A zero-dependency, zero-cloud secret management engine built on first principles.
Crypt is a sovereign secret management engine. It stores enterprise secrets in a custom binary format that is indistinguishable from random noise without the master passphrase.
No SQLite. No JSON on disk. No readable headers. No cloud. No third-party services. One encrypted binary file. One passphrase. Everything else is noise.
| Tool | Problem |
|---|---|
| HashiCorp Vault | Cloud dependency. Infrastructure overhead. Token management complexity. |
| AWS Secrets Manager | Vendor lock-in. Network dependency. Per-secret pricing. |
| SOPS | Requires cloud KMS or GPG. Secrets stored in readable YAML/JSON structure. |
| dotenv files | Plaintext. Scattered. No access control. No audit trail. Accidentally committed to git every day. |
| SQLite + encryption | Recognizable 16-byte header. Schema visible in plaintext. WAL/journal files leak data. |
Crypt has none of these problems.
passphrase
│
▼
Scrypt(N=2²⁰, r=8, p=1, salt) ← Memory-hard. ~1s to derive. Brute-force infeasible.
│
▼
master_key (256-bit)
│
├── HKDF("encrypt") → data_key ← AES-256-GCM authenticated encryption
├── HKDF("mac") → mac_key ← HMAC-SHA256 per-entry + file integrity
└── HKDF("index") → idx_key ← Blind index for O(1) lookup
┌─────────────────────────────────────────┐
│ vault.enc (opaque binary) │
├─────────────────────────────────────────┤
│ salt 32 bytes Scrypt salt │
│ nonce 12 bytes AES-GCM nonce │
│ ciphertext variable encrypted data │
│ tag 16 bytes AES-GCM tag │
│ file_mac 32 bytes HMAC integrity │
└─────────────────────────────────────────┘
Without the passphrase, this file is random bytes. No magic numbers. No recognizable structure. No metadata.
When decrypted, the payload contains:
- Version header — format versioning for forward compatibility
- Entries — namespaced key-value pairs with timestamps and rotation versions
- Per-entry MACs — individual tamper detection on every secret
- Audit log — immutable record of every access (get, set, delete, export)
Every secret belongs to a namespace. Services get scoped access to only what they need.
singularity/DISCORD_TOKEN
cthulu/BINANCE_API_KEY
erp/DATABASE_URL
cloudflare/TUNNEL_SECRET
# Lifecycle
dead_drop init # Create new vault
dead_drop verify # Verify integrity
# Secrets
dead_drop set <namespace> <key> <value> # Store a secret
dead_drop set <ns> <key> --from-file k.pem # Store from file (PEM, cert, JSON)
dead_drop get <namespace> <key> # Retrieve a secret
dead_drop get <ns> <key> --to-file out.pem # Extract to file
dead_drop delete <namespace> <key> # Remove a secret
# Management
dead_drop list # List namespaces
dead_drop list <namespace> # List keys in namespace
dead_drop export <namespace> # Export as .env format
dead_drop import <namespace> <file> # Import from .env file
dead_drop migrate # Import all known .env files
dead_drop stats # Vault statistics
dead_drop audit # Access audit logdead_drop serve # Start on 127.0.0.1:8470GET /v1/secret/{namespace}/{key} # Retrieve secret
PUT /v1/secret/{namespace}/{key} # Store secret
GET /v1/secrets/{namespace} # List keys
GET /v1/namespaces # List namespaces
GET /v1/stats # Vault statistics
GET /v1/health # Health check
Localhost only. No network exposure. No authentication tokens to manage — if you can reach 127.0.0.1:8470, you're already on the machine.
from crypt import Crypt
vault = Crypt("/path/to/vault.enc")
vault.unlock("master-passphrase")
# Store
vault.set_str("myapp", "API_KEY", "sk-live-abc123")
vault.set("myapp", "TLS_CERT", open("cert.pem", "rb").read())
# Retrieve
key = vault.get_str("myapp", "API_KEY")
# Multi-line values (PEM keys, JSON, certs) — handled natively
vault.set_str("myapp", "PRIVATE_KEY", open("key.pem").read())
# Namespace management
vault.list_namespaces() # → ["myapp", "infra", ...]
vault.list_keys("myapp") # → ["API_KEY", "TLS_CERT", "PRIVATE_KEY"]
vault.export_env("myapp") # → "API_KEY=sk-live-abc123\n..."
# Audit
vault.audit_log(limit=20) # → [{timestamp, action, namespace, key, detail}, ...]
# Lock when done — wipes all key material from memory
vault.lock()| Threat | Mitigation |
|---|---|
| Disk theft | Vault file is noise without passphrase. No recognizable format. |
| Brute force | Scrypt N=2²⁰ — each guess costs ~1s and 1GB RAM. |
| Tampered vault | File-level HMAC + per-entry MACs. Any modification detected. |
| Wrong passphrase | HMAC verification fails before any decryption attempt. |
| Memory dump | Keys zeroed on lock. Values overwritten before deletion. |
| Git exposure | Vault is safe to commit (opaque). Master passphrase never committed. |
| Network sniff | Dead Drop API is localhost-only. Zero network surface. |
| Key reuse | HKDF separates master key into 3 independent subkeys. |
- Zero cloud dependencies — runs on bare metal, no internet required
- Zero third-party services — no HashiCorp, no AWS, no GCP
- Single file — one
vault.enc, one passphrase, complete portability - Atomic writes — write to tmp → fsync → rename. Vault never corrupts.
- Append-only audit — every access logged, encrypted inside the vault
- Multi-line native — PEM keys, JSON blobs, certificates handled without escaping
- Namespace isolation — services see only their scoped secrets
- Forward compatible — versioned binary format supports future upgrades
- Python 3.11+
cryptographylibrary (for AES-256-GCM, Scrypt, HKDF)- Nothing else.
┌──────────────────────────────────────────────────────────┐
│ CRYPT │
├──────────────┬──────────────┬────────────────────────────┤
│ Dead Drop │ Dead Drop │ Crypt Engine │
│ CLI │ API Server │ (encrypt/decrypt/store) │
│ │ :8470 local │ │
├──────────────┴──────────────┤ │
│ Crypt Python API │ │
├─────────────────────────────┤ │
│ AES-256-GCM │ Scrypt │ HKDF │ HMAC-SHA256 │
├─────────────────┴───────────┴────────┴───────────────────┤
│ vault.enc (binary) │
└──────────────────────────────────────────────────────────┘
Built by Artifact Virtual. First principles. No compromises.
If it computes, it will work.