Blindkey

The local-first credential vault your AI agents can use โ€” but never see.

No server. No account. One encrypted file. Your coding agents get a handle, a human approves at the terminal, and the secret is injected at the edge โ€” the agent process never receives the bytes.

CI License MSRV

Why it exists

Developers now work alongside AI agents that read their files, run their shells, and โ€” if a secret sits in a .env or an MCP config โ€” read their credentials too. In 2026 researchers found ~24,000 secrets exposed in public MCP configuration files on GitHub. The industry's own answer is converging on one principle: the agent should never hold or see the secret. Blindkey is that principle, built local-first.

What makes it different

Model-blind by design

The agent gets a scoped handle; a human approves; the secret is delivered to the destination, never to the requesting process.

No proxy, no account

Not a cloud platform or a MITM HTTPS proxy in your traffic. One encrypted file plus a local broker โ€” nothing to stand up, nothing to trust with your connection.

Zero-plaintext at rest

URLs, titles, timestamps โ€” all encrypted. Argon2id with an enforced floor; XChaCha20-Poly1305 STREAM; whole-file rollback detected.

Memory-hardened Rust

zeroize + mlock, panic = "abort", and no unsafe outside one designated FFI crate.

Every claim is testable

66 numbered security constraints, each with a test โ€” not a trust-us page. Read the whole design in an afternoon.

Fully offline

Zero network, zero telemetry. Sync the encrypted blob over any storage you don't trust; rollback is still detected.

60 seconds

$ blindkey init
  Created vault at ~/.blindkey/vault.vlt

$ blindkey import --format raw --yes keys.txt
  Imported 2 entries into ~/.blindkey/vault.vlt

$ blindkey get github            # copies to clipboard, model-blind by default
  โœ“ copied github password to clipboard (clears in 30s)
Status: functional; on-disk format v1 is stable. Not yet independently third-party audited โ€” keep your own backup of anything you store. See the security policy and threat model.