Encrypted secrets vault with MCP for AI agents. Secrets resolved at runtime, never leaked to LLM conversations.
Developers regularly leak API keys, passwords, and tokens to AI coding tools. 100,000+ LLM conversations with exposed secrets were found indexed by search engines in 2025.
AI agents read your .env
files. They copy-paste secrets into conversations. They commit them accidentally. Keyblind stops this by keeping secrets encrypted at rest and resolving them at runtime — the plaintext value never touches the LLM transcript.
┌──────────┐ ┌────────────────┐ ┌─────────────────┐
│ AI Agent │ ──→ │ Keyblind MCP │ ──→ │ Encrypted │
│ (Claude) │ │ Server │ │ SQLite Vault │
│ │ ←── │ (6 tools) │ ←── │ (AES-256-GCM) │
└──────────┘ └────────────────┘ └─────────────────┘
↑ │
│ secret value never appears │ secrets never
│ in conversation transcript │ stored in plaintext
npm i -g keyblind
keyblind init
echo "sk-proj-abc123" | keyblind set OPENAI_API_KEY
keyblind set DATABASE_URL - # prompts securely
keyblind sandbox
keyblind get OPENAI_API_KEY
keyblind run -- npm start
keyblind list
Keyblind is MCP-first — it works with every AI tool that speaks the Model Context Protocol:
Claude Code — add to .mcp.json
:
{
"mcpServers": {
"keyblind": {
"command": "npx",
"args": ["keyblind", "start"]
}
}
}
Cursor, Windsurf, Copilot, Cline, Zed — any MCP-compatible editor.
| Tool | Description |
|---|---|
resolve_secret |
|
| Resolve a secret at runtime (value hidden from transcript) | |
store_secret |
|
| Encrypt and store a secret | |
list_secrets |
|
| List secret names (values never revealed) | |
sandbox_env |
|
Replace .env values with deterministic fakes |
|
unsandbox_env |
|
Restore real .env values from vault |
|
delete_secret |
|
| Delete a secret |
Keyblind supports multiple secret backends:
keyblind backends # List available backends
keyblind backend 1password # Switch to 1Password
keyblind backend bitwarden # Switch to Bitwarden
| Backend | Read | Write | Requires |
|---|---|---|---|
| local (default) | |||
| ✓ | ✓ | Nothing | |
| 1password | |||
| ✓ | ✓ | op CLI |
|
| bitwarden | |||
| ✓ | — | bw CLI |
|
| env | |||
| ✓ | — | Nothing |
| Keyblind | Cloak | |
|---|---|---|
| Protocol | ||
| MCP (all editors) | VS Code extension only | |
| Storage | ||
| AES-256-GCM SQLite | AES-256-GCM file | |
| Backends | ||
| Local, 1Password, Bitwarden, Env | Local only | |
| Sandbox | ||
| Deterministic HMAC fakes | AES-256-GCM encrypted | |
| Touch ID | ||
| ✓ (macOS biometric gate) | ✓ | |
| CI/CD | ||
keyblind run for env injection |
||
| — | ||
| Network | ||
| Zero (fully local) | Zero | |
| License | ||
| MIT | Proprietary |
AES-256-GCM encryption with PBKDF2 key derivation (600K iterations)Machine-identity-bound key— encryption key XOR-wrapped with machine fingerprint** Zero network, zero telemetry**— no cloud, no accounts, no analytics** Vault stored at**with~/.keyblind/
0700
permissionsDeterministic sandbox fakes using HMAC-SHA256 per project + key name
keyblind init Initialize the encrypted vault
keyblind set <name> Store a secret (value from stdin)
keyblind set <name> - Store a secret (prompts securely)
keyblind get <name> Resolve and print a secret
keyblind list List all stored secrets
keyblind delete <name> Delete a secret
keyblind sandbox [.env] Replace .env with deterministic fakes
keyblind unsandbox [.env] Restore real .env values
keyblind run <command...> Run command with secrets as env vars
keyblind start Start MCP server (for AI agents)
keyblind backends List available backends
keyblind backend <name> Switch backend
git clone https://github.com/aarifmms/keyblind.git
cd keyblind
npm install
npm run build # Compile TypeScript
npm test # Run tests
npm run dev # Watch mode
MIT