Skills

secure-key-manager

Installation
SKILL.md

Secure Key Manager

AES-256-GCM encrypted key storage for AI agents.

When to Use

Use this skill when:

  • Storing API keys or secrets that should not be in plaintext
  • Migrating from hardcoded keys in TOOLS.md to encrypted storage
  • Implementing output sanitization to prevent accidental key leakage
  • Rotating compromised keys in a secure vault

Do NOT use this skill if:

  • You are deploying general security controls → use security-hardening
  • You need to audit existing skills → use skill-security-audit
  • Keys need to be shared across many team members (use enterprise vaults)

Typical triggers:

  • 「加密存储API Key」「密钥管理」「安全存储密码」
  • "encrypt my API keys", "secure vault", "key manager"
  • "API密钥加密", "secret storage", "key rotation"

Workflow

Step 1: Initialize Vault

cd skills/secure-key-manager
python3 key_manager.py init
# Enter a strong password when prompted

Step 2: Store Keys

python3 key_manager.py set \
  -p "your-password" \
  -n "brave-search-api-key" \
  -v "BSAxxxxx..." \
  -d "Brave Search API Key"

Step 3: Retrieve Keys (Runtime)

from key_manager import SecureKeyManager

manager = SecureKeyManager()
manager.unlock("your-password")
api_key = manager.get_key("brave-search-api-key")
# Use api_key for API call, then clear from memory

Step 4: Enable Output Sanitization

from key_manager import sanitize_output
safe_output = sanitize_output(raw_output)  # Auto-redacts patterns

Step 5: List & Rotate

python3 key_manager.py list -p "your-password"
# To rotate: delete old key, set new key with same name

Guardrails

Anti-patterns

  • NEVER store the vault password in code or environment variables on shared systems
  • NEVER commit .secrets.enc or .salt files to public repositories
  • NEVER disable output sanitization in production

Security Layers

  • File permissions: 0600 (owner read/write only)
  • Encryption: AES-256-GCM with authenticated encryption
  • Key derivation: PBKDF2HMAC with 480,000 iterations + random salt
  • Runtime behavior: decrypt on-demand, no persistent cleartext in memory

Incident Response

If leakage suspected:

  1. Immediately revoke exposed keys at the provider
  2. Rotate keys in the vault: set new value for same key name
  3. Review audit logs for unauthorized access patterns

Related Skills

  • security-hardening — Deploy comprehensive security controls including input filtering
  • skill-security-audit — Audit skills to detect hardcoded keys before migration
  • security-drill — Validate that key leakage scenarios are handled correctly

About UniqueClub

This skill is part of the UniqueClub security toolkit. 🌐 https://uniqueclub.ai | 📂 https://github.com/wulaosiji/skills

Related skills

More from wulaosiji/skills

Installs
4
Repository
wulaosiji/skills
GitHub Stars
25
First Seen
Mar 8, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykFail