P.S. Vault

Documentation

Everything you need to self-host P.S. Vault.

Quick start

Requirements

  • Docker and Docker Compose
  • An SMTP provider (Gmail, Mailgun, Resend, AWS SES, etc.)

1. Clone the repository

git clone https://github.com/anieto/ps-vault.git
cd ps-vault

2. Configure environment

cp .env.example .env

Edit .env — at minimum set:

| Variable | Description |
|---|---|
| PSVAULT_BASE_URL | URL where P.S. Vault will be accessed |
| PSVAULT_JWT_SECRET | Long random string (openssl rand -hex 32) |
| PSVAULT_ENCRYPTION_PEPPER | Long random string (openssl rand -hex 32) |
| PSVAULT_SMTP_HOST | SMTP server hostname |
| PSVAULT_SMTP_PORT | SMTP port (587 for STARTTLS, 465 for TLS) |
| PSVAULT_SMTP_USER | SMTP username |
| PSVAULT_SMTP_PASS | SMTP password |
| PSVAULT_SMTP_FROM | From address for outgoing emails |

3. Start

docker compose up -d

P.S. Vault will be available at http://localhost:3000. The first account you register becomes the admin.

Reverse proxy

P.S. Vault is designed to run behind a reverse proxy for HTTPS. Example configurations for Nginx Proxy Manager, Caddy, and Traefik are in the /docker directory.

Always run behind HTTPS — never expose P.S. Vault over plain HTTP.

Unraid

  • Set PUID and PGID to match your Unraid user (typically 99/100)
  • Mount /config to /mnt/user/appdata/psvault/config
  • Mount /data to /mnt/user/appdata/psvault/data
  • Community Applications template is included at /docker/unraid-template.xml

Storage backends

All storage backends store encrypted blobs only — file contents are encrypted client-side before upload.

| Backend | Variable |
|---|---|
| Local disk (default) | PSVAULT_STORAGE_BACKEND=local |
| S3-compatible (AWS S3, MinIO, Backblaze B2, Cloudflare R2) | PSVAULT_STORAGE_BACKEND=s3 + S3 vars |

Updating

docker compose pull
docker compose up -d

Database migrations run automatically on startup.

Backup & restore

# Backup (outputs a timestamped .tar.gz archive)
./docker/backup.sh [output_dir]

# Restore
./docker/restore.sh <backup_file.tar.gz>

The backup script captures the PostgreSQL database and file storage. Backups older than 30 days are pruned automatically.

Security recommendations

  • Always run behind HTTPS — never expose P.S. Vault over plain HTTP
  • Back up your database and PSVAULT_ENCRYPTION_PEPPER securely — losing the pepper makes recovery impossible
  • Set PSVAULT_REGISTRATION_MODE=invite or closed if this is a private instance
  • Enable TOTP MFA on your account
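
A pre-flight check that ties the quick-start variables to the recommendations above, as an added example that is not part of P.S. Vault: it reads a .env file and reports missing variables, short or reused secrets, a non-HTTPS base URL and a registration mode other than invite or closed. The 64-character floor, the plain KEY=value parsing and the function names get_var and check_env are assumptions of this example.

```bash
# Added example: pre-flight check for a P.S. Vault .env file (not project code).
# Prints one line per finding; check_env returns the number of FAIL findings.
get_var() {  # get_var FILE NAME: last NAME=value assignment, quotes stripped
  sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'\r"
}

check_env() {
  local file=$1 fails=0 name val mode
  [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }

  # Every variable the quick start lists must be present and non-empty.
  for name in PSVAULT_BASE_URL PSVAULT_JWT_SECRET PSVAULT_ENCRYPTION_PEPPER \
      PSVAULT_SMTP_HOST PSVAULT_SMTP_PORT PSVAULT_SMTP_USER \
      PSVAULT_SMTP_PASS PSVAULT_SMTP_FROM; do
    [ -n "$(get_var "$file" "$name")" ] ||
      { echo "FAIL: $name is unset or empty"; fails=$((fails + 1)); }
  done

  # Assumed floor: 64 characters, the output length of `openssl rand -hex 32`.
  for name in PSVAULT_JWT_SECRET PSVAULT_ENCRYPTION_PEPPER; do
    val=$(get_var "$file" "$name")
    if [ -n "$val" ] && [ "${#val}" -lt 64 ]; then
      echo "FAIL: $name is only ${#val} characters"; fails=$((fails + 1))
    fi
  done
  # val now holds the pepper; one value must not serve both purposes.
  if [ -n "$val" ] && [ "$val" = "$(get_var "$file" PSVAULT_JWT_SECRET)" ]; then
    echo "FAIL: JWT secret and encryption pepper are identical"; fails=$((fails + 1))
  fi
  case $(get_var "$file" PSVAULT_BASE_URL) in
    https://* | "") ;;  # an empty value was already reported above
    *) echo "FAIL: PSVAULT_BASE_URL is not an https:// URL"; fails=$((fails + 1)) ;;
  esac
  mode=$(get_var "$file" PSVAULT_REGISTRATION_MODE)
  case $mode in
    invite | closed) ;;
    *) echo "WARN: PSVAULT_REGISTRATION_MODE='$mode' (invite or closed for private use)" ;;
  esac
  return "$fails"
}

# Constructed sample, not a real deployment: weak reused secret, plain-HTTP URL.
demo=$(mktemp)
printf '%s\n' PSVAULT_BASE_URL=http://vault.example.com \
  PSVAULT_JWT_SECRET=changeme PSVAULT_ENCRYPTION_PEPPER=changeme \
  PSVAULT_SMTP_HOST=smtp.example.com PSVAULT_SMTP_PORT=587 \
  PSVAULT_SMTP_USER=vault PSVAULT_SMTP_PASS= PSVAULT_SMTP_FROM=vault@example.com > "$demo"
check_env "$demo" || echo "failures: $?"
rm -f "$demo"
```

Run it against the real file with check_env .env before docker compose up -d; a zero return means no FAIL findings.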

Emergency admin recovery

If you are locked out of the admin account:

docker exec psvault-api ./psvault reset-admin --email admin@example.com

This resets admin credentials without touching any vault data.

Browser support

P.S. Vault requires the WebCrypto API for client-side encryption.

  • Chrome 90+
  • Firefox 88+
  • Safari 14+
  • Edge 90+

Internet Explorer is not supported.