Encrypted secrets vault with MCP for AI agents. Secrets resolved at runtime, never leaked to LLM conversations.
Developers regularly leak API keys, passwords, and tokens to AI coding tools. 100,000+ LLM conversations with exposed secrets were found indexed by search engines in 2025.
AI agents read your .env files. They copy-paste secrets into conversations. They commit them accidentally. Keyblind stops this by keeping secrets encrypted at rest and resolving them at runtime — the plaintext value never touches the LLM transcript.
┌──────────┐ ┌────────────────┐ ┌─────────────────┐
│ AI Agent │ ──→ │ Keyblind MCP │ ──→ │ Encrypted │
│ (Claude) │ │ Server │ │ SQLite Vault │
│ │ ←── │ (6 tools) │ ←── │ (AES-256-GCM) │
└──────────┘ └────────────────┘ └─────────────────┘
↑ │
│ secret value never appears │ secrets never
│ in conversation transcript │ stored in plaintext
# Install
npm i -g keyblind
# Initialize your vault
keyblind init
# Store secrets
echo "sk-proj-abc123" | keyblind set OPENAI_API_KEY
keyblind set DATABASE_URL - # prompts securely
# Sandbox your .env (AI agents see fakes)
keyblind sandbox
# Resolve a secret
keyblind get OPENAI_API_KEY
# Run commands with secrets injected as env vars
keyblind run -- npm start
# List all secrets (names only)
keyblind listKeyblind is MCP-first — it works with every AI tool that speaks the Model Context Protocol:
Claude Code — add to .mcp.json:
{
"mcpServers": {
"keyblind": {
"command": "npx",
"args": ["keyblind", "start"]
}
}
}Cursor, Windsurf, Copilot, Cline, Zed — any MCP-compatible editor.
| Tool | Description |
|---|---|
resolve_secret |
Resolve a secret at runtime (value hidden from transcript) |
store_secret |
Encrypt and store a secret |
list_secrets |
List secret names (values never revealed) |
sandbox_env |
Replace .env values with deterministic fakes |
unsandbox_env |
Restore real .env values from vault |
delete_secret |
Delete a secret |
Keyblind supports multiple secret backends:
keyblind backends # List available backends
keyblind backend 1password # Switch to 1Password
keyblind backend bitwarden # Switch to Bitwarden| Backend | Read | Write | Requires |
|---|---|---|---|
| local (default) | ✓ | ✓ | Nothing |
| 1password | ✓ | ✓ | op CLI |
| bitwarden | ✓ | — | bw CLI |
| env | ✓ | — | Nothing |
| Keyblind | Cloak | |
|---|---|---|
| Protocol | MCP (all editors) | VS Code extension only |
| Storage | AES-256-GCM SQLite | AES-256-GCM file |
| Backends | Local, 1Password, Bitwarden, Env | Local only |
| Sandbox | Deterministic HMAC fakes | AES-256-GCM encrypted |
| Touch ID | ✓ (macOS biometric gate) | ✓ |
| CI/CD | keyblind run for env injection |
— |
| Network | Zero (fully local) | Zero |
| License | MIT | Proprietary |
- AES-256-GCM encryption with PBKDF2 key derivation (600K iterations)
- Machine-identity-bound key — encryption key XOR-wrapped with machine fingerprint
- Zero network, zero telemetry — no cloud, no accounts, no analytics
- Vault stored at
~/.keyblind/with0700permissions - Deterministic sandbox fakes using HMAC-SHA256 per project + key name
keyblind init Initialize the encrypted vault
keyblind set <name> Store a secret (value from stdin)
keyblind set <name> - Store a secret (prompts securely)
keyblind get <name> Resolve and print a secret
keyblind list List all stored secrets
keyblind delete <name> Delete a secret
keyblind sandbox [.env] Replace .env with deterministic fakes
keyblind unsandbox [.env] Restore real .env values
keyblind run <command...> Run command with secrets as env vars
keyblind start Start MCP server (for AI agents)
keyblind backends List available backends
keyblind backend <name> Switch backend
git clone https://github.com/aarifmms/keyblind.git
cd keyblind
npm install
npm run build # Compile TypeScript
npm test # Run tests
npm run dev # Watch modeMIT