Get a secrets management server running on your machine in minutes. Docker required.
Docker & Docker Compose
Install from docker.com
Git
To clone the stack repository
git clone https://github.com/brainz-lab/stack.git
cd stack
cp .env.example .env
The defaults work for local development. No changes needed.
Run the setup script to generate all required keys:
./scripts/setup.sh
This starts Vault along with its dependencies (PostgreSQL, Redis):
docker-compose up -d vault timescaledb redis traefik
Tip:
To run the full stack (all services), use ./scripts/start.sh
For subdomain routing, add to /etc/hosts:
127.0.0.1 vault.localhost
Once Vault is running, store and retrieve secrets from your Rails app.
gem 'brainzlab'
# config/initializers/brainzlab.rb
BrainzLab.configure do |config|
  config.vault_url = "http://vault.localhost"
  # Placeholder: use the VAULT_API_KEY value from your .env file
  config.vault_api_key = "your_api_key_from_env"
end
# Store a secret
BrainzLab::Vault.set("stripe/api_key", "sk_live_xxx")
BrainzLab::Vault.set("aws/access_key", "AKIA...")
# Retrieve a secret
api_key = BrainzLab::Vault.get("stripe/api_key")
# Use in your app
Stripe.api_key = BrainzLab::Vault.get("stripe/api_key")
# Delete a secret
BrainzLab::Vault.delete("old/unused_key")
# Secrets are scoped by environment
BrainzLab::Vault.set("stripe/api_key", "sk_test_xxx", environment: "development")
BrainzLab::Vault.set("stripe/api_key", "sk_live_xxx", environment: "production")
# Automatically uses current Rails environment
api_key = BrainzLab::Vault.get("stripe/api_key")
Find your API key:
Check the VAULT_API_KEY in your .env file after running setup.
Let Claude access your secrets securely via MCP.
# Add to your Claude Desktop config
{
  "mcpServers": {
    "vault": {
      "command": "curl",
      "args": ["-N", "http://vault.localhost/mcp"]
    }
  }
}
Now Claude can securely retrieve secrets when you ask:
"Get the Stripe API key from Vault and use it to check our balance."
docker-compose logs -f vault
Stream Vault's application logs in real-time.
docker-compose down
Stop and remove all running containers.
docker-compose restart vault
Restart just the Vault service.
curl http://localhost:3006/up
Verify Vault is healthy and responding.
./scripts/reset.sh
Stop services, remove volumes, start fresh. Warning: deletes all secrets!
Something else is using the port. Find and stop it:
lsof -i :3006
kill -9 <PID>
Make sure TimescaleDB is healthy:
docker-compose ps timescaledb
docker-compose logs timescaledb
Check the API key was generated correctly:
grep VAULT_API_KEY .env
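The grep above prints the key itself to the terminal and scrollback. As an added example (not one of the stack repository's scripts), this shell function checks that the key was generated without echoing its value. The `VAULT_API_KEY=<value>` line format, the 16-character minimum and the placeholder patterns are assumptions.

```shell
# Added example: validate VAULT_API_KEY in an env file without printing it.
# Assumption: setup.sh writes a line of the form VAULT_API_KEY=<value>.
# Return codes: 0 ok, 2 file missing, 3 key not set, 4 empty/placeholder,
#               5 too short, 6 file accessible to other users.
check_vault_key() {
  env_file="${1:-.env}"
  min_len="${2:-16}"   # assumed minimum length; adjust to what setup.sh generates

  [ -f "$env_file" ] || { echo "missing: $env_file"; return 2; }

  # Use the last assignment, since a later line overrides an earlier one.
  line=$(grep -E '^[[:space:]]*(export[[:space:]]+)?VAULT_API_KEY=' "$env_file" | tail -n 1) || true
  [ -n "$line" ] || { echo "VAULT_API_KEY not set in $env_file"; return 3; }

  # Keep everything after the first '=' and strip optional surrounding quotes.
  value=${line#*=}
  value=${value%\"}; value=${value#\"}
  value=${value%\'}; value=${value#\'}

  case "$value" in
    ""|your_api_key*|changeme*)
      echo "VAULT_API_KEY is empty or still a placeholder"; return 4 ;;
  esac

  [ "${#value}" -ge "$min_len" ] || {
    echo "VAULT_API_KEY is shorter than $min_len characters"; return 5; }

  # Octal mode: GNU stat first, BSD/macOS stat as the fallback.
  mode=$(stat -c '%a' "$env_file" 2>/dev/null || stat -f '%Lp' "$env_file")
  case "$mode" in
    *[1-7])
      echo "$env_file is accessible to other users (mode $mode); run chmod 600"
      return 6 ;;
  esac

  # Report length and file mode only, never the secret.
  echo "VAULT_API_KEY present (${#value} chars), $env_file mode $mode"
}
```

Run it from the stack directory as `check_vault_key .env`.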
Now that Vault is running, explore more.
Questions? Issues? Let us know.