Docs / Core Concepts / Vault

Vault

Encrypted local storage for agent secrets.

What it is

The vault is a local encrypted key-value store. Secrets deposited through the deposit box end up here. You can also write to it directly.

CLI

# Store a secret
atomic vault set stripe-key sk_live_abc123

# Read it back
atomic vault get stripe-key

# List all labels
atomic vault list

# Delete
atomic vault delete stripe-key

Encryption

  • AES-256-GCM with a random nonce per write
  • Vault key derived from the agent’s private key via HKDF
  • Stored in ~/.atomic/ with 0600 file permissions
  • Atomic file writes (write temp, rename) to prevent corruption

The vault key never exists outside of the agent process. If you lose the private key, you lose the vault.

Platform mode

In hosted mode, the vault lives in Cloudflare KV, encrypted at rest with the same AES-256-GCM scheme. The agent accesses it through the SDK or deposit webhooks.

Previous Deposit Box Next Request Signing