Skip to content
Manolis Tzanidakis edited this page Mar 15, 2026 · 1 revision

Vault (Encrypted Secrets)

Praktor includes an encrypted vault for API keys, tokens, SSH keys, and service account files. Secrets are encrypted at rest with AES-256-GCM (Argon2id key derivation) and injected into containers at start time — never passed through the LLM.

CLI

praktor vault set github-token --value "ghp_xxx" --description "GitHub PAT"
praktor vault set ssh-key --file ~/.ssh/id_rsa --description "Deploy key"
praktor vault list
praktor vault get github-token
praktor vault assign github-token --agent coder
praktor vault global github-token --enable
praktor vault delete github-token

Secrets can also be managed from the Secrets page in Mission Control.

Usage in Agent Config

Reference secrets with secret:name syntax in env values or files:

agents:
  coder:
    env:
      GITHUB_TOKEN: "secret:github-token"        # Injected as env var
    files:
      - secret: gcp-service-account              # Injected as file
        target: /etc/gcp/sa.json
        mode: "0600"

Clone this wiki locally