Coffer is a zero-dependency encrypted vault for passwords, private notes, build commands, and API keys. One encrypted file on your own disk. No cloud, no account, no telemetry — encrypted with AES-256-GCM and a key derived from your master passphrase.
Coffer is a small command-line tool. It keeps everything in a single encrypted JSON file at ~/.secrets — chmod 600, atomic writes, rotating backups. There is no server to trust and nothing to sync.
Your master passphrase derives a 256-bit key. The vault is sealed with AES-256-GCM, so tampering or a wrong passphrase is rejected — not silently mis-decrypted.
No network calls, ever. The optional serve UI binds 127.0.0.1 only. Nothing is uploaded, backed up to a cloud, or phoned home.
There is no reset link and no recovery key. If you lose the master passphrase, the data is gone. That is the point — only you can open it.
No home-grown ciphers. Coffer uses well-understood primitives from the Node standard library — nothing else.
Every item carries a title and tags, plus fields specific to its type.
Coffer is one file you run from your terminal. Here is what a session looks like.
$ coffer init Set a master passphrase (won't echo): •••••••• ✓ vault created at ~/.secrets (chmod 600) $ coffer add password --title "GitHub" \ --username kristenslab --url github.com Password (leave blank to generate): ✓ generated + stored · tags: git,work $ coffer add api --title "Anthropic (prod)" \ --service anthropic --env AF ✓ stored $ coffer search anthropic api Anthropic (prod) [anthropic · AF] $ coffer serve → http://127.0.0.1:7777 (loopback only)
Manage the vault entirely from the command line.
gen makes strong passwords · passwd rotates the master key · import-env pulls keys straight from a .env · doctor checks file perms and backups.
This runs entirely in your browser using the WebCrypto API. Type a passphrase, add a few items, lock it, and try the wrong passphrase to see the vault refuse to open.
Try locking, then unlocking with a different passphrase — GCM authentication fails and the vault refuses to decrypt. There is no way around it.