Veiled

Veiled is a local-first, terminal-based password manager built for people who care about security, simplicity, and control.

• Local-only encrypted vault
• Terminal UI (TUI), keyboard-first
• No cloud, no sync
• Modern cryptography by default
• Minimal, auditable codebase

Your passwords never leave your machine.

Features

• Encrypted local vault
• Fully keyboard-driven TUI
• Master password protection
• Temporary password reveal
• Clipboard copy support
• Change master password
• Safe vault reset with optional backup
• Explicit memory zeroization

Veiled is intentionally minimal. It focuses on doing one thing well: securely storing secrets on a single machine without hidden behavior.

Security Design

Veiled uses conservative and well-studied cryptographic primitives.

The master password is processed using Argon2id, a memory-hard password-based key derivation function designed to resist GPU and ASIC brute-force attacks. Derived keys are then used with XChaCha20-Poly1305, an authenticated encryption scheme providing both confidentiality and integrity.

Each vault is protected by a random per-vault salt, and all encryption operations use unique nonces. No plaintext secrets are ever written to disk, and Veiled performs no network access of any kind.

Sensitive data is actively zeroized from memory once it is no longer needed.

Threat Model

Veiled is designed to protect against offline attacks such as disk theft, stolen vault files, and accidental data exposure.

It does not attempt to protect against a compromised operating system, malicious root access, active keyloggers, or live memory inspection.

Veiled assumes the local machine is trusted at runtime.

Installation

From crates.io

cargo install veiled

From source

git clone https://github.com/shibu0x/veiled
cd veiled
cargo install --path .

Usage

veiled

All available keybindings and actions are displayed directly in the UI header.

No configuration files or setup steps are required beyond setting a master password on first launch.

Contributing

Veiled is a security-focused personal project, but contributions are welcome.

Please keep the following principles in mind:

• Prefer small, focused changes
• Avoid unnecessary dependencies
• Do not modify cryptographic logic without strong justification 0 Preserve the local-first, offline-only design

Before submitting a pull request, ensure the project builds cleanly and is formatted using

cargo fmt.

Disclaimer

Veiled is a personal security tool. While it uses well-audited cryptographic primitives, it has not undergone a formal security audit.

Use at your own risk.