Layer 11
Secrets Vault
Encrypted credential storage with AES-256-GCM encryption. Never paste API keys in chat again.
Why Use the Vault?
Stop pasting keys — Store once, retrieve anytime
AES-256-GCM — Military-grade encryption at rest
Key rotation — Update secrets without losing context
Masked retrieval — View last 4 chars without full exposure
Storing Secrets
Natural Language
"Store my OpenAI API key: sk-abc123..."
✓ Stored as 'openai' (api_key)
MCP Tool
ekkOS_StoreSecret({
service: "openai",
value: "sk-abc123...",
type: "api_key",
description: "Production key"
})Secret Types
api_keyAPI keys (OpenAI, Anthropic, Stripe, etc.)passwordPasswords for servicestokenOAuth/bearer tokenscredentialGeneric credentials (username + password)otherAny other sensitive dataRetrieving Secrets
Full Value
ekkOS_GetSecret({ service: "openai" })
// → "sk-abc123xyz789..."Masked (Safer)
ekkOS_GetSecret({ service: "openai", masked: true })
// → "sk-****...789"Vault Tools
| Tool | Description |
|---|---|
ekkOS_StoreSecret | Encrypt and store a secret |
ekkOS_GetSecret | Retrieve and decrypt a secret |
ekkOS_ListSecrets | List stored secrets (metadata only, no values) |
ekkOS_DeleteSecret | Permanently delete a secret |
ekkOS_RotateSecret | Update a secret with a new value |
Security Model
AES-256-GCM encryption — Industry standard authenticated encryption
Row-level security — Only you can access your secrets
Never logged — Secret values are never included in logs or analytics
Optional expiration — Set expiresInDays for temporary tokens
Best Practices
Use descriptive service names
openai-production not key1
Set expiration for temp tokens
Use expiresInDays: 30 for short-lived credentials
Rotate secrets regularly
Use ekkOS_RotateSecret to update without losing context
Prefer masked retrieval
Use masked: true unless you need the full value