ClawHub

Vault

MCP Tools

Secure local password storage tool with AES-256-GCM encryption. Store, retrieve, and manage passwords with CLI commands.

Install

openclaw skills install vault

vault

Use when you need secure local storage for passwords, API keys, or credentials.

🔒 AES-256-GCM encryption - This plugin stores passwords encrypted using industry-standard AES-256-GCM encryption with a master key.

Features

  • 🔒 AES-256-GCM encryption for all stored passwords
  • 📝 Simple command-line interface
  • 🗂️ Key management and listing
  • 💾 JSON-based local storage (encrypted)
  • 🕐 Automatic timestamp tracking
  • 🔑 Master key protection

Installation

clawhub install vault

Usage

Set a password

vault gemini sk-abc123xyz

Show a password

vault gemini show

Remove a password

vault gemini remove

List all keys

vault list

Configuration

Master Key (Required)

Set your master encryption key via environment variable:

export VAULT_MASTER_KEY="your-secure-master-key-here"

Or in your OpenClaw config:

{
  "plugins": {
    "vault": {
      "masterKey": "your-secure-master-key-here",
      "storageFile": ".vault/passwords.json"
    }
  }
}

Options:

  • masterKey - Master encryption key (can also use VAULT_MASTER_KEY env var)
  • storageFile (default: .vault/passwords.json) - Storage file path relative to home directory

⚠️ Important: Keep your master key secure! Without it, you cannot decrypt stored passwords.

Security

🔒 Encryption Details:

  • Algorithm: AES-256-GCM (Galois/Counter Mode)
  • Key Derivation: scrypt with random salt per password
  • IV: Random 12-byte initialization vector per password (GCM recommended size)
  • Salt: Random 32-byte salt per password, stored with encrypted data
  • Authentication: GCM authentication tag for integrity verification

Security Best Practices:

  • Use a strong, unique master key (minimum 32 characters recommended)
  • Store master key securely (environment variable or secure config)
  • Set strict file permissions: chmod 600 ~/.vault/passwords.json
  • Add .vault/ to your .gitignore
  • Never commit your master key to version control
  • Use system-level disk encryption for additional protection
  • Backup your master key securely - lost keys mean lost passwords

Suitable for:

  • Development/testing credentials
  • API keys and tokens
  • Personal passwords
  • Team shared credentials (with secure key distribution)

Examples

# Save API keys
vault openai sk-proj-abc123
vault anthropic sk-ant-xyz789

# View a key
vault openai show
# Output: Password for 'openai': sk-proj-abc123

# List all keys
vault list
# Output:
# Stored passwords:
# • openai (created: 2026-02-17T..., updated: 2026-02-17T...)
# • anthropic (created: 2026-02-17T..., updated: 2026-02-17T...)

# Remove a key
vault openai remove

Links

More in MCP Tools