User Manual

Secrets exist but are never observable.

1. Installation

Open Your Terminal

On Mac: Press Cmd + Space, type "Terminal", press Enter.
On Linux: Press Ctrl + Alt + T.

Install (One Command)

~ % curl -fsSL https://phantomvault.riscent.com/install | sh

  Detecting system...
  ✓ macOS 15.3 (Apple Silicon M4)

  Downloading phantom-vault v1.0.0...
  ✓ Downloaded (4.2 MB)

  Installing to /usr/local/bin/phantom...
  ✓ Installed

  🔐 Phantom Vault is ready.
  Run 'phantom init' to create your vault.

Verify It Worked

~ % phantom --version
phantom-vault 1.0.0

2. Your First 5 Minutes

Step 1: Create Your Vault

~ % phantom init

  🔐 Phantom Vault — Initialization

  Detecting hardware security...
  ✓ Apple Secure Enclave detected (M4)
  ✓ Touch ID available

  Creating vault at ~/.phantom/vault.db
  ✓ Vault created with hardware-backed encryption
  ✓ Master key stored in Secure Enclave

  Your vault is ready. No password exists anywhere.
  Unlock with Touch ID.

What just happened? Phantom created an encrypted database. On Apple Silicon, the encryption key lives inside the Secure Enclave chip, where it physically cannot be extracted.

Step 2: Add Your First Secret

~ % phantom add OPENAI_API_KEY
Enter value for OPENAI_API_KEY: ••••••••••••••••••••••••••••••••
✓ Added OPENAI_API_KEY

Step 3: Connect to Claude Code

~ % phantom mcp install

  Installing MCP server for Claude Code...
  ✓ Config written to ~/Library/Application Support/Claude/claude_desktop_config.json

  Done. Restart Claude Code, then ask:
  "What secrets do I have in my vault?"

3. Adding Secrets

Interactive (Secure — Value Hidden)

~ % phantom add STRIPE_SECRET_KEY
Enter value: ••••••••••••••••••••••••
✓ Added STRIPE_SECRET_KEY

From Environment

~ % export TEMP_KEY="sk_live_abc123"
~ % phantom add STRIPE_KEY --from-env TEMP_KEY
✓ Added STRIPE_KEY
~ % unset TEMP_KEY

With Expiration

~ % phantom add TEMP_TOKEN --expires 7d
Enter value: ••••••••••••
✓ Added TEMP_TOKEN (expires in 7 days)

4. Viewing Your Secrets

List All Secrets (Names Only)

~ % phantom list

  Namespace: default

  NAME                 CREATED      EXPIRES     ACCESS
  OPENAI_API_KEY       2 days ago   never       12 times
  STRIPE_SECRET_KEY    1 day ago    never       3 times
  DATABASE_URL         5 hours ago  never       8 times

Notice: Values are never shown. Even phantom list only shows names.

See Last 4 Characters (Verification)

~ % phantom show STRIPE_SECRET_KEY --masked
STRIPE_SECRET_KEY: ••••••••••••xyz9

5. Using with AI Agents

Connect to Claude Code

~ % phantom mcp install

After restarting Claude Code, your AI gets these tools:

Example: Ask Claude to Deploy

# You say:
"Deploy my app to Railway using my RAILWAY_TOKEN"

# Claude runs:
vault_run(keys: ["RAILWAY_TOKEN"], command: "railway up")

# Output is sanitized; if the token leaked, you'd see:
Deploying with token [REDACTED:RAILWAY_TOKEN]...

6. Running Commands

Inject Secrets as Environment Variables

~ % phantom run -s OPENAI_API_KEY -- python my_script.py
✓ Running with 1 secret injected
(your script runs with OPENAI_API_KEY in its environment)

Multiple Secrets

~ % phantom run -s DATABASE_URL -s REDIS_URL -- node server.js

Security: The secrets only exist in that subprocess. When it exits, they're gone. Output is scanned for leaked secrets and redacted automatically.
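
How the injection and redaction described above can work, as an added example that is not Phantom Vault's own code: the secret is set only in the child's environment, and captured output is scanned for its plain, base64 and hex forms before display. The token value, the child script and the choice of encodings are constructed assumptions; the `[REDACTED:NAME]` marker follows the manual's sample output.

```python
import base64
import os
import subprocess
import sys

def redaction_table(secrets: dict) -> list:
    """Pair each secret's plain, base64 and hex form with its [REDACTED:NAME] marker."""
    table = []
    for name, value in secrets.items():
        if not value:
            continue  # an empty needle would match between every character
        raw = value.encode()
        forms = {value, base64.b64encode(raw).decode(), raw.hex()}
        table += [(form, f"[REDACTED:{name}]") for form in forms]
    # Longest needle first, so a secret containing another is replaced whole.
    return sorted(table, key=lambda pair: len(pair[0]), reverse=True)

def redact(text: str, secrets: dict) -> str:
    for needle, marker in redaction_table(secrets):
        text = text.replace(needle, marker)
    return text

def run_with_secrets(argv: list, secrets: dict) -> tuple:
    """Run argv with the secrets set only in the child's environment."""
    env = {**os.environ, **secrets}  # os.environ itself is not modified
    proc = subprocess.run(argv, env=env, capture_output=True, text=True)
    return proc.returncode, redact(proc.stdout, secrets), redact(proc.stderr, secrets)

# Constructed child process: prints the token plainly, base64-encoded, reversed.
CHILD = (
    "import base64, os\n"
    "t = os.environ['RAILWAY_TOKEN']\n"
    "print('Deploying with token ' + t + '...')\n"
    "print('b64:', base64.b64encode(t.encode()).decode())\n"
    "print('rev:', t[::-1])\n"
)

def demo() -> tuple:
    secrets = {"RAILWAY_TOKEN": "constructed-token-0123456789"}  # not a real token
    return run_with_secrets([sys.executable, "-c", CHILD], secrets)

if __name__ == "__main__":
    code, out, err = demo()
    print(out, end="")
```

The reversed copy on the last output line passes through unredacted: matching known encodings catches accidental leaks, not a process that transforms the value before printing it.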


7. Namespaces

Keep work and personal secrets separate:

~ % phantom namespace create work
~ % phantom namespace use work
~ % phantom add COMPANY_API_KEY

~ % phantom namespace use default  # switch back

8. Health & Rotation

Check Vault Health

~ % phantom health

  Vault Status: Healthy

  Secrets: 5 total
  Expiring soon: 1
    - TEMP_TOKEN (expires in 2 days)

  Last audit entry: 3 minutes ago
  Canary status: OK

Rotate a Secret

~ % phantom rotate STRIPE_SECRET_KEY
Enter new value: ••••••••••••••••••••••••
✓ Rotated STRIPE_SECRET_KEY (v1 → v2)
✓ Old value securely erased

9. Audit Log

~ % phantom audit --last 10

  TIME                  EVENT           SECRET              TOOL
  2026-02-27 14:23:01   accessed        OPENAI_API_KEY      vault_run
  2026-02-27 14:20:15   accessed        DATABASE_URL        vault_run
  2026-02-27 13:05:44   added           STRIPE_SECRET_KEY   cli
  2026-02-27 12:00:00   vault_opened    -                   cli

Every access is logged with HMAC chaining, so tampering is detectable.
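
One way an HMAC-chained log makes edits detectable, as an added example rather than Phantom Vault's actual log format: each record's tag covers the previous tag, so changing or deleting a record breaks verification from that point on. The JSON encoding, the all-zero starting value, the demo key and the separately stored head tag are assumptions; the rows are constructed from the sample output above.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = b"\x00" * 32  # assumed chain start; not taken from Phantom Vault

def entry_tag(key: bytes, prev_tag: bytes, entry: dict) -> bytes:
    """HMAC-SHA256 over the previous tag plus a canonical encoding of the entry."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()

def append(log: list, key: bytes, entry: dict) -> None:
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    log.append({"entry": entry, "tag": entry_tag(key, prev, entry).hex()})

def verify(log: list, key: bytes, expected_head: Optional[str] = None) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(log):
        want = entry_tag(key, prev, rec["entry"])
        if not hmac.compare_digest(want.hex(), rec["tag"]):
            return i
        prev = want
    # Dropping records from the end leaves a shorter chain that still verifies,
    # so the newest tag has to be compared with a copy kept outside the log.
    if expected_head is not None and prev.hex() != expected_head:
        return len(log)
    return -1

def sample_log(key: bytes) -> list:
    """Constructed entries shaped like the `phantom audit` rows above."""
    rows = [
        ("2026-02-27 12:00:00", "vault_opened", "-", "cli"),
        ("2026-02-27 13:05:44", "added", "STRIPE_SECRET_KEY", "cli"),
        ("2026-02-27 14:20:15", "accessed", "DATABASE_URL", "vault_run"),
        ("2026-02-27 14:23:01", "accessed", "OPENAI_API_KEY", "vault_run"),
    ]
    log: list = []
    for time, event, secret, tool in rows:
        append(log, key, {"time": time, "event": event, "secret": secret, "tool": tool})
    return log

if __name__ == "__main__":
    key = b"constructed-demo-key"
    log = sample_log(key)
    head = log[-1]["tag"]
    print("intact:", verify(log, key, head))
    log[2]["entry"]["secret"] = "REDIS_URL"   # edit a record in place
    print("first bad record:", verify(log, key, head))
```

Detection depends on the HMAC key being out of reach of whoever can write the log file; anyone holding both can recompute every tag.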


10. Canary Secrets

Honeypot secrets that alert you if something tries to use them:

~ % phantom canary create BACKUP_AWS_KEY --pattern aws-access-key
✓ Created canary BACKUP_AWS_KEY
  Looks like: AKIA••••••••••••XXXX
  ⚠ Alert will trigger if this is ever accessed

11. Cheat Sheet

# Setup
phantom init                    # Create vault
phantom mcp install             # Connect to Claude

# Secrets
phantom add SECRET_NAME         # Add secret (interactive)
phantom list                    # List all secrets
phantom show NAME --masked      # Show last 4 chars
phantom remove NAME             # Delete secret
phantom rotate NAME             # Rotate secret

# Running commands
phantom run -s KEY -- cmd       # Inject secret into command

# Namespaces
phantom namespace list          # List namespaces
phantom namespace use NAME      # Switch namespace

# Maintenance
phantom health                  # Check vault health
phantom audit                   # View audit log