.
40+ Commands
Create, read, rotate, delete, scan, sync, export, fingerprint. Every operation you need, accessible from a single binary.
System Requirements
Full eBPF support requires Linux 5.8 or later with root privileges. macOS and Windows use native OS security primitives and do not require elevated access for basic operation.