
Quickstart


Get from zero to zero-knowledge in under 5 minutes.


macOS (Homebrew):

```sh
brew install opaquevault-brew/tap/ov
```

Linux / manual install:

```sh
curl -fsSL https://get.opaquevault.com | sh
```

Verify:

```sh
ov --version
```

```sh
ov auth login
```

You’ll be prompted for your email and master password. OpaqueVault derives your Key Encryption Key (KEK) from the password using Argon2id — the KEK never leaves your machine.

On first login, a default app is created automatically. You can create your own app in the next step.


Secrets in OpaqueVault are organized by app — so DATABASE_URL for my-saas never collides with DATABASE_URL from another project.

```sh
ov app create my-saas
ov app use my-saas
```

ov app use sets my-saas as the default for all subsequent commands.


```sh
ov secret set DATABASE_URL
ov secret set STRIPE_SECRET_KEY
ov secret set OPENAI_API_KEY
```

OpaqueVault prompts for each value (input is hidden), encrypts it locally with a fresh DEK, and stores only the ciphertext on the server.

List what you’ve stored:

```sh
ov secret list
```

Output:

```text
App: my-saas
NAME               UPDATED
DATABASE_URL       2026-04-10T14:32:11Z
STRIPE_SECRET_KEY  2026-04-10T09:01:44Z
OPENAI_API_KEY     2026-04-08T17:23:05Z
```

Add OpaqueVault as an MCP server in your Claude Code config (~/.claude/claude_desktop_config.json):

```json
{
  "mcpServers": {
    "opaquevault": {
      "command": "ov",
      "args": ["mcp", "serve"]
    }
  }
}
```

Restart Claude Code. When ov mcp serve starts, it logs the active app to stderr so you can confirm it’s targeting the right context.


In Claude Code, you can now say:

“Run the database migrations using DATABASE_URL.”

Claude will call vault_run — the local bridge decrypts the secret, injects it as an env var into the subprocess, and returns only the exit code and output. The plaintext value never appears in Claude’s context window. Not once.


```text
Claude Code ──MCP/stdio──▶ ov mcp serve ──HTTPS+PQC──▶ api.opaquevault.com
(never sees                (decrypts                   (ciphertext only,
 plaintext)                 locally)                    no decrypt endpoint)
```

The interceptor in ov mcp serve is active by default. If a raw secret accidentally enters the MCP channel — a pasted API key, a token in a stack trace — it’s blocked before Claude sees it and logged to your audit trail.
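The following is an added Python example, not OpaqueVault's own code, that models the vault_run bridge and the interceptor described above: the secret is injected into the subprocess environment, and the returned output is scrubbed of any plaintext value before it could reach the MCP client. The RunResult type, the redaction marker and the sample DATABASE_URL value are constructed for illustration and are not part of the real product.

```python
import os
import subprocess
from dataclasses import dataclass, field

REDACTED = "[REDACTED:{name}]"  # marker format is an assumption, not OpaqueVault's

@dataclass
class RunResult:
    """What the bridge hands back: exit code, scrubbed output, audit events."""
    exit_code: int
    output: str
    blocked: list = field(default_factory=list)  # names of secrets caught in output

def redact(text: str, secrets: dict) -> tuple:
    """Replace every plaintext secret value found in `text`.

    Longest values first, so a secret that is a prefix of another one
    cannot leave a fragment behind. Returns (clean_text, names_caught).
    """
    caught = []
    for name, value in sorted(secrets.items(), key=lambda kv: -len(kv[1])):
        if value and value in text:
            text = text.replace(value, REDACTED.format(name=name))
            caught.append(name)
    return text, caught

def vault_run(cmd: list, secrets: dict) -> RunResult:
    """Run `cmd` with `secrets` injected as environment variables.

    Only the exit code and the scrubbed stdout+stderr come back, so the
    caller (the MCP client in the page's setup) never sees a plaintext value
    even when the command echoes it.
    """
    env = {**os.environ, **secrets}
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True)
    output, caught = redact(proc.stdout + proc.stderr, secrets)
    return RunResult(proc.returncode, output, caught)

def run_demo() -> RunResult:
    """Constructed sample: a hypothetical DATABASE_URL and a command that prints it."""
    demo = {"DATABASE_URL": "postgres://app:hunter2@db.internal/saas"}
    leaky = ["sh", "-c", "echo connecting to $DATABASE_URL"]
    return vault_run(leaky, demo)

if __name__ == "__main__":
    r = run_demo()
    print(r.exit_code, r.output.strip(), r.blocked)
```

The `blocked` list is what an audit trail would record: which secret names were caught on their way out, without ever logging the values themselves.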