KE Vault
Buy hard drives. Run the vault server from this computer. Encrypt on device — ciphertext on iron you own. Optional cloud. Built into KE Dev OS.
Coded by William Keenan · K&E Studios LLC
AES-256-GCM on device
Files and original filenames are encrypted before they touch disk or network. Nothing decrypts without your passphrase.
Your hard drives (default)
Buy disks. Mount them. Point KE Vault at the path. Ciphertext lives under vaults/…/blobs on iron you own — not a rental rack.
Server from this computer
grokcode vault serve --lan runs the storage server on your machine. Leave it up; agents and the app talk to your drive.
Optional cloud
Still want Supabase? --backend cloud or hybrid. Ciphertext only. Passphrase never leaves the device.
Two keys, clear jobs
Passphrase unlocks content. Vault key authorizes the server. Losing the passphrase loses the files forever — by design.
Photos & any file
Images, PDFs, zips, docs. Drop in the app, CLI put, or vault_* agent tools.
Own the iron. Encrypt the rest.
# Point at a hard drive (external SSD/HDD recommended) grokcode vault drive /Volumes/SafeBay/ke-vault # Local vault — no cloud required grokcode vault init --passphrase 'your-long-passphrase' grokcode vault unlock --passphrase '…' grokcode vault put ./photo.jpg grokcode vault list # Infra before Amazon drives arrive grokcode vault setup # staging + LaunchAgent :7441 grokcode vault infra # phase / mounts / next steps # When KE-VAULT volume is plugged in grokcode vault migrate # Optional cloud later grokcode vault init --backend cloud --passphrase '…'
Local health: grokcode vault health · cloud API: GET /api/v1/vault · docs: VAULT_INFRA.md