Secure token storage system with AES-256-GCM encryption-at-rest for API keys, secrets, and credentials.
Token Vault provides military-grade encryption for your sensitive data with a simple, secure API. All secrets are encrypted with AES-256-GCM before storage, using Argon2id key derivation for password-based encryption.
# Cargo.toml
[dependencies]
token-vault = "0.1"use token_vault::TokenVault;
fn main() -> Result<(), Box<dyn std::error::Error>> {
// Create vault with password
let vault = TokenVault::new("my_vault.db", "my-secure-password")?;
// Store API tokens
vault.store("github_token", "ghp_1234567890abcdef", None)?;
// Retrieve securely
let token = vault.retrieve("github_token", None)?;
assert_eq!(token, Some("ghp_1234567890abcdef".to_string()));
Ok(())
}- ๐ Encryption-at-rest: AES-256-GCM encryption for all stored secrets
- ๐ Key derivation: Argon2id password-based key derivation (256 MB RAM, 3 iterations)
- ๐ฆ Session isolation: Multiple isolated sessions with separate token namespaces
- โฐ Token expiration: Automatic expiration and rotation support
- ๐ฅ Access control: Role-based access control (RBAC)
- ๐ Audit logging: Comprehensive audit trail for all operations
- ๐งน Memory security: Automatic zeroization of sensitive data with
zeroize - ๐ Thread-safe:
Arc<Mutex<T>>for concurrent access
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Token Vault โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ User Password โ
โ โ โ
โ โผ โ
โ Argon2id Key Derivation (t=3, m=256MiB, p=4) โ
โ โ โ
โ โผ โ
โ Master Key (256-bit) โ
โ โ โ
โ โโโโถ Encryption Key (AES-256-GCM) โ
โ โ โ โ
โ โ โผ โ
โ โ Encrypted Secrets (SQLite) โ
โ โ โ โ
โ โ โโโโถ Stored on Disk โ
โ โ โ
โ โโโโถ HMAC Key (authentication) โ
โ โ โ
โ โโโโถ Verify operations โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
let vault = TokenVault::new("path/to/vault.db", "master-password")?;vault.store("api_key", "sk_live_1234567890", None)?;
vault.store("db_password", "secret123", Some("production"))?;let value = vault.retrieve("api_key", None)?;vault.update("api_key", "new_secret_value", None)?;vault.delete("api_key", None)?;let tokens = vault.list_tokens(Some("production"))?;
for token in tokens {
println!("{}", token);
}// Use sessions to isolate different contexts
vault.store("api_key", "prod_key", Some("production"))?;
vault.store("api_key", "dev_key", Some("development"))?;
// Retrieve from specific session
let prod_key = vault.retrieve("api_key", Some("production"))?;
let dev_key = vault.retrieve("api_key", Some("development"))?;let entries = vault.audit_entries();
for entry in entries {
println!("{:?} {} - {:?}", entry.operation, entry.target, entry.result);
}Token Vault protects against:
- Compromised Database: AES-256-GCM encryption-at-rest
- Memory Dump Attacks: Zeroization with
zeroizecrate - Password Brute Force: Argon2id with high memory/time cost
- SQL Injection: Parameterized queries only
See threat_model for detailed analysis.
- Algorithm: Argon2id
- Time Cost: 3 iterations
- Memory Cost: 256 MiB (262,144 KiB)
- Parallelism: 4 lanes
- Output: 256-bit key
- Algorithm: AES-256-GCM
- Nonce: 96-bit (random per encryption)
- Authentication: GCM auth tag (128-bit)
// 1. Application Configuration
let config = AppConfig::new("config.db", "password")?;
let db_url = config.get_database_url()?;
// 2. API Key Storage
vault.store("stripe_secret", "sk_live_...", None)?;
vault.store("github_token", "ghp_...", None)?;
// 3. Database Credentials
vault.store("db_password", "secure_password", Some("production"))?;
// 4. Service Tokens
vault.store("jwt_secret", "jwt_signing_key", None)?;Token Vault includes three CLI tools:
token-vault-server
# Starts HTTP server on 0.0.0.0:8080
# TODO: Full implementation coming soontoken-vault-client get <token>
token-vault-client set <token> <value>
token-vault-client list
# TODO: Full implementation coming soontoken-vault-admin init <db-path>
token-vault-admin backup <db-path> <backup-file>
token-vault-admin restore <backup-file> <db-path>
# TODO: Full implementation coming soon# Run all tests
cargo test
# Run with output
cargo test -- --nocapture
# Run specific test
cargo test test_store_and_retrieveSee the examples/ directory for complete examples:
basic_vault.rs- Basic CRUD operationscustom_integration.rs- Application integrationserver_client.rs- Server/client usage (TODO)backup_restore.rs- Backup/restore (TODO)
Run examples:
cargo run --example basic_vault
cargo run --example custom_integrationcargo install token-vaultOr add to your Cargo.toml:
[dependencies]
token-vault = "0.1"- Store: O(1) - Single INSERT with indexed lookup
- Retrieve: O(1) - Single SELECT with index
- Encrypt: ~1ยตs per 1KB (AES-256-GCM hardware accelerated)
- Decrypt: ~1ยตs per 1KB (AES-256-GCM hardware accelerated)
// TODO: Add privox integration example
// Use privox to redact PII in audit logsLicensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Contributions are welcome! Please see CONTRIBUTING.md for details.
- Fork the repository
- Create your feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
- privox - Privacy redaction engine
- tripartite-rs - Multi-agent consensus
- knowledge-vault - Vector database
- GitHub Issues: https://github.com/SuperInstance/token-vault/issues
- Discussions: https://github.com/SuperInstance/token-vault/discussions
- SuperInstance - Multi-agent orchestration platform
Made with โค๏ธ by the SuperInstance team