Keyblind — Blind AI to Your Keys
Encrypted secrets vault with MCP for AI agents. Secrets resolved at runtime, never leaked to LLM conversations.
Why
Developers regularly leak API keys, passwords, and tokens to AI coding tools. 100,000+ LLM conversations with exposed secrets were found indexed by search engines in 2025.
AI agents read your .env files. They copy-paste secrets into conversations. They commit them accidentally. Keyblind stops this by keeping secrets encrypted at rest and resolving them at runtime — the plaintext value never touches the LLM transcript.
How It Works
┌──────────┐ ┌────────────────┐ ┌─────────────────┐
│ AI Agent │ ──→ │ Keyblind MCP │ ──→ │ Encrypted │
│ (Claude) │ │ Server │ │ SQLite Vault │
│ │ ←── │ (6 tools) │ ←── │ (AES-256-GCM) │
└──────────┘ └────────────────┘ └─────────────────┘
↑ │
│ secret value never appears │ secrets never
│ in conversation transcript │ stored in plaintext
Quick Start
# Install npm i -g keyblind # Initialize your vault keyblind init # Store secrets echo "sk-proj-abc123" | keyblind set OPENAI_API_KEY keyblind set DATABASE_URL - # prompts securely # Sandbox your .env (AI agents see fakes) keyblind sandbox # Resolve a secret keyblind get OPENAI_API_KEY # Run commands with secrets injected as env vars keyblind run -- npm start # List all secrets (names only) keyblind list
MCP Server
Keyblind is MCP-first — it works with every AI tool that speaks the Model Context Protocol:
Claude Code — add to .mcp.json:
{
"mcpServers": {
"keyblind": {
"command": "npx",
"args": ["keyblind", "start"]
}
}
}Cursor, Windsurf, Copilot, Cline, Zed — any MCP-compatible editor.
MCP Tools
| Tool | Description |
|---|---|
resolve_secret |
Resolve a secret at runtime (value hidden from transcript) |
store_secret |
Encrypt and store a secret |
list_secrets |
List secret names (values never revealed) |
sandbox_env |
Replace .env values with deterministic fakes |
unsandbox_env |
Restore real .env values from vault |
delete_secret |
Delete a secret |
Backends
Keyblind supports multiple secret backends:
keyblind backends # List available backends keyblind backend 1password # Switch to 1Password keyblind backend bitwarden # Switch to Bitwarden
| Backend | Read | Write | Requires |
|---|---|---|---|
| local (default) | ✓ | ✓ | Nothing |
| 1password | ✓ | ✓ | op CLI |
| bitwarden | ✓ | — | bw CLI |
| env | ✓ | — | Nothing |
Keyblind vs Cloak
| Keyblind | Cloak | |
|---|---|---|
| Protocol | MCP (all editors) | VS Code extension only |
| Storage | AES-256-GCM SQLite | AES-256-GCM file |
| Backends | Local, 1Password, Bitwarden, Env | Local only |
| Sandbox | Deterministic HMAC fakes | AES-256-GCM encrypted |
| Touch ID | ✓ (macOS biometric gate) | ✓ |
| CI/CD | keyblind run for env injection |
— |
| Network | Zero (fully local) | Zero |
| License | MIT | Proprietary |
Security
- AES-256-GCM encryption with PBKDF2 key derivation (600K iterations)
- Machine-identity-bound key — encryption key XOR-wrapped with machine fingerprint
- Zero network, zero telemetry — no cloud, no accounts, no analytics
- Vault stored at
~/.keyblind/with0700permissions - Deterministic sandbox fakes using HMAC-SHA256 per project + key name
CLI Reference
keyblind init Initialize the encrypted vault
keyblind set <name> Store a secret (value from stdin)
keyblind set <name> - Store a secret (prompts securely)
keyblind get <name> Resolve and print a secret
keyblind list List all stored secrets
keyblind delete <name> Delete a secret
keyblind sandbox [.env] Replace .env with deterministic fakes
keyblind unsandbox [.env] Restore real .env values
keyblind run <command...> Run command with secrets as env vars
keyblind start Start MCP server (for AI agents)
keyblind backends List available backends
keyblind backend <name> Switch backend
Development
git clone https://github.com/aarifmms/keyblind.git cd keyblind npm install npm run build # Compile TypeScript npm test # Run tests npm run dev # Watch mode
License
MIT