cryptofort
Provides a secure credential vault with tools for searching, retrieving, listing, and adding credentials, using SQLite as the encrypted storage backend.
Provides a secure credential vault with tools for searching, retrieving, listing, and adding credentials, using Supabase as the encrypted storage backend.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@cryptofortfind the Stripe API key"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Why CryptoFort
Secrets sprawl across .env files, shell history, and plaintext columns — and agents have no safe, structured way to ask for them. CryptoFort seals every secret with authenticated encryption, keeps the key out of the database entirely, and hands agents a narrow MCP interface that returns metadata by default and plaintext only on an explicit get.
Related MCP server: API Locker
Install
npm install cryptofort
# plus the driver for your backend:
npm install @supabase/supabase-js # or: better-sqlite3 | postgresCryptoFort is also published to GitHub Packages as @bradley-t-t/cryptofort. Point the @bradley-t-t scope at the GitHub registry and authenticate with a token that has read:packages — GitHub Packages requires auth even for public packages:
@bradley-t-t:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}npm install @bradley-t-t/cryptofortLibrary usage
import { Vault, Crypto, SqliteAdapter } from 'cryptofort';
const adapter = new SqliteAdapter('vault.db');
await adapter.init();
const vault = new Vault({
adapter,
crypto: new Crypto({ key: process.env.CRYPTOFORT_MASTER_KEY! }),
});
await vault.put({
name: 'stripe-secret-key',
secret: 'sk_live_…',
provider: 'stripe',
tags: ['payments'],
});
await vault.search('stripe'); // metadata only — never the secret
await vault.get('stripe-secret-key'); // the decrypted secretGenerate a master key (base64, 32 bytes):
node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"…or from the library with import { generateKey } from 'cryptofort'.
MCP server
Point any MCP client at the cryptofort-mcp binary:
{
"mcpServers": {
"cryptofort": {
"command": "cryptofort-mcp",
"env": {
"CRYPTOFORT_ADAPTER": "supabase",
"SUPABASE_URL": "https://<ref>.supabase.co",
"SUPABASE_SERVICE_ROLE_KEY": "<service-role-key>",
"CRYPTOFORT_MASTER_KEY": "<base64-32-bytes>"
}
}
}
}The server is read-only by default. Add "args": ["--allow-write"] to expose credential_put.
Tools
Tool | Access | Description |
| read | Search by name, description, provider, or tag. Returns metadata only. |
| read | Decrypt and return a single secret by exact name. |
| read | List credential metadata in a namespace, optionally filtered by tag. |
| write | Create or update a credential. Requires |
Environment
Variable | Required | Purpose |
| always | Base64, 32-byte AES-256 key. Never written to the database. |
| — |
|
| — | Key identifier for rotation. Defaults to |
| Supabase | Connection for the Supabase adapter. |
| Postgres | Connection string for the Postgres adapter. |
| — | SQLite file path. Defaults to |
Backends
Backend | Driver | Best for |
Supabase |
| Hosted, shared across agents, service-role access. |
Postgres |
| Dropping the vault into existing Postgres infrastructure. |
SQLite |
| Local, single-process, zero-infrastructure use. |
How it works
Only the secret is ciphertext.
name,description,provider, andtagsstay plaintext, so search and listing work without ever decrypting.Each secret is sealed with AES-256-GCM — authenticated encryption, so any tampering is caught on read.
The master key never touches the database. It lives only in
CRYPTOFORT_MASTER_KEY; a stolen dump reveals nothing without it.The MCP server refuses writes unless started with
--allow-write, so an agent can look secrets up but cannot quietly rewrite the vault.
Schema
See sql/001_cryptofort_credentials.sql — one table, one ciphertext column, the rest plaintext metadata for search.
Development
npm run build # bundle with tsup
npm test # run the vitest suite
npm run typecheck # tsc --noEmitLicense
Released under the MIT License.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/bradley-t-t/cryptofort'
If you have feedback or need assistance with the MCP directory API, please join our Discord server