Get Started
Install PlainVault and set up your team vault in minutes.
Prerequisites
- Docker 20.10+
- Docker Compose v2 (optional)
Quick Start
Option A: Docker Compose (recommended)
# Clone the repository git clone https://github.com/s-w-choi/plainvault.git cd plainvault # Build and start all services docker compose up -d # App: http://localhost:13000 # Web: http://localhost:13001
Option B: Docker run (app only)
docker run -d \ --name plainvault \ -p 13000:3000 \ -e VAULT_ENCRYPTION_KEY="cNe1N8DQGgkse59oOLhpPmxfJcXAvFwzJXeskTVzJDY=" \ -e INIT_ADMIN_EMAIL="admin@plainvault.local" \ -e INIT_ADMIN_PASSWORD="plainvault-admin" \ -v plainvault-data:/app/prisma/data \ boydchoi/plainvault:latest
VAULT_ENCRYPTION_KEY: Provide your own random Base64-encoded 32-byte key. This key is used for AES-256-GCM encryption and should be kept secure.
INIT_ADMIN_EMAIL / INIT_ADMIN_PASSWORD: Set the initial admin credentials. Override defaults as needed.
If not provided, the encryption key is auto-generated on first run and persisted in the data volume.
Environment Variables
| Variable | Required | Description |
|---|---|---|
| VAULT_ENCRYPTION_KEY | No | Master key for AES-256-GCM encryption. Auto-generated on first run if not set. |
| DATABASE_URL | No | Prisma database URL (default: file:/app/prisma/data/vault.db) |
| INIT_ADMIN_EMAIL | No | Override default admin email (default: admin@plainvault.local) |
| INIT_ADMIN_PASSWORD | No | Override default admin password (default: plainvault-admin) |
First Login
After starting the container, visit http://localhost:13000 and log in:
Email: admin@plainvault.local
Password: plainvault-admin
Override defaults with INIT_ADMIN_EMAIL and INIT_ADMIN_PASSWORD env vars.
What is PlainVault?
PlainVault is a secure internal vault for teams to store and share secrets, configuration files, and secure notes. All content is encrypted with AES-256-GCM and access is controlled by role-based permissions.
- Database connection strings and credentials
- API keys for third-party services
- Environment variable configurations (env files)
- SSL certificates and private keys
- Team notes with sensitive information
- Infrastructure configuration (docker-compose, kubernetes configs)
How access works
Request an account — go to the registration page and fill in your name, email, and password
Wait for approval — your administrator will receive your request and approve or reject it
Sign in and start managing files — once approved, log in and browse, create, or edit vault files based on your role
Security model
All file content is encrypted at rest using AES-256-GCM encryption. Even if the database is compromised, the content cannot be read without the encryption key.
For VIEWER role users, sensitive values are automatically masked:
# Raw (DEVELOPER / ADMIN) DATABASE_URL=postgres://user:secret123@db.example.com:5432 API_KEY=sk_live_abcdef123456
# Masked (VIEWER) DATABASE_URL=******** API_KEY=********