Daemon Mode
For always-on vault access, run the server as a background daemon.
Start as Daemon
    hq-vault serve --daemon

This detaches from the terminal and runs in the background. A PID file is written to ~/.hq-vault/vault.pid and the port is recorded in ~/.hq-vault/vault.port.
Stop the Daemon
    hq-vault serve --stop

This sends a graceful shutdown signal. The vault locks and the server exits cleanly.
Restart
    hq-vault serve --restart
    hq-vault serve --restart --port 9000 --idle-timeout 60

Restart with new options without manually stopping first.
Check Status
    hq-vault status

    Vault: ~/.hq-vault/vault.db
    Status: unlocked
    Secrets: 12
    Server: running (port 13100, PID 4821)
    Idle timeout: 30 min
    Last activity: 2 min ago

Auto-Lock Behavior
The daemon auto-locks after the configured idle timeout (default: 30 minutes). When locked:
- The master key is securely wiped from memory (sodium_memzero)
- All secret retrieval requests return 403 VAULT_LOCKED
- Token management and status endpoints still work
- Unlock with hq-vault unlock (prompts for passphrase)
Any successful vault operation resets the idle timer.
Platform Notes
Windows
On Windows, daemon mode runs as a background Node.js process. The PID file enables --stop and --restart to find and signal the process.
macOS / Linux
Same background process model. For production deployments, consider wrapping with systemd (Linux) or launchd (macOS) for automatic restart on boot.
Example systemd unit:
    [Unit]
    Description=HQ Vault
    After=network.target

    [Service]
    ExecStart=/usr/local/bin/hq-vault serve --port 13100
    ExecStop=/usr/local/bin/hq-vault serve --stop
    Restart=on-failure
    User=vault

    [Install]
    WantedBy=multi-user.target

Logs
Server logs go to stdout in foreground mode. In daemon mode, logs are written to ~/.hq-vault/vault.log with automatic rotation.
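
An added example, not part of hq-vault: a POSIX shell check of the files daemon mode leaves in ~/.hq-vault. It reports a stale or malformed vault.pid (the file --stop and --restart rely on) and any state file accessible beyond its owner. It assumes vault.pid holds a single decimal PID and that the directory is meant to be owner-only; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not hq-vault code. Assumes vault.pid holds one decimal PID.

# pid_state FILE: print missing | invalid | stale | running.
# "running" means kill -0 succeeds: the process exists and the current user
# may signal it, which is what --stop and --restart need.
pid_state() {
    [ -f "$1" ] || { echo missing; return 0; }
    pid=$(tr -d '[:space:]' < "$1")
    case "$pid" in
        ''|0|*[!0-9]*) echo invalid; return 0 ;;
    esac
    if kill -0 "$pid" 2>/dev/null; then echo running; else echo stale; fi
}

# loose_perms PATH...: print every existing path with any group/other bit set.
loose_perms() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print
    done
}

# audit_vault_dir DIR: report findings; return 0 only if nothing needs attention.
audit_vault_dir() {
    dir=$1
    rc=0
    state=$(pid_state "$dir/vault.pid")
    echo "vault.pid: $state"
    case "$state" in stale|invalid) rc=1 ;; esac
    # Assumption: these files should be private to the vault user.
    loose=$(loose_perms "$dir" "$dir/vault.db" "$dir/vault.pid" \
        "$dir/vault.port" "$dir/vault.log")
    if [ -n "$loose" ]; then
        echo "accessible to group/other (expected owner-only):"
        echo "$loose" | sed 's/^/  /'
        rc=1
    fi
    return "$rc"
}

audit_vault_dir "$HOME/.hq-vault" || true
```

A "running" result only shows that some signalable process has that PID; after a crash and PID reuse it may not be the vault, so compare it with the PID reported by hq-vault status.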