Why I wrote EmberVault instead of using pass

2026-02-04 · Nadia Osei

The ecosystem for command-line secrets managers is not small. This is why I wrote EmberVault anyway, and what I chose not to copy from the alternatives.

Why not pass

pass is well-established and has a large ecosystem of extensions. I used it for two years. The reasons I stopped: the GnuPG dependency is heavy and occasionally brittle (I once spent half an afternoon debugging a gpg-agent socket issue on a new machine), and the passphrase prompt is blocking in a way that interferes with terminal workflows I'd built around clipboard managers.

Why not Bitwarden CLI

Bitwarden's CLI is excellent but requires an account and syncs to Bitwarden's servers. That's appropriate for most people, but I wanted something that stayed on my machines.

What I deliberately omitted

No browser integration. This adds substantial attack surface for something that's supposed to be a minimal secrets store. If you need browser integration, use a browser password manager.

No sync. Syncing encrypted secrets correctly is harder than it looks. EmberVault's git-friendly format means you can sync it yourself using any system you already trust.

No TOTP. OTP codes deserve a dedicated tool.
