Phantom Vault

Your AI uses your API keys. Make sure nobody else does.

A free, open-source credential vault built for developers who code with AI. Store keys once. Your AI agent uses them, but never sees them. Free forever. No tiers. No account. No telemetry.

Install (macOS & Linux)
curl -fsSL https://phantomvault.riscent.com/install | bash

Edit Like a Notepad

phantom edit opens your vault in $EDITOR as KEY=VALUE text. Save — encrypted. No add/remove ceremony for adding 10 secrets at once.

Spending Guardrails

Cap monthly USD spend per key per provider. Never wake up to an $82K bill from a leaked API key.

Hardware-Backed Encryption

AES-256-GCM + Argon2id. Master key in macOS Keychain (Touch ID when present). The vault on disk is opaque without you.

Claude Code + MCP Native

One command wires Phantom into Claude Code. Your AI agent gets tools — none return plaintext secrets. Auto-unlock at boot.

Canary Detection

Drop a honeypot fake credential in your code. If it's ever used, you get an instant alert. Catch the leak before it catches you.

Multi-Encoding Sanitization

Output scanned for secrets in 15+ encodings before returning to your AI. Base64, hex, URL-encoded — all caught.

Your AI Can See All Your API Keys

Without Phantom Vault
# Your .env file — visible to every AI agent
STRIPE_SECRET_KEY=sk_live_51abc...
DATABASE_URL=postgres://admin:p@ssw0rd@db.example.com...
CLERK_SECRET_KEY=sk_live_xyz789...
# Claude Code reads this. All of it. Every time.
With Phantom Vault
> vault_run STRIPE_SECRET_KEY -- stripe deploy
✓ Command analyzed: SAFE
✓ Secret injected into sandbox
✓ Output sanitized (0 leaks)
✓ Secret memory zeroed
# Claude never saw the key. It just used it.

Every AI coding assistant — Claude Code, Cursor, Aider, Windsurf — reads your .env files directly. Your API keys sit in conversation context, logs, memory. If the AI is compromised by prompt injection, or the conversation gets saved/synced/forked, your keys go with it.

This isn't theoretical. February 2026: a three-person startup in Mexico woke up to an $82,314 Gemini bill over 48 hours — a stolen key, no refund, near bankruptcy (The Register). April 2026: Lakera scanned 46,500 npm packages and found that 1 in 13 with Claude Code's "allow always" leaked live credentials (bdtechtalks). Phantom Vault eliminates this entire category of risk — locally, free, open-source, audit the crypto yourself.

5 Commands. 60 Seconds. Done.

1. curl -fsSL https://phantomvault.riscent.com/install | bash

Detects your OS + CPU. Downloads phantom and vault-mcp from GitHub Releases. SHA-256 verified. Drops into /usr/local/bin (sudo) or ~/.local/bin (no sudo).

2. phantom init

Sets a master password. Creates your encrypted vault. Local only.

3. phantom edit

Opens the vault in your $EDITOR as plain KEY=VALUE text. Save and quit — re-encrypted. Like a notepad, but the file on disk is always sealed.

4. phantom biometric enable

One-time setup. Master password lives in macOS Keychain (encrypted by your login). After this, every phantom command and the vault-mcp server auto-unlock — no prompts. Touch ID adds an extra layer when present.

5. phantom mcp install

Wires Phantom into Claude Code's MCP config. Restart Claude — your AI now sees secrets by reference name (openai-key), never by value.

Optional but recommended: phantom guardrail set OPENAI_KEY --cap 50 --provider openai — cap monthly spend per key. Never wake up to an $82,000 surprise bill from a leaked credential.

5 Layers Between Your Secrets and Everything Else

Layer 0

Hardware Root of Trust

Master key lives in Apple Secure Enclave or TPM 2.0. Physically cannot be extracted.

Layer 1

Dual-Layer Encryption

AES-256-GCM + XChaCha20-Poly1305. Unique nonce per secret. Memory locked and zeroed.

Layer 2

Process Sandbox

Commands run in network-restricted subprocesses. Only approved domains reachable.

Layer 3

Output Sanitization

15+ encoding variants scanned. Base64, hex, URL, HTML entities — all caught.

Layer 4

Audit & Detection

HMAC-chained logs. Canary honeypots. Trust-level tracking. Tamper-evident.
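
How an HMAC chain makes an audit log tamper-evident, as an added Python example (not Phantom Vault's code): each tag covers the previous tag, and the head tag is kept separately so that cutting entries off the end is detected too. The record layout, key handling and function names are assumptions; the events are constructed.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # assumed starting value for the chain

def _tag(key: bytes, prev: bytes, event: dict) -> bytes:
    # Each tag covers the previous tag, so entries cannot be edited,
    # reordered or cut out of the middle without breaking every later tag.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev + body, hashlib.sha256).digest()

def append(log: list, key: bytes, event: dict) -> str:
    """Append an event and return the new head tag (hex)."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    tag = _tag(key, prev, event).hex()
    log.append({"event": event, "tag": tag})
    return tag

def first_bad_entry(log: list, key: bytes, head: str = None) -> int:
    """Index of the first entry that fails verification, len(log) if the log
    does not end at the separately stored `head` tag, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        want = _tag(key, prev, entry["event"])
        if not hmac.compare_digest(want.hex(), entry["tag"]):
            return i
        prev = want
    if head is not None and prev.hex() != head:
        return len(log)  # chain is valid but stops early: tail was truncated
    return -1

def build_sample(key: bytes):
    """Constructed audit events for the demonstration."""
    log, head = [], None
    for ev in ({"tool": "vault_list"},
               {"tool": "vault_run", "secret": "STRIPE_SECRET_KEY"},
               {"tool": "vault_masked", "secret": "OPENAI_KEY"}):
        head = append(log, key, ev)
    return log, head
```

Without the stored head tag, a log with its last entries removed still verifies, which is why the head has to live somewhere the log writer cannot rewrite.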

We Found 14 Security Blind Spots in Existing Secret Managers

These are the gaps that humans consistently miss because they think about secrets the way humans use them — not the way machines exploit them.

1. Master Password Paradox
2. Exact-Match-Only Sanitization
3. No Memory Protection
4. Uncontrolled Subprocesses
5. No Canary Detection
6. Differential Oracle Attacks
7. No Ephemeral Secrets
8. No Process Lineage
9. Clipboard Exfiltration
10. Config File Attack Surface
11. No Timing Protection
12. No Dependency Graph
13. No Multi-Tenant Isolation
14. No Dead Man's Switch
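
Why exact-match-only sanitization (blind spot 2) misses encoded secrets, and what the multi-encoding scan of Layer 3 has to handle, as an added Python example that is not Phantom Vault's code: a secret inside a larger base64 blob looks different at each of three byte alignments, so the scanner matches alignment-independent fragments. The sample secret, the outputs and all function names are constructed for illustration.

```python
import base64
import html
import urllib.parse

SECRET = "sk_test_CONSTRUCTED_0123456789"  # constructed sample, not a real key

def b64_fragments(secret: bytes) -> set:
    """Base64 text that must appear when `secret` starts at byte offset
    0, 1 or 2 (mod 3) inside a larger base64-encoded blob."""
    frags = set()
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + secret).decode()
        start = (pad * 8 + 5) // 6          # first char built only from secret bits
        end = (pad + len(secret)) * 8 // 6  # stop before a char shared with later bytes
        frag = enc[start:end]
        frags.update({frag, frag.replace("+", "-").replace("/", "_")})  # URL-safe too
    return frags

def naive_scan(output: str, secret: str) -> bool:
    """Exact-match-only check: plaintext, or the secret base64-encoded by itself."""
    return secret in output or base64.b64encode(secret.encode()).decode() in output

def find_leaks(output: str, secret: str) -> list:
    """Names of the encodings in which `secret` shows up in `output`."""
    raw, hits = secret.encode(), []
    if secret in output:
        hits.append("plain")
    if raw.hex() in output.lower():
        hits.append("hex")
    if secret not in output and secret in urllib.parse.unquote(output):
        hits.append("url")
    if secret not in output and secret in html.unescape(output):
        hits.append("html")
    if any(f in output for f in b64_fragments(raw)):
        hits.append("base64")
    return hits

def sample_outputs(secret: str) -> dict:
    """Constructed command outputs, one per encoding."""
    raw = secret.encode()
    return {
        "hex": "dump: " + raw.hex().upper(),
        "url": "redirect?k=" + "".join(f"%{b:02x}" for b in raw),
        "html": "<p>" + "".join(f"&#{ord(c)};" for c in secret) + "</p>",
        "base64": base64.b64encode(b"X" + raw + b" trailing").decode(),
    }
```

Fragment matching assumes secrets long enough that a fragment is not a common string; very short secrets would produce false positives.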

What Your AI Agent Can Do (and What It Can't)

✓ 6 Tools Available

✓ vault_list — See names, never values
✓ vault_exists — Check if a secret exists
✓ vault_masked — See last 4 chars only: ••••rXYZ
✓ vault_run — Execute commands with secrets injected
✓ vault_health — Check expirations and rotation status
✓ vault_rotate — Request rotation (you approve via Touch ID)

✗ 4 Tools That Don't Exist

✗ vault_get — Cannot retrieve full values
✗ vault_export — Cannot bulk extract
✗ vault_dump — Cannot dump the vault
✗ vault_decrypt — Cannot decrypt anything

These tools aren't hidden or restricted — they don't exist in the binary. You cannot call what does not exist.

Built in the Open

Phantom Vault is open source under Apache 2.0. Security tools must be auditable. Every line of code is public. Every design decision is documented. We need security researchers, Rust developers, and anyone who cares about AI safety to review, challenge, and improve this.