RVault is a local-first password manager written in Rust, with a terminal UI, a CLI, and a Helium browser extension that talks to the local rvault binary through native messaging.
Current version: 1.2.0.
RVault keeps storage local. Passwords are encrypted before they are written to SQLite, browser integration goes through a local native host, and the extension does not store plaintext credentials.
Contents
- Install RVault
- Install the Helium Extension Locally
- Quick Start
- Backup and Restore
- Encrypted Export and Import
- TUI Keybindings
- How RVault Works
- Build and Test From Source
- Release Checklist
- Current Boundaries
- License
Install RVault
From GitHub Releases
After the v1.2.0 release is published, install the CLI from the release assets:
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/ata-sesli/rvault/releases/download/v1.2.0/rvault-cli-installer.sh | sh
On Windows PowerShell:
powershell -ExecutionPolicy Bypass -c "irm https://github.com/ata-sesli/rvault/releases/download/v1.2.0/rvault-cli-installer.ps1 | iex"
Confirm the install:
Expected version:
From Source
Requirements:
- Rust toolchain with Cargo
- Bun, only needed for the browser extension
- Helium on macOS, only needed for browser integration
Install the CLI from this repository:
git clone https://github.com/ata-sesli/rvault.git
cd rvault
cargo install --path crates/rvault-cli --force
rvault --versionRun the terminal UI:
Install the Helium Extension Locally
The RVault extension is not published in the Chrome Web Store for 1.2.0. Install it locally in Helium.
This v1 path targets Helium on macOS. rvault browser enable writes Helium's native messaging manifest here:
~/Library/Application Support/net.imput.helium/NativeMessagingHosts/io.github.ata_sesli.rvault.json
Option A: Install From a Release ZIP
-
Install the
rvaultCLI first. -
Download
rvault-extension-1.2.0.zipfrom thev1.2.0GitHub release. -
Unzip it somewhere stable, for example:
mkdir -p ~/Applications/rvault-extension unzip rvault-extension-1.2.0.zip -d ~/Applications/rvault-extension
- Open Helium and go to:
-
Enable Developer mode.
-
Click Load unpacked.
-
Select:
~/Applications/rvault-extension
- Register RVault as Helium's native messaging host:
- Click the RVault toolbar icon in Helium.
If you move or reinstall the rvault binary, run this again:
To remove the native messaging registration:
Option B: Build the Extension Locally
From the repository root:
cd extension
bun install
bun run buildThen load this folder in Helium:
extension/build/chrome-mv3-prod
After loading the extension, register the native host:
Do not load the top-level extension/ folder. Helium must load the built chrome-mv3-prod folder.
Troubleshooting Browser Integration
If the extension says the native host is unavailable:
rvault browser disable
rvault browser enableThen reload the extension in chrome://extensions.
The extension ID is pinned by the manifest key. The expected Helium extension ID is:
gnfmkmiklgghclejbbdmjgcldajahfhh
Quick Start
Set up RVault once:
Unlock the vault:
Add a credential:
rvault add github alice:correct-horse-battery-staple
Copy a credential password to the clipboard:
Generate a password and copy it to the clipboard:
rvault generate --length 20 --special-characters
Launch the terminal UI:
Lock the vault:
Backup and Restore
Backups are full encrypted binary recovery bundles. A backup is for the owner of the vault, not for sharing selected entries.
Create a backup:
rvault backup create --out rvault.rvault-backup
Restore a backup:
rvault backup restore rvault.rvault-backup
Skip the interactive restore confirmation:
rvault backup restore rvault.rvault-backup --yes
Restore replaces local RVault data after confirmation. Keep backup files somewhere you control.
Encrypted Export and Import
Exports are encrypted binary .rvault-export files for selected-entry sharing with another RVault user.
The recipient gets their public RVault identity code:
rvault unlock rvault identity
The sender exports one entry for that recipient:
rvault export --to rvault1-recipient-code --entry github alice --out github.rvault-exportThe sender can export multiple selected entries:
rvault export --to rvault1-recipient-code \
--selected github:alice \
--selected email:alice@example.com \
--out shared.rvault-exportThe recipient imports the file:
rvault unlock rvault import shared.rvault-export
Conflict shortcuts:
rvault import shared.rvault-export --overwrite-all rvault import shared.rvault-export --skip-all
Only the recipient identity can decrypt the export.
TUI Keybindings
Main Table
| Key | Action |
|---|---|
Up / Down |
Move through entries |
Enter |
Copy the selected password to the clipboard |
a |
Add a new entry |
e |
Edit the selected entry |
d |
Delete the selected entry |
p |
Pin or unpin the selected entry |
i |
Copy this device's public identity code |
b |
Create a backup |
r |
Restore a backup |
x |
Export the selected entry |
m |
Import an encrypted export file |
S |
Open sort selection |
t |
Open theme selection |
Tab |
Switch to the password generator |
q / Esc |
Quit |
Shift+Q |
Lock and quit |
Generator View
| Key | Action |
|---|---|
Left / Right |
Decrease or increase password length |
s |
Toggle special characters |
Enter |
Generate a password and copy it |
Tab |
Return to the main table |
q / Esc |
Quit |
Selection Dialogs
| Key | Action |
|---|---|
Up / Down |
Move through options |
j / k |
Move through options in sort and theme selection |
Enter |
Confirm |
q / Esc |
Close the dialog |
How RVault Works
RVault is split into three Rust crates and one browser extension:
rvault-corehandles config, keystore management, encryption, sessions, binary envelopes, backup, identity, export/import, storage, and clipboard integration.rvault-clibuilds thervaultbinary, CLI commands, and native messaging host.rvault-tuiprovides the terminal UI.extensioncontains the Plasmo MV3 extension for Helium.
At setup time, RVault stores a master-password hash in the config directory and creates a local keystore file encrypted with a key derived from the master password.
When the vault is unlocked, protected operations use the active session key instead of asking for the master password for every command.
Browser integration uses Chrome-style native messaging. Helium launches rvault directly when the extension sends a native message. rvault browser enable only registers the native messaging manifest; it does not start a background daemon.
Build and Test From Source
Build Rust crates:
Run Rust tests:
cargo test -p rvault-core cargo test -p rvault-cli cargo test -p rvault-tui cargo check
Build and test the extension:
cd extension bun install bun test bun run build
Create a local extension ZIP:
cd extension/build/chrome-mv3-prod zip -r ../../../rvault-extension-1.2.0.zip .
The ZIP must contain manifest.json at the ZIP root.
Release Checklist
For 1.2.0:
- Confirm versions are
1.2.0inCargo.toml,Cargo.lock, andextension/package.json. - Run Rust checks:
cargo test -p rvault-core cargo test -p rvault-cli cargo test -p rvault-tui cargo check
- Run extension checks:
cd extension bun test bun run build
- Tag and push the release:
The cargo-dist release workflow builds the CLI installers. A separate extension release workflow builds and uploads rvault-extension-1.2.0.zip for local Helium installation after the GitHub Release exists.
Current Boundaries
- The browser extension is distributed locally for
1.2.0; it is not published in the Chrome Web Store. - Browser native host registration targets Helium on macOS.
- Firefox support is not included in this release.
- RVault does not provide hosted sync.
- Export/import is encrypted recipient sharing, not plaintext export.
- Backups are full recovery files and replace local RVault data on restore.
License
Dual-licensed under MIT or Apache-2.0.