Zero-knowledge secret provisioning for AI agents. HPKE end-to-end encryption. In-memory only. No plaintext ever touches the wire.
AI agents need credentials to do their jobs. But every current method leaks secrets.
AI agents ask for API keys in chat. Keys get logged, stored in conversation history, and leaked through prompt injection.
.env files and configs get committed to repos, shared in Slack, and copied across machines unencrypted.
Secrets are transmitted as plain text through middleware, proxies, and gateways that can read everything passing through.
Secrets persist forever in memory, logs, and databases with no automatic cleanup or time-based expiration.
A secure 5-step process for end-to-end encrypted secret delivery.
Agent generates an ephemeral HPKE keypair. Keys exist only in memory: never written to disk, never logged.
The SPS (secret provisioning service) creates a secret request with a 3-minute TTL, an HMAC-signed URL, and a human-readable confirmation code.
Gateway sends the secure URL to the human via Telegram or Slack. The LLM never sees the URL or the confirmation code.
Human opens the URL, verifies the confirmation code, and enters the secret. The browser encrypts it with HPKE.Seal, so no server ever sees plaintext.
Agent atomically retrieves the ciphertext (single-use), decrypts it in memory, then immediately destroys all keys.
Four components working together with cryptographic guarantees at every boundary.
Redis-backed secret provisioning with 3-min auto-expiry TTL, atomic single-use GETDEL retrieval via Lua scripts, and Ed25519 JWT authentication.
Self-contained encryption page. No external dependencies, no CDN. HPKE.Seal happens entirely in your browser with a vendored, audited library.
HPKE keypair generation, in-memory SecretStore with Buffer zeroing, custom toJSON() returning [REDACTED], and lazy re-request flow.
LLM-blind URL generation, egress URL filtering with homograph attack detection, Ed25519 identity signing, and anti-phishing controls.
Defense in depth, not security theater. Every layer neutralizes a specific threat.
Key compromise → no forward exposure
Secret never plaintext on wire
Service compromise → no secrets exposed
Replay attacks blocked
Phishing via prompt injection neutralized
Agent never sees URL or confirmation code
LLM-injected malicious URLs redacted
Agent impersonation prevented
Crash dumps and disk forensics defeated
Non-repudiation and rogue agent detection
Host OS compromise neutralized (optional)
State-of-the-art cryptography, designed specifically for LLMs and ephemeral interactions.
X25519 + HKDF-SHA256 + ChaCha20-Poly1305. Industry-standard hybrid encryption, not homebrew crypto.
The AI agent never sees the secret URL or confirmation code. Gateway controls the entire delivery flow.
Per-request keypairs. Generated, used once, destroyed. No key storage, no forward exposure.
Secrets live in zeroed Buffers. No disk, no logs, no serialization. Agent crash = clean slate.
Atomic GETDEL via Redis Lua script. First retrieval succeeds, all subsequent attempts get 410 Gone.
HMAC-signed URLs, human-readable confirmation codes, egress URL filtering. Social engineering blocked at every layer.
Integrate secure secret provisioning with just a few lines of code.
# Install agent-Kryptos
$ npm install agent-kryptos
# Start the secret provisioning service
$ npx agent-kryptos serve
SPS Server running on http://localhost:3100
Gateway identity loaded (Ed25519)
Ready to provision secrets
# In your agent code
const secret = await agent.requestSecret("Stripe API Key");
// → Human receives secure link via Telegram
// → Secret encrypted client-side with HPKE
// → Agent decrypts in-memory, keys destroyed