VaultTerm

vaultterm --secure --audited

Secrets and SSH access,
brokered and audited.

VaultTerm is the secure credential vault and audited terminal access broker for teams. Share secrets safely, run every session through a full audit trail, and keep AI assistance on your own network.

free plan to start · your secrets stay encrypted and audited from minute one

session://acme · prod-web-01
acme:~ vault unlock --team
✓ vault open · 42 secrets · envelope-encrypted
acme:~ ssh prod-web-01
→ access granted · JIT 20m · audit a1f9c2
prod-web-01:~ deploy --release v2.8.0
→ 3 replicas rolled · recorded for compliance
prod-web-01:~

one vault, every surface you work on

Web · Browser extension · macOS · Windows · Linux · iOS · Android · CLI

broker status

One broker between your people and your hosts

No standing credentials. The broker decrypts in memory for an authorized, audited session — then everything is on the record.

[Diagram: You & your team (request access) → VaultTerm broker (decrypt in memory › enforce policy + roles › just-in-time access › no plaintext at rest) → Hosts & secrets (SSH · DBs · APIs); Tamper-evident audit (every access recorded)]

  1. Store

    Secrets go into the vault under envelope encryption — typed, organised, and never written as plaintext.

  2. Request

    When you need a host or a secret, you (or the broker) request access — scoped, and just-in-time where it matters.

  3. Broker

    The server decrypts in memory for that authorized session only, injecting access without leaving standing credentials behind.

  4. Audit

    Every read and every session lands in a tamper-evident trail, so access is always attributable after the fact.

trace --security

Secure at every step of every flow

Whatever you do — create, share, or onboard — the data is encrypted in motion and at rest, and every step is audited.

Create a password

Generate, score and store — encrypted before it ever touches disk.

  1. Generate

    strong by default

  2. Strength check

    weak ones flagged

  3. Encrypt

    envelope keys

  4. Stored

    never plaintext

Share a secret

Hand off access with an encrypted, expiring, revocable link — never a plaintext paste.

  1. Pick a secret

    from your vault

  2. Seal

    encrypted link

  3. Send

    expires · revocable

  4. Opened

    access audited

Invite a teammate

Add people by email with a role; access is scoped and recorded from minute one.

  1. Invite

    by email + role

  2. Accept

    device-bound

  3. Granted

    scoped access

  4. On record

    who joined when

open --ui

A look at the interface

Representative views of the VaultTerm UI — vault, teams, extension and privacy-first AI.

vaultterm.io/vault
Credential vault organised by type

A vault for every secret type

Logins, SSH keys, API keys, env files and notes — organised and envelope-encrypted.

vaultterm.io/teams
Team members and just-in-time access requests

Shared access with approvals

Roles, shared vaults, and just-in-time elevation requests you approve in a click.

Chrome & Firefox
Browser extension autofill with in-popup authenticator

Autofill where you work

On-site matches, capture-on-submit, and a built-in TOTP authenticator.

vaultterm.io/ai
Privacy-first AI assist with redaction

AI that stays on your network

A self-hosted model by default, with terminal output redacted before it ever leaves the LAN.

security --model

An audited broker — not zero-knowledge theatre

We are honest about the model: the server decrypts in memory for authorized, audited sessions. No plaintext at rest, envelope encryption throughout, and a tamper-evident record of who accessed what.

No plaintext at rest

Envelope encryption for every secret. Keys are wrapped, rotated, and never stored beside the data they protect.

Fully audited access

Every secret read and every session is attributable in a tamper-evident audit trail your auditors will accept.

Privacy-first AI

AI defaults to your own network. Terminal output never leaves the LAN unless you allow it, behind a redaction gate.

why vaultterm

What we stand for

We're a small team building this in the open. Instead of borrowed logos and invented quotes, here's what actually guides the product.

Honest about the model

We're an audited access broker, not zero-knowledge. The server decrypts in memory for authorized sessions — we say so plainly rather than marketing a guarantee we don't meet.

Privacy-first AI

Assistance defaults to a self-hosted model on your network. Cloud is opt-in and redaction-gated, never the silent default.

Built for engineers

A real SSH client and terminal, typed secrets, importers and a browser extension — designed around how access actually happens, not a generic password box.

faq --list

Common questions

Is VaultTerm zero-knowledge?

No. VaultTerm is an audited access broker: the server decrypts in memory for authorized, audited sessions. There's no plaintext at rest and encryption is envelope-based throughout — but we don't claim a zero-knowledge guarantee we can't keep.

Can I self-host it?

Yes. VaultTerm self-hosts as a single Docker Compose unit — even fully air-gapped — with your keys in your own HSM and AI on your LAN. See the self-hosting page for how on-prem deployment, licensing and bring-your-own-key options work.

Do I have to pay to try it?

No. There's a free plan to start, and paid plans add unlimited vaults and connections, team features, just-in-time access and compliance reporting.

How is this different from a password manager?

A password manager stores secrets. VaultTerm also brokers access: it connects you to hosts through an audited broker with just-in-time elevation, session recording and a tamper-evident audit trail — the access side a vault alone doesn't cover.

Which platforms does it run on?

The web app and browser extension are available today; desktop (macOS, Windows, Linux), mobile (iOS, Android) and a CLI are on the roadmap. See the downloads page for current status.

Bring your secrets and sessions under one audited roof.

Start free in minutes. Upgrade when your team needs shared vaults, JIT access, and compliance reporting.