TL;DR: Keyden is a CLI that replaces .env with an AES-256-GCM encrypted vault on your machine. One password, one vault file, no plaintext on disk, nothing for git or your coding agent to read by accident. Local dev only — production should use your platform's secrets manager.
npm install -g keyden
keyden init
keyden set GEMINI_API_KEY
keyden run npm start
Why I designed it
It hurts to see keys sitting in plaintext on my own machine, and the threat model has gotten worse, not better, in the last two years:
- Coding agents (Cursor, Claude Code, Copilot) read files into prompts, and .env gets pulled in.
- Public-GitHub scanner bots find sk-... keys within minutes of a push.
- CI runners still echo env blocks into build logs.
- Teammates still paste production keys into Slack at 2 a.m.
For purely local development I wanted something that:
- encrypts at rest with no extra service.
- uses one password I already know.
- requires no change to my application code (keyden run injects them as env vars).
- has zero crypto dependencies: Node built-ins only, nothing in the supply chain to attack.
How it works
- AES-256-GCM authenticated encryption. Any tampering with the vault file is caught at decrypt time instead of yielding garbage.
- scrypt KDF at N=2¹⁷, so each password guess costs roughly 500 ms.
- Atomic writes (write to a temp file, then rename) so a crashed write can't leave a half-written vault.
- chmod 600 on the vault file, validated by keyden doctor.
- Symlink-traversal checks on every write.
What Keyden parks. What it doesn't.
Be honest about the threat model or you mislead people. Keyden removes a specific class of risk — not all of them.
Parked
- Plaintext keys sitting on disk where any process can read them.
- Accidental git commits — there is no .env file in the project to commit.
- CI runners that echo the env block into a build log.
- Coding agents (Cursor, Claude Code, Copilot) pulling .env into prompts.
Still on you
- Malware running on your unlocked machine while the vault is open.
- A stolen laptop with the vault password remembered or cached.
- Phishing the vault password out of you.
- A supply-chain attack on the keyden npm package itself (which is why the crypto is Node built-ins only: smaller surface).
What it's not
Keyden runs on your laptop. It doesn't replace AWS Secrets Manager, GCP Secret Manager, or Vercel env vars in production. Use those for prod — Keyden is for the local-dev part where your keys are most exposed.
Try it
npm install -g keyden && keyden init
Site + docs: https://keyden-guide.space
Examples: https://github.com/divyabairavarasu/keyden-examples