YubiKey-encrypted credential manager. AES-256-GCM encryption derived from hardware challenge-response. No YubiKey, no decryption. Period.
Every secret passes through four cryptographic layers before it touches storage.
1. YubiKey slot 2 challenge-response. A random challenge is sent to the hardware token, and the 20-byte HMAC response it returns over USB is fed straight into key derivation; it is never used or stored as-is.
2. Memory-hard key derivation (19 MiB, 2 iterations) with a fixed domain-separation salt stretches the HMAC response into the AES key. The memory cost is what makes GPU and ASIC brute force expensive.
3. Each secret is encrypted individually with AES-256-GCM under a random 96-bit nonce. Authenticated encryption gives both confidentiality and integrity: a modified blob fails to decrypt.
4. The encrypted blob is stored via an HTTP API. The backend never sees plaintext. Works with Engram, SQLite, or any compatible endpoint.
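The four layers above, walked through end to end as an added Go illustration (not cred's own code). The hardware token is simulated by an HMAC-SHA1 struct, which is what `ykman otp chalresp 2` programs a slot to compute; the domain-separation salt is a constructed placeholder; and because Go's standard library has no memory-hard KDF, the derivation step is a plain SHA-256 stand-in and is explicitly not memory-hard. The AES-256-GCM layout (random 96-bit nonce prepended to ciphertext and tag) and the tamper check are real.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token stands in for a YubiKey whose slot 2 is programmed for HMAC-SHA1
// challenge-response. The secret never leaves the device; only
// HMAC-SHA1(secret, challenge) comes back over USB.
type Token struct{ secret []byte }

// ChallengeResponse returns the 20-byte HMAC-SHA1 response for a challenge.
func (t Token) ChallengeResponse(challenge []byte) []byte {
	mac := hmac.New(sha1.New, t.secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// NewChallenge produces the random per-machine challenge kept in the
// "challenge file". It is not secret, but it must stay constant so the same
// key is re-derived on every run.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// domainSalt is a constructed placeholder; the project's real fixed salt is
// not published on the page.
var domainSalt = []byte("example-cred-kdf-v1")

// DeriveKey stretches the 20-byte response into a 32-byte AES-256 key.
// Stand-in only: SHA-256 over salt||response is NOT memory-hard, unlike the
// 19 MiB / 2-iteration derivation the real tool uses.
func DeriveKey(response []byte) []byte {
	h := sha256.New()
	h.Write(domainSalt)
	h.Write(response)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one secret under a fresh random 96-bit nonce and returns
// nonce || ciphertext || tag, which is the blob the backend stores.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a blob produced by Seal; any tampering fails the GCM tag check.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// Zeroize overwrites key material once it is no longer needed, the manual
// counterpart of what the zeroize crate does on drop.
func Zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	tok := Token{secret: []byte("constructed-hmac-secret")}
	challenge, _ := NewChallenge()
	key := DeriveKey(tok.ChallengeResponse(challenge))
	blob, _ := Seal(key, []byte("sk-example"))
	pt, err := Open(key, blob)
	Zeroize(key)
	fmt.Printf("decrypted=%q err=%v\n", pt, err)
}
```

Two YubiKeys programmed with the same HMAC secret give identical responses to the same challenge, which is why sharing the secret across tokens plus a per-machine challenge file lets every machine re-derive the same key; a token with a different secret, or a blob with a single flipped byte, fails at Open.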
Hardware-backed encryption with a developer-friendly interface. CLI, TUI, GUI, and HTTP daemon.
The backend never sees unencrypted secrets. All encryption and decryption happens client-side, in memory, with key material scrubbed on drop.
The derived AES key exists only while cred is running. Remove the YubiKey and everything locks. No key file on disk, no password to steal.
The zeroize crate overwrites all key material when it goes out of scope. No residual secrets in process memory.
Owner keys have full CRUD access. Agent keys are read-only, scoped per agent, and independently revocable. Both use constant-time comparison.
Exponential backoff on failed authentication -- from 1 second up to 1 hour. Brute-force is not viable even against a running daemon.
Every agent access is logged to ~/.config/cred/audit.log with timestamps, agent IDs, and requested secrets.
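The daemon-side protections described above (constant-time key comparison, exponential backoff from 1 second to 1 hour, and audit records), as an added Go illustration that is not credd's implementation. The clock is injected so the backoff schedule can be exercised deterministically, and the audit-line layout is an assumption, since the page does not show the real file format.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"time"
)

// Guard holds the expected owner or agent key and the backoff state for it.
type Guard struct {
	key         []byte           // expected key; use fixed-length keys, since a length mismatch returns early
	failures    int              // consecutive failed attempts
	lockedUntil time.Time        // no attempt is evaluated before this instant
	now         func() time.Time // injectable clock for deterministic tests
}

func NewGuard(key []byte, now func() time.Time) *Guard {
	return &Guard{key: key, now: now}
}

// BackoffFor returns the delay after the n-th consecutive failure:
// 1s, 2s, 4s, ... doubling and capped at 1h.
func BackoffFor(failures int) time.Duration {
	d := time.Second
	for i := 1; i < failures && d < time.Hour; i++ {
		d *= 2
	}
	if d > time.Hour {
		d = time.Hour
	}
	return d
}

// Authenticate checks a presented key. It returns ok=true on success, or
// ok=false plus how long the caller must wait before the next attempt.
// While locked out the key is not compared at all, so a guess during the
// backoff window yields no information.
func (g *Guard) Authenticate(presented []byte) (ok bool, wait time.Duration) {
	now := g.now()
	if now.Before(g.lockedUntil) {
		return false, g.lockedUntil.Sub(now)
	}
	// ConstantTimeCompare runs in time independent of where the bytes differ.
	if subtle.ConstantTimeCompare(presented, g.key) == 1 {
		g.failures = 0
		return true, 0
	}
	g.failures++
	wait = BackoffFor(g.failures)
	g.lockedUntil = now.Add(wait)
	return false, wait
}

// AuditLine formats one record with timestamp, agent ID and requested secret.
// Assumed layout; the real audit.log format is not shown on the page.
func AuditLine(ts time.Time, agentID, service, kind string) string {
	return fmt.Sprintf("%s agent=%s secret=%s/%s",
		ts.UTC().Format(time.RFC3339), agentID, service, kind)
}

func main() {
	g := NewGuard([]byte("owner-key-constructed"), time.Now)
	ok, wait := g.Authenticate([]byte("wrong-key"))
	fmt.Printf("ok=%v wait=%v\n", ok, wait)
	fmt.Println(AuditLine(time.Now(), "agent-1", "myservice", "api-key"))
}
```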
Full command-line interface with Clap. Interactive TUI mode built with Ratatui and Crossterm for browsing and managing secrets visually.
egui/eframe desktop application that communicates with credd over HTTP. Cross-platform, no Electron, no browser required.
Axum-based REST API with full CRUD, agent key management, and health checks. Run on one server, access from everywhere.
Secret types: api-key, login, oauth-app, ssh-key, note, and environment. Each has typed fields -- no flat key-value dumps.
Default backend is Engram, but any HTTP API implementing store/list/delete works. SQLite backend for fully offline use.
Program multiple YubiKeys with the same HMAC secret. Each machine gets its own challenge file. Share the backend, access secrets from anywhere.
Store and retrieve secrets from the terminal, or run credd for multi-machine HTTP access.
A YubiKey, Rust, and a backend. That's all you need.
1. Program slot 2 for challenge-response: ykman otp chalresp 2
2. Initialise cred (this writes the machine's challenge file): cred init
3. Point it at the backend: set ENGRAM_URL and ENGRAM_API_KEY
4. Store a secret: cred store myservice api-key
5. Retrieve it: cred get myservice api-key --raw
No cloud. No trust required. Just a YubiKey and Rust.