AxKeyStore

What is AxKeyStore?

AxKeyStore is a secure open-source CLI that encrypts secrets client-side and stores only encrypted data in your private GitHub repository. Its core purpose is to let you use your own private GitHub repository as encrypted storage while treating GitHub as untrusted storage.

With AxKeyStore, encryption happens on the client side. Encrypted data is what gets stored in the remote GitHub repository, and secrets are not kept in plain text in the repository. The tool also avoids storing secrets, master keys, or passwords in unencrypted form on the local filesystem.

Key Features

  • GitHub private repository as encrypted backend: Stores secrets in a private repository you control, using encrypted binary blobs.
  • Client-side encryption for all secret handling: Secrets are encrypted on your machine before upload; no plain-text secrets are sent over the wire.
  • Zero Trust / multi-layer encryption model: Uses a Local Master Key (LMK) for encrypting local configuration (including your GitHub access token and repository name) and a Remote Master Key (RMK) for encrypting the actual stored secrets.
  • Modern authenticated encryption and key derivation: LMK encryption uses Argon2id and XChaCha20-Poly1305; the three-layer scheme is designed so that only encrypted artifacts reach GitHub.
  • Unified authentication via GitHub Apps and Device Flow: Authenticates securely using GitHub Apps together with the Device Flow.
  • CLI workflow for initialization and operations: Includes commands to log in, initialize a repository for storage, and manage secrets via a simple command set.
  • Hierarchical category organization: Organize secrets in categories such as api/production/internal.
  • Multi-profile support: Manage multiple vaults with different logins, master passwords, and GitHub repositories.

How to Use AxKeyStore

  1. Install the CLI: On macOS/Linux, run the provided shell install script. On Windows, run the provided PowerShell install script. The scripts download the binary, place it under $HOME/.axkeystore/bin, and configure your PATH.
  2. Log in with your GitHub account: Run axkeystore login. On first login, set a Master Password; this password is used to encrypt the sensitive local GitHub access token.
  3. Install the required GitHub App: During login, the CLI provides a link to install the GitHub App for your user or organization. You must install the app to grant repository access.
  4. Initialize a storage repository: Run axkeystore init --repo <repo-name> (or include an organization/owner like my-org/my-secret-store). If the repo was initialized earlier on another machine, AxKeyStore will prompt as part of initialization.

After initialization, you can use the CLI to store and retrieve credentials that live as encrypted blobs in your private GitHub repository.

Use Cases

  • Store credentials on GitHub without keeping them in plain text: Keep API keys, passwords, and other secrets in a private repository where only encrypted data is stored.
  • Separate secrets by environment or domain using categories: Organize secrets under hierarchical categories like api/production/internal to keep different environments easy to navigate.
  • Manage multiple vaults across different GitHub repos: Maintain separate profiles for different repositories and different master passwords, useful when working across multiple projects or organizations.
  • Lock down local credential storage: Ensure the GitHub access token and repository name (local credentials) are encrypted with the Local Master Key and protected by the user’s Master Password.
  • Cross-machine use with untrusted remote storage: Initialize the same encrypted repository on another machine (prompted during init) so the remote holds only encrypted blobs while each client handles encryption.

FAQ

  • Does AxKeyStore store secrets unencrypted in GitHub? No. Secrets are encrypted on the client side and only encrypted binary blobs are stored in the private GitHub repository.

  • Are encryption keys or master passwords sent over the network? The project states that no plain-text secrets, master keys, or passwords touch the network. Encryption happens purely on your machine.

  • What authentication does AxKeyStore use? It uses GitHub Apps and the Device Flow to authenticate.

  • How does AxKeyStore protect data locally? It uses a Local Master Key (LMK) that is encrypted with your Master Password using Argon2id and XChaCha20-Poly1305, and the LMK is used to encrypt local configuration such as the GitHub access token and repository name.

  • What operating systems are supported for installation? The repository provides installation scripts for macOS/Linux (via install.sh) and Windows (via install.ps1).

Alternatives

  • Other CLI-based secret managers with client-side encryption: Look for tools that encrypt secrets locally and then store only ciphertext in a remote backend (similar untrusted-storage model), typically using S3, Git, or other storage.
  • Dedicated password managers (vault-based apps): Use a local app or desktop/mobile vault that manages encryption and sync; workflow differs because the backend is managed by the password manager rather than a private GitHub repository you control.
  • Git-based secret storage with encryption tooling: Some approaches store encrypted files in Git and rely on your encryption tooling; compared to AxKeyStore, you’d manage the encryption workflow yourself rather than using the dedicated CLI and its key model.
  • Cloud secret managers with managed encryption: Services that store secrets in a managed system; in contrast to AxKeyStore’s described model, client-side encryption over untrusted storage may not be their primary design pattern.