Vault Management
hq-vault init
Create a new vault. Prompts for a master passphrase via stdin (echo disabled).
```bash
hq-vault init
hq-vault init --vault-path /custom/path/vault.db
hq-vault init --force # reinitialize (destroys all secrets)
```

| Flag | Description |
|---|---|
| `--vault-path <path>` | Custom vault file location (default: ~/.hq-vault/vault.db) |
| `--force` | Reinitialize existing vault — destroys all secrets |
hq-vault serve
Start the vault server. Holds the master key in memory so secrets can be retrieved without re-entering the passphrase.
```bash
hq-vault serve
hq-vault serve --port 9000
hq-vault serve --daemon
hq-vault serve --idle-timeout 60
hq-vault serve --insecure # HTTP only (testing)
```

| Flag | Default | Description |
|---|---|---|
| `--port <number>` | 13100 | Server port |
| `--vault-path <path>` | ~/.hq-vault/vault.db | Vault file location |
| `--idle-timeout <min>` | 30 | Auto-lock after N minutes of inactivity |
| `--insecure` | false | Use plain HTTP instead of HTTPS |
| `--daemon` | false | Run as background daemon |
| `--stop` | — | Stop a running daemon |
| `--restart` | — | Restart daemon with new options |
The server binds to localhost only (127.0.0.1). HTTPS uses an auto-generated self-signed certificate stored in ~/.hq-vault/.
A bootstrap token is generated on start and written to ~/.hq-vault/token.
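Both statements above can be verified on a host. The script below is an added example, not part of hq-vault or its documentation: `loose_perms` lists entries under the vault directory that grant any group/other permission, and `nonlocal_listeners` reads `ss -ltn`-style output and reports listeners on the vault port that are not bound to loopback. It assumes owner-only modes are the desired state, since the page does not say which modes hq-vault sets on the token, certificate, or vault file.

```bash
#!/bin/sh
# Added example (not hq-vault code): audit local exposure of a vault install.
# Assumption: everything under the vault directory should be owner-only.

# Print "<group/other bits> <path>" for each entry under DIR that grants
# any permission to group or other. Symlinks are skipped.
loose_perms() {
    dir=$1
    find "$dir" ! -type l | while IFS= read -r entry; do
        # ls -ld mode string is 1 type char + 9 permission chars;
        # characters 5-10 are the group and other triplets.
        go_bits=$(ls -ld -- "$entry" | cut -c5-10)
        [ "$go_bits" = "------" ] || printf '%s %s\n' "$go_bits" "$entry"
    done
}

# Read `ss -ltn` style lines on stdin and print every listener on PORT
# whose local address is not IPv4 loopback (127.0.0.0/8) or [::1].
nonlocal_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")        # port is the last ":" field
            p = parts[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && addr !~ /^127\./ && addr != "[::1]")
                print addr ":" p
        }'
}

# Usage with the defaults documented on this page:
#   loose_perms "$HOME/.hq-vault"
#   ss -ltn | nonlocal_listeners 13100
# Empty output from both means no finding.
```

Any line printed by `loose_perms` for `token` or `vault.db` means another local account can read the bootstrap token or the vault file. Any line from `nonlocal_listeners` means the port is reachable beyond localhost.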
hq-vault unlock
Unlock the vault by providing the master passphrase. Required after auto-lock or manual lock.
```bash
hq-vault unlock
```
hq-vault lock
Lock the vault immediately. Wipes the master key from memory using sodium_memzero().
```bash
hq-vault lock
```
hq-vault status
Show vault state — locked/unlocked, secret count, server info.
```bash
hq-vault status
hq-vault status --vault-path /custom/path/vault.db
```
Example output:
```
Vault: ~/.hq-vault/vault.db
Status: unlocked
Secrets: 12
Server: running (port 13100, PID 4821)
Idle timeout: 30 min
Last activity: 2 min ago
```