A secure, offline-first desktop application for managing application configurations and secrets. Built with PyQt5 and Python, featuring strong encryption and a professional Qt interface.
- 🔐 Strong Encryption: AES-256-GCM encryption with PBKDF2 key derivation
- 👤 Multiple Profiles: Organize configurations into separate profiles
- 🌍 Environment Support: Manage configs for development, staging, and production
- 🔍 Search Functionality: Quickly find configurations by key or value
- 📦 Import/Export: Share profiles securely or backup your data
- 🔒 Auto-Lock: Automatic vault locking after 15 minutes of inactivity
- 🎨 Professional UI: Clean, intuitive PyQt5 interface
- 💾 Offline-First: All data stored locally and encrypted
- Python 3.7 or higher
- pip
```bash
pip install -r requirements.txt
python main.py
```
- On first launch, you'll be prompted to create a new vault
- Choose a strong master password (at least 8 characters)
- Important: Remember this password - it cannot be recovered if lost!
- A default profile will be created for you
- Click "Add Configuration" button or use the toolbar
- Enter the key (e.g., `DATABASE_URL`)
- Enter the value (e.g., `postgresql://localhost/mydb`)
- Check "This is a secret" to mask sensitive values
- Select the environment (default, development, staging, production)
- Click OK
- Double-click a row in the table, or
- Select a row and click "Edit Selected"
- Select a row and click "Delete Selected"
Profiles help you organize different sets of configurations (e.g., separate profiles for different projects).
- Go to Profile → New Profile
- Enter a profile name and optional description
- Click OK
- Use the "Active Profile" dropdown at the top of the window
- Go to Profile → Delete Current Profile
- Confirm the deletion (cannot delete the last profile)
Use the "Environment" dropdown to filter configurations by environment:
- All: Show all configurations
- default: Default environment
- development: Development environment
- staging: Staging environment
- production: Production environment
Type in the search box to filter configurations by key or value. Search works across the currently selected environment filter.
- Go to Profile → Export Current Profile
- Choose a location and filename (`.vault` extension)
- The profile will be encrypted with your master password
- Go to Profile → Import Profile
- Select the `.vault` file
- Enter your master password
- If a profile with the same name exists, you'll be asked to overwrite
- Go to Tools → Export Vault (Plaintext)
- Confirm the warning
- Choose a location for the JSON file
- Keep this file secure!
The vault automatically locks after 15 minutes of inactivity. Any action (adding, editing, viewing) resets the timer.
- Go to File → Lock Vault, or
- Click the "Lock" button in the toolbar
- Go to Tools → Change Master Password
- Enter your current password
- Enter and confirm your new password
By default, the vault is stored at:
- Linux/Mac: `~/.config_vault.json`
- Windows: `C:\Users\<username>\.config_vault.json`
The file is encrypted and cannot be read without the master password.
- Use a Strong Master Password:
  - At least 12 characters
  - Mix of uppercase, lowercase, numbers, and symbols
  - Don't use common words or patterns
- Keep Your Password Safe:
  - Don't share your master password
  - Don't write it down in plain text
  - Consider using a password manager
- Regular Backups:
  - Export profiles periodically
  - Store encrypted backups in a secure location
  - Test restoring from backups
- Mark Secrets Appropriately:
  - Check "This is a secret" for passwords, API keys, tokens
  - Secrets are masked in the UI as `••••••••`
- Lock When Not in Use:
  - Manually lock the vault when stepping away
  - The auto-lock provides additional protection
- Algorithm: AES-256-GCM (Galois/Counter Mode)
- Key Derivation: PBKDF2-HMAC-SHA256 with 100,000 iterations
- Random Salt: 16 bytes per encryption
- Random Nonce: 12 bytes per encryption
- Authentication: Built-in GCM authentication tag
- Vault contains multiple profiles
- Each profile contains multiple configuration entries
- Each entry has: key, value, secret flag, environment, timestamps
- Data serialized as JSON
- Entire JSON encrypted with master password
- Base64 encoded for text storage
- Salt, nonce, tag, and ciphertext combined in output
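
The scheme listed above, written out end to end as an added example (this is not the project's `encryption.py`). It assumes the third-party `cryptography` package and assumes the output bytes are laid out in the order the list names them: salt, nonce, tag, ciphertext. The names `seal`, `open_vault` and `SAMPLE` are hypothetical.

```python
import base64
import hashlib
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 16   # sizes from the list above
ITERATIONS = 100_000                        # PBKDF2-HMAC-SHA256 rounds
HEADER_LEN = SALT_LEN + NONCE_LEN + TAG_LEN

# Constructed sample data, not a real vault.
SAMPLE = {"profiles": [{"name": "default", "entries": [
    {"key": "DATABASE_URL", "value": "postgresql://localhost/mydb",
     "secret": True, "environment": "development"}]}]}


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 32-byte AES-256 key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, ITERATIONS, dklen=32)


def seal(vault: dict, password: str) -> str:
    """Serialize to JSON, encrypt, and return base64(salt|nonce|tag|ct)."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)  # fresh per call
    plaintext = json.dumps(vault).encode("utf-8")
    sealed = AESGCM(derive_key(password, salt)).encrypt(nonce, plaintext, None)
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]  # library appends the tag
    return base64.b64encode(salt + nonce + tag + ct).decode("ascii")


def open_vault(blob: str, password: str) -> dict:
    """Reverse seal(); ValueError on a wrong password or any modified byte."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < HEADER_LEN:
        raise ValueError("vault blob too short")
    salt = raw[:SALT_LEN]
    nonce = raw[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag, ct = raw[SALT_LEN + NONCE_LEN:HEADER_LEN], raw[HEADER_LEN:]
    try:
        plain = AESGCM(derive_key(password, salt)).decrypt(nonce, ct + tag, None)
    except InvalidTag:
        raise ValueError("wrong password or tampered vault") from None
    return json.loads(plain)
```

A wrong password and a corrupted file fail the same way here, at the GCM tag check, so the error alone cannot tell the two apart.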
- Double-check your password (case-sensitive)
- Ensure Caps Lock is off
- If you've forgotten your password, the vault cannot be recovered
- The imported profile was encrypted with a different password
- Ensure you're using the correct password for that profile
- Check that all dependencies are installed: `pip install -r requirements.txt`
- Verify Python version: `python --version` (should be 3.7+)
```
qt-config-vault/
├── main.py           # Main GUI application
├── encryption.py     # Encryption/decryption logic
├── models.py         # Data models (Vault, Profile, ConfigEntry)
├── storage.py        # Persistent storage backend
├── requirements.txt  # Python dependencies
└── README.md         # This file
```
Currently, the project focuses on manual testing. To test:
- Create a vault with a test password
- Add various configurations with different environments
- Test search, filter, edit, delete operations
- Test profile creation, export, import
- Test password change
- Test auto-lock functionality
MIT License - see LICENSE file for details.
Contributions are welcome! Please feel free to submit issues or pull requests.
Max Base - GitHub