| name | secret-vault |
| description | Encrypted credential store — AES-256-GCM secured tokens and secrets in one place. |
| category | security |
| maturity | stable |
| tags | ["aes-256-gcm","credential-store","encryption","cli","node"] |
secret-vault
Encrypted credential store — AES-256-GCM secured tokens and secrets in one place.
What it does
Keeps API tokens, passwords, and other sensitive values in an encrypted file at ~/.openclaw/vault.enc. Each secret has its own IV and auth tag so no two ciphertexts are alike, even for identical values.
The master key (~/.openclaw/vault.key) is 32 random bytes stored with chmod 600. Without it the vault is unreadable.
Trigger phrases
- "store the token in the vault"
- "get X from the vault"
- "what secrets are in the vault?"
- "add X to the vault"
- "vault set / vault get / vault list"
- "encrypt and store"
- "use getSecret to fetch"
- "vault check" / "verify the vault"
Primary file
${SECRET_VAULT_HOME:-$HOME/projects/secret-vault}/vault.cjs
Symlink (or same file) also lives at:
${CLAUDE_SKILLS_DIR:-$HOME/.claude-agent/.claude/skills}/secret-vault/scripts/vault.cjs
CLI quick reference
node vault.cjs set NAME "value"
node vault.cjs get NAME
node vault.cjs list
node vault.cjs delete NAME
node vault.cjs export
node vault.cjs check
Programmatic usage
const { getSecret } = require("${SECRET_VAULT_HOME:-$HOME/projects/secret-vault}/vault.cjs");
const token = getSecret("GITHUB_TOKEN");
Key locations
| File | Purpose | Permissions |
|---|
~/.openclaw/vault.key | 32-byte master key | 600 |
~/.openclaw/vault.enc | Encrypted secrets JSON | 600 |
Security model
- AES-256-GCM — authenticated encryption (detects tampering)
- Unique random IV per secret (16 bytes)
- Auth tag per secret (16 bytes)
- Values never logged or printed in
list
- Export blob is safe to back up; useless without the key
References
references/usage.md — full examplesreferences/security.md — threat model
