Key & Secrets Vault
Overview
The Key & Secrets Vault is a secure system for managing API keys and secrets while enabling natural language interactions with LLM systems. It implements a human-readable key mapping mechanism that lets an LLM refer to a key by name, while the actual secret value stays in the vault and is only substituted at execution time.
Core Concepts
Human-Readable Keys
The vault system introduces the concept of human-readable keys, which are intuitive identifiers that LLMs can understand and use in their operations. For example:
Human-readable key: GOOGLE_MAPS_KEY_FOR_GEOCODING
Actual API key: AIza... (actual API key stored securely)
Local-First Storage
The vault prioritizes security by storing secrets locally on the user's machine:
Keys are stored in an encrypted format
Storage location is user-specific and access-controlled
No cloud synchronization by default
Key Mapping System
The vault implements a bidirectional mapping system:
Translation from human-readable keys to actual API keys
Runtime replacement of keys in API calls
Secure key rotation support
Implementation
Storage Structure
The vault uses a hierarchical storage structure:
vault/
├── keys/
│   ├── encrypted_keys.db
│   └── key_metadata.json
├── mappings/
│   └── key_mappings.json
└── config/
    └── vault_config.json
Security Measures
Encryption at Rest
All keys are encrypted before storage
User-specific encryption key
Secure key derivation
Access Control
Permission-based access system
Application-level authentication
Audit logging
Key Rotation
Automated key rotation support
Version history maintenance
Graceful transition periods
Usage
Key Registration
Register new keys with human-readable identifiers:
await vault.register({
  readableKey: "MAPS_GEOCODING_KEY",
  actualKey: "actual-api-key-value",
  description: "Google Maps Geocoding API Key",
  expiresAt: "2024-12-31"
});
Key Retrieval
Retrieve keys using human-readable identifiers:
const apiKey = await vault.get("MAPS_GEOCODING_KEY");
LLM Integration
Example of LLM interaction using human-readable keys:
// LLM can generate code using human-readable keys
const geocodingCode = `
  const response = await fetch(url, {
    headers: {
      // MAPS_GEOCODING_KEY is a placeholder; the actual secret never appears in this string
      'Authorization': MAPS_GEOCODING_KEY
    }
  });
`;
// Vault system automatically replaces keys during execution
const executedCode = await vault.executeWithKeys(geocodingCode);
Configuration
Local Storage Setup
Configure the local storage location:
vault.configure({
  storageLocation: "~/.config/vault",
  encryptionMethod: "AES-256-GCM",
  backupEnabled: true
});
Key Management Rules
Define rules for key management:
vault.setKeyRules({
  rotationPeriod: "90days",
  minimumLength: 32,
  requiresBackup: true
});
Best Practices
Key Naming Conventions
Use descriptive, purpose-indicating names
Include service and functionality in the name
Use uppercase with underscores
Include version or environment if necessary
Security Guidelines
Regular key rotation
Secure backup management
Access logging and monitoring
Environment-specific keys
Local Development
Find a better, easier way to init the Vault set-up for LeviaProtocal.
Setting Up Local Vault
Initialize local vault:
vault init --local
Configure encryption:
vault configure encryption --method AES-256-GCM
Set up backup:
vault configure backup --location ./backup
Testing
Key registration testing
Key retrieval performance
Encryption/decryption validation
Access control verification
Error Handling
The vault implements comprehensive error handling:
Key not found scenarios
Encryption/decryption failures
Storage access issues
Permission-related errors
Limitations
Current limitations of the system:
Single-machine scope
No built-in synchronization
Limited to local filesystem
Requires secure environment
Future Enhancements
Planned improvements:
Distributed vault support
Cloud backup options
Team sharing capabilities
Advanced key rotation patterns
API Reference
Core Functions
vault.register(keyConfig)
vault.get(readableKey)
vault.update(readableKey, newConfig)
vault.delete(readableKey)
vault.rotate(readableKey)
vault.list()
vault.verify(readableKey)
Configuration Functions
vault.configure(config)
vault.setKeyRules(rules)
vault.getKeyMetadata(readableKey)
vault.updateKeyMetadata(readableKey, metadata)