Vault

Encrypted API key management with AES-256-GCM and 1Password integration.

Brainstorm includes a built-in encrypted vault for storing API keys and secrets. Keys are encrypted at rest using AES-256-GCM with Argon2id key derivation, and the vault integrates with 1Password for teams that use it.

How It Works

The vault stores encrypted credentials locally at ~/.brainstorm/vault.enc. A master password protects the vault; Argon2id, a memory-hard key derivation function, turns that password into the encryption key and makes brute-force guessing of the password impractical.

The key resolver chain checks sources in order:

1. Local vault -- encrypted store on disk

2. 1Password -- via the op CLI and Dev Keys vault

3. Environment variables -- fallback for CI/CD environments

Getting Started

Initialize the vault with a master password:

```bash
storm vault init
```

Add your first API key:

```bash
storm vault add anthropic
# Prompts for the API key value securely
```

Commands

vault init

Create a new vault with a master password. The password is never stored -- it derives the encryption key via Argon2id.

```bash
storm vault init
```

vault add

Add or update a secret in the vault.

```bash
storm vault add openai
storm vault add google --value "AIza..."   # provide inline (less secure)
```

vault list

Show all stored keys (names only, never values).

```bash
storm vault list
```

vault get

Retrieve a decrypted key value. Requires the vault to be unlocked.

```bash
storm vault get anthropic
```

vault remove

Delete a key from the vault.

```bash
storm vault remove old-provider
```

vault rotate

Generate a new encryption key and re-encrypt all secrets. Use this periodically or if you suspect the master password was compromised.

```bash
storm vault rotate
```

vault lock

Lock the vault, clearing the decrypted keys from memory.

```bash
storm vault lock
```

vault status

Show vault health: locked/unlocked state, number of stored keys, encryption algorithm, and 1Password bridge status.

```bash
storm vault status
```

1Password Integration

If you use 1Password with the op CLI, Brainstorm can read API keys directly from your Dev Keys vault without duplicating them locally.

Configure the bridge in your global config:

```toml
[vault.onepassword]
enabled = true
vault = "Dev Keys"
```

Item names in 1Password are mapped to provider names automatically. For example, an item named "Anthropic API Key" maps to the anthropic provider. Custom mappings are defined in packages/vault/src/backends/op-cli.ts.

The 1Password bridge requires `OP_SERVICE_ACCOUNT_TOKEN` to be set in your environment for non-interactive use (CI/CD, background tasks).
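The resolver chain from "How It Works" (vault, then 1Password, then environment variables) and the item-name mapping described above, written out as an added example. This is not Brainstorm's resolver or its `op-cli.ts` backend: the mapping rule (strip a trailing "API Key"/"Key"/"Token", lowercase, hyphenate), the `PROVIDER_API_KEY` environment convention, and the in-memory stand-in for what the `op` CLI would return are all assumptions made for this example. The one behaviour taken from the page is that the 1Password source is unusable in a non-interactive run unless `OP_SERVICE_ACCOUNT_TOKEN` is present.

```typescript
// Added example, not the project's own code. Models the vault -> 1Password -> env
// lookup order; names, conventions and sample data below are assumed/constructed.
export interface KeySource {
  name: string;
  lookup(provider: string): string | undefined;
}

export interface Resolved {
  value: string;
  source: string;
}

// Assumed mapping rule: drop a trailing "API Key" / "Key" / "Token", lowercase,
// and join the remaining words with hyphens. "Anthropic API Key" -> "anthropic".
export function opItemToProvider(itemName: string): string {
  return itemName
    .replace(/\s*(api\s+)?(key|token)\s*$/i, "")
    .trim()
    .toLowerCase()
    .replace(/\s+/g, "-");
}

// Source 1: the local vault. It only answers while unlocked (null = locked).
export function vaultSource(unlocked: Record<string, string> | null): KeySource {
  return { name: "vault", lookup: (p) => (unlocked ? unlocked[p] : undefined) };
}

// Source 2: the 1Password bridge. `items` is constructed data standing in for the
// item list `op` would return from the configured vault; no CLI is invoked.
// Non-interactive runs are skipped unless OP_SERVICE_ACCOUNT_TOKEN is set.
export function onePasswordSource(
  config: { enabled: boolean; vault: string },
  items: Record<string, string>,
  env: Record<string, string | undefined>,
  interactive: boolean,
): KeySource {
  const usable = config.enabled && (interactive || Boolean(env.OP_SERVICE_ACCOUNT_TOKEN));
  const byProvider = new Map<string, string>();
  for (const [itemName, value] of Object.entries(items)) {
    byProvider.set(opItemToProvider(itemName), value);
  }
  return {
    name: `1password:${config.vault}`,
    lookup: (p) => (usable ? byProvider.get(p) : undefined),
  };
}

// Source 3: environment variables, e.g. ANTHROPIC_API_KEY (assumed naming convention).
export function envSource(env: Record<string, string | undefined>): KeySource {
  return {
    name: "env",
    lookup: (p) => {
      const v = env[`${p.toUpperCase().replace(/-/g, "_")}_API_KEY`];
      return v && v.length > 0 ? v : undefined;
    },
  };
}

// Walk the chain in order; the first source that answers wins. The result carries
// the source name so a status command can report provenance without printing the value.
export function resolveKey(provider: string, chain: KeySource[]): Resolved | undefined {
  for (const source of chain) {
    const value = source.lookup(provider);
    if (value !== undefined) return { value, source: source.name };
  }
  return undefined;
}
```

Returning the source name alongside the value is the useful part for operations: a `vault status`-style report can say "anthropic: vault, openai: 1password:Dev Keys, google: env" and make an unexpected fallback to a plaintext environment variable visible.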

Security Details

  • Encryption: AES-256-GCM (authenticated encryption)
  • Key derivation: Argon2id with 64MB memory cost, 3 iterations
  • Storage: Single encrypted file, no plaintext on disk
  • Memory: Keys are cleared from memory on vault lock
  • No cloud sync: The vault is local-only by design
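An added example of the on-disk design these bullets describe: one authenticated blob holding every secret, a key derived from the master password with a per-file salt, and a rotate operation that re-derives the key and re-encrypts. This is not Brainstorm's vault code. Node's built-in `crypto` module has no Argon2id, so scrypt (also memory-hard, parameterised here for a 64 MiB cost) stands in for the KDF; the file layout, the header string and the parameter values are assumptions made for this example.

```typescript
// Added example, not the project's own code. Single-file encrypted store in the
// spirit of ~/.brainstorm/vault.enc. Layout (assumed): MAGIC | salt | nonce | tag | ciphertext.
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";

const MAGIC = Buffer.from("BSVAULT1"); // assumed header; bound to the ciphertext as AAD
const SALT_LEN = 16;
const NONCE_LEN = 12;                  // 96-bit GCM nonce
const TAG_LEN = 16;                    // 128-bit GCM authentication tag
const KEY_LEN = 32;                    // AES-256

export type Secrets = Record<string, string>;

// scrypt stands in for Argon2id. Its memory cost is 128 * N * r bytes, so
// N = 2^16, r = 8 gives 64 MiB, matching the 64 MB budget listed on the page.
function deriveKey(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, KEY_LEN, { N: 1 << 16, r: 8, p: 1, maxmem: 128 * 1024 * 1024 });
}

// Encrypt the whole secret map into one blob. Salt and nonce are fresh on every write.
export function sealVault(password: string, secrets: Secrets): Buffer {
  const salt = randomBytes(SALT_LEN);
  const nonce = randomBytes(NONCE_LEN);
  const key = deriveKey(password, salt);
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(MAGIC);
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(secrets), "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  key.fill(0); // drop the derived key as soon as it is no longer needed
  return Buffer.concat([MAGIC, salt, nonce, tag, ciphertext]);
}

// Decrypt and authenticate. A wrong password and a modified file fail the same
// way, because both make the GCM tag check fail; nothing is parsed before that.
export function openVault(password: string, blob: Buffer): Secrets {
  const headerLen = MAGIC.length + SALT_LEN + NONCE_LEN + TAG_LEN;
  if (blob.length < headerLen || !blob.subarray(0, MAGIC.length).equals(MAGIC)) {
    throw new Error("not a vault file");
  }
  let off = MAGIC.length;
  const salt = blob.subarray(off, off + SALT_LEN);
  off += SALT_LEN;
  const nonce = blob.subarray(off, off + NONCE_LEN);
  off += NONCE_LEN;
  const tag = blob.subarray(off, off + TAG_LEN);
  off += TAG_LEN;
  const ciphertext = blob.subarray(off);

  const key = deriveKey(password, salt);
  const decipher = createDecipheriv("aes-256-gcm", key, nonce);
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(tag);
  let plain: Buffer;
  try {
    plain = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
  } catch {
    throw new Error("vault authentication failed: wrong password or tampered file");
  } finally {
    key.fill(0);
  }
  return JSON.parse(plain.toString("utf8")) as Secrets;
}

// `vault list` semantics: names only, never values.
export function listKeys(password: string, blob: Buffer): string[] {
  return Object.keys(openVault(password, blob)).sort();
}

// `vault rotate` semantics: a fresh salt (hence a fresh derived key) and nonce,
// optionally under a new master password.
export function rotateVault(oldPassword: string, blob: Buffer, newPassword: string = oldPassword): Buffer {
  return sealVault(newPassword, openVault(oldPassword, blob));
}
```

Two properties worth checking in any implementation of this design: a single flipped byte anywhere in the file must be rejected before any plaintext is returned (that is what the AEAD tag buys over plain AES-CBC), and rotating must change the salt so the old derived key is useless against the new file even when the master password is unchanged.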