Encrypted secrets vault for AI agents. Secrets are resolved at runtime, never leaked to LLM conversations.
Encrypt API keys, tokens, and passwords into a local AES-256-GCM vault.
echo "sk-abc123" | keyblind set OPENAI_API_KEY
One command to configure Claude Code, Cursor, Copilot, Windsurf, Cline, or Zed.
keyblind setup-mcp
Your AI agent resolves secrets when needed. The values never appear in chat.
keyblind sandbox && keyblind run -- npm start
Encrypted SQLite. Machine-identity-bound key. Zero network.
Local, 1Password, Bitwarden, env vars, AWS, GCP, Azure.
Deterministic HMAC-SHA256 fakes. Clean git diffs. Safe for AI review.
Built-in 2FA code generation. No phone needed. Zero deps.
AES-256-GCM encrypted URL fragments. Time-limited. View-limited.
Auto-release vault to contacts if you don't check in.
Git-safe shared vault. Passphrase-protected. PBKDF2 key derivation.
Team vault access via Google, Okta, or any OIDC provider.
Slack and Discord webhooks for secret expiry and vault events.
PH launch: use code PH2025 for 50% off
| Feature | Keyblind | Cloak |
|---|---|---|
| Protocol | MCP (every AI tool) | VS Code / Cursor only |
| Editors supported | 6 (Claude Code, Cursor, Copilot, Windsurf, Cline, Zed) | 2 (VS Code, Cursor) |
| Encryption | AES-256-GCM + machine-identity-bound key | AES-256-GCM |
| Backends | 7 (local, 1Password, Bitwarden, AWS, GCP, Azure, env) | 1 (local) |
| Sandbox | Deterministic HMAC-SHA256 fakes | Random placeholders |
| TOTP / 2FA built-in | Yes | No |
| Secret sharing | Encrypted URL fragments | No |
| Dead man's switch | Yes | No |
| Team vaults | Git-safe, passphrase-protected | No |
| Dashboard | Web dashboard (app.keyblind.dev) | No |
| Browser extension | Chrome (paste interception) | No |
| License | MIT (open source) | Proprietary |
| Pricing | Free tier + $79/yr Pro | $8/mo ($96/yr) |
Install, init, first secret, sandbox walkthrough.
All 40+ commands with examples and flags.
16 MCP tools with parameter schemas and usage patterns.
Per-editor config for Claude Code, Cursor, Copilot, and more.
Threat model, cryptographic architecture, attack surface analysis.
CI/CD, Docker, pre-commit, sharing, TOTP, multi-machine sync.
Common questions about setup, security, licensing, and teams.
"Finally: an MCP-native secrets manager that actually works across all my editors. The sandbox feature alone saved me from leaking keys to Claude Code twice."
Alex R., Senior Engineer
"We run Keyblind in CI to sandbox .env files before AI code review. Clean diffs, real secrets never exposed. It's part of our standard dev setup now."
Jordan M., DevOps Lead
"Switched from hand-managing .env files to Keyblind. The dead man's switch gives me peace of mind for our team vault access."
Sam T., CTO at 12-person startup