keep — encrypted vault

keep is an encrypted secrets/notes vault synced over Swarm. Your key/value pairs are encrypted client-side (ChaCha20-Poly1305) — only ciphertext ever reaches Swarm — and made mutable behind a feed, so the vault follows you across machines.

keep init --stamp <batch>                 # create a vault (~/.keep/keep.json)
keep set api-token s3cr3t --stamp <batch>
keep get api-token                        # -> s3cr3t  (read; no stamp)
keep list
keep rm  api-token --stamp <batch>

Use cases

CLI secret management — API tokens, keys, config secrets.
Portable notes/secrets across machines (copy the config).
A personal vault whose ciphertext is backed up on Swarm.

How it works & security

The vault is a JSON map encrypted under a key derived from a locally-stored secret (~/.keep/keep.json); the ciphertext is uploaded to Swarm and a feed points at the latest version. The config file is the only thing that can decrypt your vault — copy it to use the vault elsewhere; lose it and the data is unrecoverable, by design. Nothing readable is ever stored on Swarm.

The encryption (ChaCha20-Poly1305) is standard but unaudited; treat keep as a convenient personal vault, not a hardened secrets manager.

The scout toolkit

keep — encrypted vault

Use cases

How it works & security