PassBox

Open-source, zero-knowledge secrets management. CLI-native, SDK-ready, AI agent-friendly.

PassBox is a zero-knowledge secrets management platform. Your secrets are encrypted client-side before they ever leave your machine — the server never sees plaintext values.

Zero-Knowledge Encryption

End-to-end encryption with Argon2id, AES-256-GCM, and X25519. The server never sees your secrets in plaintext.

CLI-Native

21 commands covering every operation — vaults, secrets, environments, teams, webhooks, and more.

AI Agent Ready

MCP server with 11 tools lets AI agents (Claude, Cursor, Windsurf) securely access secrets without exposing values.

Developer SDK

TypeScript/Node.js SDK (@pabox/sdk) for programmatic access. GitHub Action for CI/CD pipelines.

# Install the CLI
npm install -g pabox
# Register and create your first vault
passbox login
passbox vault create my-app
# Store and retrieve secrets
passbox set DATABASE_URL "postgres://..." --vault my-app
passbox get DATABASE_URL --vault my-app
# Run your app with secrets injected
passbox run --vault my-app -- node server.js
# Push/pull .env files
passbox env push .env --vault my-app
passbox env pull --vault my-app -o .env.local

  1. You set a password — PassBox derives a master key using Argon2id (memory-hard KDF)
  2. Secrets are encrypted client-side — AES-256-GCM encryption before any network request
  3. Vault keys are shared via X25519 — team members get access through Diffie-Hellman key exchange
  4. The server stores only ciphertext — even if the database is compromised, secrets remain safe
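
The four steps above, sketched as an added example with Node's built-in crypto; this is not PassBox's own code. scrypt stands in for Argon2id, and the ephemeral-key wrap, the HKDF label, the AAD strings and all function names are assumptions made for illustration.

```javascript
// Added example, not PassBox source. Names, labels and AAD strings are assumed.
const crypto = require('node:crypto');

// Step 1: password -> 32-byte master key. scrypt stands in for Argon2id here.
function deriveMasterKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 2 ** 15, r: 8, p: 1, maxmem: 2 ** 26 });
}

// Step 2: AES-256-GCM, fresh 96-bit nonce per message. Output: nonce || tag || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}
// Throws if the key, the AAD, or any byte of the blob is wrong.
function open(key, blob, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Step 3: X25519 shared secret -> HKDF-SHA256 -> key-encryption key (assumed construction).
function kek(privateKey, publicKey) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'vault-key-wrap', 32));
}

// The sender wraps the vault key to a teammate's public key with an ephemeral key pair.
function wrapVaultKey(recipientPub, vaultKey) {
  const eph = crypto.generateKeyPairSync('x25519');
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  return { ephPub, wrapped: seal(kek(eph.privateKey, recipientPub), vaultKey, 'wrap') };
}
function unwrapVaultKey(recipientPriv, { ephPub, wrapped }) {
  const pub = crypto.createPublicKey({ key: ephPub, type: 'spki', format: 'der' });
  return open(kek(recipientPriv, pub), wrapped, 'wrap');
}

// Step 4: everything the server would hold for one secret. No field contains plaintext.
function buildServerRecord(password, secretValue, teammatePub) {
  const [salt, vaultKey] = [crypto.randomBytes(16), crypto.randomBytes(32)];
  return {
    salt, ownerWrapped: seal(deriveMasterKey(password, salt), vaultKey, 'owner'),
    teammate: wrapVaultKey(teammatePub, vaultKey),
    secret: seal(vaultKey, Buffer.from(secretValue), 'my-app/DATABASE_URL'),
  };
}
```

Passing the vault and secret name as AAD means a ciphertext moved to a different name or vault fails authentication instead of decrypting silently.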

| Component | Package | Description |
|---|---|---|
| CLI | pabox | Command-line tool (passbox binary) |
| SDK | @pabox/sdk | TypeScript SDK for Node.js |
| MCP Server | @pabox/mcp-server | AI agent integration |
| GitHub Action | Paparusi/passbox | CI/CD secrets injection |
| Web Dashboard | passbox.dev | Browser-based management |

PassBox is MIT licensed and fully open source. Self-host it or use the managed service at passbox.dev.