Self-host Vault1984

One binary. No Docker. No Postgres. No Redis. Runs anywhere Go runs.

1

Download the binary

The install script detects your OS and architecture, downloads the latest release, and puts it in your PATH.

$ curl -fsSL vault1984.com/install.sh | sh

Or download a binary directly:

linux/amd64 darwin/arm64 darwin/amd64
2

Set your vault key

The vault key encrypts your L1 data at rest. Set it as an environment variable. If you lose this key, L1 data cannot be recovered.

# Generate a random key
$ export VAULT_KEY=$(openssl rand -hex 32)
# Save it somewhere safe (not in your vault...)
$ echo $VAULT_KEY >> ~/.vault1984-key
3

Run it

That's it. The vault server starts on port 1984. A SQLite database is created automatically.

$ vault1984
Vault1984 running on http://localhost:1984
Database: ~/.vault1984/vault.db
4

Configure MCP

Point your AI assistant at the vault. Works with Claude Code, Cursor, Codex, or any MCP-compatible client.

Claude Code (~/.claude/mcp.json)
{
  "mcpServers": {
    "vault1984": {
      "url": "http://localhost:1984/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_MCP_TOKEN"
      }
    }
  }
}
Cursor (.cursor/mcp.json)
{
  "mcpServers": {
    "vault1984": {
      "url": "http://localhost:1984/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_MCP_TOKEN"
      }
    }
  }
}

Generate an MCP token from the web UI at http://localhost:1984 after first run.

5

Import your passwords

Export from your current password manager, then import. The LLM classifier automatically suggests L1/L2 assignments for each field.

# Chrome CSV export
$ vault1984 import --format chrome passwords.csv
# Firefox CSV export
$ vault1984 import --format firefox logins.csv
# Bitwarden JSON export
$ vault1984 import --format bitwarden bitwarden-export.json
# Proton Pass JSON export
$ vault1984 import --format protonpass protonpass-export.json
# 1Password export
$ vault1984 import --format 1password 1password-export.json

Review the L1/L2 classification in the web UI before confirming. You can override any field's tier.

Running as a service (optional)

For always-on availability, run Vault1984 as a systemd service.

/etc/systemd/system/vault1984.service
[Unit]
Description=Vault1984
After=network.target

[Service]
Type=simple
User=vault1984
EnvironmentFile=/etc/vault1984/env
ExecStart=/usr/local/bin/vault1984
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
$ sudo systemctl enable --now vault1984

Exposing to the internet (optional)

Put Vault1984 behind a reverse proxy for TLS and remote access.

Caddyfile
vault.yourdomain.com {
    reverse_proxy localhost:1984
}

Caddy handles TLS automatically via Let's Encrypt. Nginx and Traefik work too.