KeySentinel is a lightweight, secure token encryption library and CLI tool for managing sensitive credentials with strong Zero Trust principles.
Read the full article explaining the Two-Layer Security Architecture here
- Two-layer token encryption: local symmetric key + vault storage
- Developer-friendly CLI (keysentinel) with zero plaintext leakage
- Predefined profiles for common APIs (AWS, GitHub, OpenAI, GCP, etc.)
- Extensible custom profiles via JSON
- Zero Trust Local Environment Enforcement
- Secure clipboard copy with automatic timeout cleaning
- Export to plaintext files (.env, .json) intentionally blocked for safety
Most CLI tools expose credentials through .env files or unsecured memory spaces.
KeySentinel breaks this insecure paradigm:
- No unencrypted secrets on disk.
- No unguarded outputs without user consent.
- Ephemeral secrets that self-destroy after a timeout.
- Clear warnings to educate developers about security risks.
"If it's not encrypted, it's exposed. If it's on disk, it's compromised." - The Zen of Zero Trust
Store fields from Python:
```python
from keysentinel import upsert_encrypted_fields

upsert_encrypted_fields(
    fields={"github_token": "ghp_xxx123"},
    item_title="GitHub CLI Token",
)
```
Retrieve and decrypt them:
```python
from keysentinel import retrieve_and_decrypt_fields

fields = retrieve_and_decrypt_fields("GitHub CLI Token")
print(fields["github_token"])
```
From the CLI:
```bash
# Encrypt and store fields securely (values prompted securely)
keysentinel encrypt-token --title "AWS CLI Credentials" --fields aws_access_key_id --fields aws_secret_access_key

# Or use a predefined profile
keysentinel encrypt-token --title "GitHub Token" --profile github

# Retrieve and decrypt fields
keysentinel get-token --title "AWS CLI Credentials"
```
⚠️ Credentials will be cleared from your terminal and memory automatically after a short timeout.
| Aspect | Behavior |
|---|---|
| Local Encryption | AES256/Fernet with a user-local symmetric key |
| Vault Transport | Secrets stored inside 1Password CLI (op) |
| Decryption | Memory-only, no disk writes |
| Export | Blocked by default (no .env, no .json) |
| User Awareness | Visual warnings on decrypted output |
| Secret Lifecycle | Timeout auto-clears memory and screen |
KeySentinel supports predefined profiles to simplify common API credential handling:
| Profile | Fields |
|---|---|
| aws | aws_access_key_id, aws_secret_access_key |
| github | github_token |
| gcp | gcp_client_email, gcp_private_key, gcp_project_id |
| openai | openai_api_key |
| azure | azure_client_id, azure_client_secret, azure_tenant_id, azure_subscription_id |
| slack | slack_token |
and many others... (30+ profiles supported!)
You can list and use these profiles by passing --profile <profile_name>.
You can extend KeySentinel by creating a file at `~/.keysentinel_profiles.json`. Example content:
```json
{
  "huggingface": {
    "description": "Hugging Face API Token",
    "fields": ["hf_token"]
  },
  "figma": {
    "description": "Figma Personal Access Token",
    "fields": ["figma_token"]
  }
}
```
When running encrypt-token, your custom profiles will be automatically available!
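A loader for the custom profile file described above, added here as an example (not KeySentinel's own code): it merges the built-in profiles listed in this README with the contents of `~/.keysentinel_profiles.json`, validates each entry, and resolves a `--profile <name>` argument to the field names that will be prompted. The function names and the rule that a custom entry overrides a built-in of the same name are assumptions.

```python
import json

# Built-in profiles, limited to the ones listed in the README table.
BUILTIN_PROFILES = {
    "aws": ["aws_access_key_id", "aws_secret_access_key"],
    "github": ["github_token"],
    "gcp": ["gcp_client_email", "gcp_private_key", "gcp_project_id"],
    "openai": ["openai_api_key"],
    "azure": ["azure_client_id", "azure_client_secret", "azure_tenant_id", "azure_subscription_id"],
    "slack": ["slack_token"],
}

def validate_profile(name, entry):
    """Return the field names of one custom entry, rejecting malformed entries."""
    # A bad profile file must fail loudly rather than prompt for the wrong fields.
    if not isinstance(entry, dict):
        raise ValueError(f"profile {name!r}: entry must be a JSON object")
    fields = entry.get("fields")
    if not isinstance(fields, list) or not fields:
        raise ValueError(f"profile {name!r}: 'fields' must be a non-empty list")
    clean = []
    for field in fields:
        if not isinstance(field, str) or not field.isidentifier():
            raise ValueError(f"profile {name!r}: invalid field name {field!r}")
        if field in clean:
            raise ValueError(f"profile {name!r}: duplicate field {field!r}")
        clean.append(field)
    return clean

def load_profiles(custom_json):
    """Merge built-ins with the text of ~/.keysentinel_profiles.json (assumed override rule)."""
    merged = {name: list(fields) for name, fields in BUILTIN_PROFILES.items()}
    custom = json.loads(custom_json) if custom_json.strip() else {}
    if not isinstance(custom, dict):
        raise ValueError("profile file must contain a JSON object")
    for name, entry in custom.items():
        merged[name] = validate_profile(name, entry)
    return merged

def resolve_profile(profiles, name):
    """Map a --profile argument to the fields encrypt-token prompts for."""
    if name not in profiles:
        raise KeyError(f"unknown profile {name!r}; known: {', '.join(sorted(profiles))}")
    return profiles[name]

# Constructed sample matching the README's example file content.
SAMPLE_CUSTOM = json.dumps({
    "huggingface": {"description": "Hugging Face API Token", "fields": ["hf_token"]},
    "figma": {"description": "Figma Personal Access Token", "fields": ["figma_token"]},
})
```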
KeySentinel blocks plaintext exports (--export-env, --export-json) intentionally.
Attempting to use them shows this educational warning:
```text
⚠️ Do NOT store or copy them into plaintext files or version control.
"If it's not encrypted, it's exposed. If it's on disk, it's compromised."
from "The Zen of Zero Trust"
For more info:
- run: import zero_trust
- read: Zero Trust Local Environment Manifesto
```
You can load the philosophy inside Python:
```python
import zero_trust
```
Or read it online: Zero Trust Local Environment Manifesto
- Zero Trust Architecture (NIST)
- Zero Trust Local Environment Manifesto
- Two-Layer Security Architecture for Token Management
- Secure CLI operations
- Custom and extensible token profiles
- Memory-timeout auto-clear after exposure
- Multi-vault support (future)
- Bitwarden CLI integration (future)
MIT License
Built with ❤️ by Davi Luiz Guides