vault

fialr vault <action> [path] [options]

Create, open, close, and manage encrypted vaults. Vaults are general-purpose encrypted containers for any file. Tier 1 files are recommended for vault storage but not required.

Actions

Action	Description	Backends
`create`	Create a new encrypted vault	All
`open`	Mount a vault (makes contents accessible)	APFS, VeraCrypt
`close`	Dismount a vault	APFS, VeraCrypt
`status`	Show vault state (default)	All
`generate-keyfile`	Generate a cryptographically random keyfile	VeraCrypt only
`archive`	Archive files into the vault with integrity verification	All
`rehydrate`	Restore files from the vault	All
`list`	List files currently stored in the vault	All

Arguments

Argument	Description
`path`	Path to the vault (container file or directory)

Options

All backends:

Option	Description
`--backend BACKEND`	Encryption backend: `apfs`, `age`, or `veracrypt`. Default: `apfs` on macOS, `age` on Linux.
`--size SIZE`	Vault size, e.g. `100M`, `1G`. Required for APFS and VeraCrypt. Ignored by age.
`--db PATH`	Path to fialr SQLite database (for operation logging)
`--job UUID`	Job UUID for operation tracking

VeraCrypt only:

Option	Description
`--encryption ALG`	Encryption algorithm (default: `aes`)
`--hash ALG`	KDF hash algorithm (default: `sha-512`)
`--pim N`	Personal Iterations Multiplier (default: `0`)
`--filesystem FS`	Vault filesystem: `exfat`, `ext4`, or `apfs` (default: `exfat`)
`--keyfile PATH`	Path to keyfile for additional key material

Backends

APFS (macOS default)

Native encrypted sparse bundle via hdiutil. Zero install. Mountable volume with AES-256 encryption. iCloud-compatible.

age (Linux default)

Per-file encryption via the age CLI. No mount semantics — the vault is a directory of individually encrypted files. Files are decrypted on demand during archive and rehydrate operations. One-command install (brew install age or apt install age).

VeraCrypt

Cross-platform mountable encrypted volume. Supports configurable encryption algorithms, KDF hashes, PIM, keyfiles, and filesystem selection. A vault created on macOS can be opened on Linux if the filesystem is exfat. Requires manual download from veracrypt.fr.

Encryption options: aes, serpent, twofish, aes-twofish, aes-twofish-serpent, serpent-aes, serpent-twofish-aes, twofish-serpent.

KDF hash options: sha-512, sha-256, whirlpool, blake2s-256, streebog.

What it does

Create

Creates an encrypted vault at the specified path. Prompts for a password interactively — passwords are never accepted as CLI arguments.

Open / Close (APFS, VeraCrypt)

open mounts the vault to a temporary directory with 0700 permissions and returns the mount point path. close dismounts the vault and cleans up the mount point. These actions do not apply to age vaults (age directories are always accessible; individual files are decrypted during archive/rehydrate).

Status

Reports the vault backend, encryption settings, file count, and total size. For APFS and VeraCrypt, also reports whether the vault is currently mounted.

Keyfile generation (VeraCrypt only)

generate-keyfile creates a 64-byte cryptographically random file with 0600 permissions. Keyfiles can be combined with a password for two-factor vault access.

Rehydrate

rehydrate restores files from the vault to their original locations (or a specified destination with --dest). File integrity is verified via BLAKE3 hash. The vault entry is removed from the vault_entries table and a rehydrate operation is logged. Works with all three backends.

List

list shows all files currently archived in the vault, including their content hashes, original paths, and archive timestamps. Works with all three backends.

Security

Passwords are prompted interactively and passed to the vault backend via stdin pipe — never visible in process listings
Keyfiles are created with 0600 permissions (VeraCrypt only)
Mount points use 0700 permissions and are cleaned up on close (APFS, VeraCrypt)
Archive and rehydrate operations verify file integrity via BLAKE3 hash before and after
All vault containers use standard formats — no proprietary format

Output

APFS vault (macOS default):

vault create ~/secure-vault --backend apfs --size 1G

  VAULT     created
────────────────────────────────────────────────────────
      path  ~/secure-vault.sparsebundle
   backend  apfs
encryption  aes-256
      size  1G

VeraCrypt vault:

vault create ~/vault.hc --backend veracrypt --size 500M

  VAULT     created
────────────────────────────────────────────────────────
      path  ~/vault.hc
   backend  veracrypt
encryption  aes
      hash  sha-512
      size  500M

vault status ~/vault.hc

  VAULT     mounted
────────────────────────────────────────────────────────
      path  ~/vault.hc
     mount  /tmp/fialr-vault-a1b2c3
   backend  veracrypt
     files  14
      size  23.4 MB

Examples

Platform defaults

# macOS — APFS encrypted sparse bundle (default)
fialr vault create ~/secure-vault --size 1G

# Linux — age per-file encryption (default, no --size needed)
fialr vault create ~/secure-vault

Common operations (all backends)

# Archive a file into the vault
fialr vault archive ~/secure-vault ~/Documents/tax-return-2024.pdf

# Archive multiple files
fialr vault archive ~/secure-vault ~/Documents/passport-scan.pdf ~/Documents/ssn-card.pdf

# List vault contents
fialr vault list ~/secure-vault

# Rehydrate a file by content hash
fialr vault rehydrate ~/secure-vault --hash a1b2c3d4...

# Rehydrate to a specific destination
fialr vault rehydrate ~/secure-vault --hash a1b2c3d4... --dest ~/restored/

# Check vault status
fialr vault status ~/secure-vault

APFS / VeraCrypt (mountable vaults)

# Open (mount) a vault
fialr vault open ~/secure-vault

# Close (dismount) when done
fialr vault close ~/secure-vault

VeraCrypt-specific

# Create with Serpent encryption and a keyfile
fialr vault create ~/vault.hc --backend veracrypt --encryption serpent --keyfile ~/keys/vault.key --size 1G

# Open with keyfile
fialr vault open ~/vault.hc --keyfile ~/keys/vault.key

# Generate a keyfile
fialr vault generate-keyfile ~/keys/new.key