Open source · MIT

Self-host vault1984

One binary. No Docker. No Postgres. No Redis. Runs anywhere Go runs.

1

Download

The install script detects your OS and architecture, downloads the latest release, and puts it in your PATH.

$ curl -fsSL vault1984.com/install.sh | sh

Or download directly:

linux/amd64 darwin/arm64 darwin/amd64
2

Set your vault key

The vault key encrypts your Agent field data at rest. If you lose this key, Agent field data cannot be recovered.

# Generate a random key
$ export VAULT_KEY=$(openssl rand -hex 32)
# Save it somewhere safe
$ echo $VAULT_KEY >> ~/.vault1984-key
3

Run it

A SQLite database is created automatically in ~/.vault1984/.

$ vault1984
vault1984 running on http://localhost:1984
Database: ~/.vault1984/vault.db
4

Configure MCP

Point your AI assistant at the vault. Works with Claude Code, Cursor, Codex, or any MCP-compatible client.

~/.claude/mcp.json

{
  "mcpServers": {
    "vault1984": {
      "url": "http://localhost:1984/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_MCP_TOKEN"
      }
    }
  }
}

Generate an MCP token from the web UI at http://localhost:1984 after first run.

5

Import your passwords

The LLM classifier automatically suggests Agent/Sealed assignments for each field. Review and confirm in the web UI.

# Chrome, Firefox, Bitwarden, Proton Pass, 1Password
$ vault1984 import --format chrome passwords.csv
$ vault1984 import --format bitwarden export.json
$ vault1984 import --format 1password export.json

Run as a service

For always-on availability, run vault1984 as a systemd service.

/etc/systemd/system/vault1984.service

[Unit]
Description=vault1984
After=network.target

[Service]
Type=simple
User=vault1984
EnvironmentFile=/etc/vault1984/env
ExecStart=/usr/local/bin/vault1984
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
$ sudo systemctl enable --now vault1984

Expose to the internet

Put vault1984 behind Caddy for TLS and remote access.

Caddyfile

vault.yourdomain.com {
    reverse_proxy localhost:1984
}