Stop scattering API keys across .env files and sticky notes. Keysmith is a self-hosted credential vault that encrypts everything with AES-256-GCM and keeps your secrets on your own server.
Every secret is encrypted at rest with military-grade encryption. Unique IVs per record. Your keys never exist in plaintext on disk.
Runs on your server, your network, your rules. No cloud dependencies, no third-party access, no subscription fees. Ever.
Drop your existing .env files into Keysmith and it parses, encrypts, and organises every key-value pair automatically.
Protect your vault with time-based one-time passwords. Works with Google Authenticator, Authy, or any TOTP app.
Expose secrets to AI coding agents via Model Context Protocol. Let your tools access keys without hardcoding them.
SQLite-backed, no external database needed. Runs in a single Docker container using minimal resources. Starts in seconds.
Clone the repo and run docker compose up. That's it. No databases to configure, no external services.
Drag in your .env files or create projects manually. Keysmith encrypts everything the moment it touches the vault.
Access secrets via the web UI, CLI, or MCP protocol. Export back to .env anytime. Your workflow doesn't change.
Keysmith is free, open source, and ready to deploy in under a minute.