SSH Vault
БесплатноНе проверенEnables AI agents to securely access encrypted secrets (SSH keys, API tokens, passwords) with real-time user approval via Passkey, and supports SSH remote execu
Описание
Enables AI agents to securely access encrypted secrets (SSH keys, API tokens, passwords) with real-time user approval via Passkey, and supports SSH remote execution through the MCP protocol.
README
A secure secret vault with MCP (Model Context Protocol) interface. Store any secret as encrypted markdown — SSH credentials, API keys, certificates, notes. Human approves via Passkey, AI agent accesses secrets securely.
Why?
AI agents need access to secrets (SSH keys, API tokens, passwords) — but giving them raw credentials is dangerous. Secret Vault solves this:
- Agent requests secrets by name — never browses raw credential stores
- You approve every access — via Passkey on your phone, in real-time
- Flexible storage — any secret stored as markdown (SSH hosts, API keys, notes)
- SSH built-in — secrets tagged
sshcan be used directly for remote execution - Works with any MCP-compatible AI — Claude, GPT, or your own agent
Features
- 🔐 Passkey + Master Password — dual-factor vault access
- 🔒 End-to-end encryption — secrets never stored in plaintext (Argon2id + XSalsa20-Poly1305)
- 🤖 MCP compatible — works with Claude Desktop, Cursor, OpenClaw, and any MCP client
- 📝 Markdown secrets — store any secret as structured markdown
- ⚡ One-step approval — agent requests secret → you tap Passkey → secret delivered
- 🔑 Session reuse — after first approval, subsequent requests don't need re-approval
- ⏱️ Auto-lock — vault locks after inactivity, keys wiped from memory
- 🖥️ SSH execution — secrets with SSH info can be used to execute remote commands
Quick Start
1. Self-Hosted Docker
docker run -d -p 3001:3001 \
-v vault-data:/app/data \
-v vault-config:/app/config \
qsobad/ssh-vault-mcp:latest
- Config:
/app/config/config.yml— auto-created with localhost defaults if missing - Data:
/app/data/— encrypted vault storage (persist this!) - Custom domain: set
SSH_VAULT_ORIGINenv var (e.g.-e SSH_VAULT_ORIGIN=https://ssh.example.com)
Open http://localhost:3001 → set Master Password → register Passkey → done.
2. Local MCP (Claude Desktop / Cursor)
Add to your MCP client config:
{
"mcpServers": {
"ssh-vault": {
"command": "docker",
"args": [
"run", "-i", "--rm",
"-p", "3001:3001",
"-v", "ssh-vault-data:/app/data",
"-v", "ssh-vault-config:/app/config",
"-e", "SSH_VAULT_ORIGIN=http://localhost:3001",
"qsobad/ssh-vault-mcp:latest"
]
}
}
}
3. OpenClaw Skill
For OpenClaw agents — everything happens through chat. Agent self-registers, adds hosts, and runs commands via approval links.
How It Works
Execution Flow
- Agent calls
executewith host + command - If no session → vault returns approval URL
- User opens URL → sees host + command → authenticates with Master Password + Passkey
- Vault unlocks → creates session → executes command → returns result to agent via SSE
- Agent receives
sessionId— subsequent commands execute immediately without re-approval
Adding Hosts
- Agent requests to add a host (name, IP, username)
- User opens approval URL → enters SSH password or private key during approval
- Credentials are encrypted and stored in vault — agent never sees them
SSE Status Flow
pending → approved → executing → completed
Agent listens on SSE endpoint and receives:
{"status":"completed","stdout":"...","stderr":"...","exitCode":0,"sessionId":"..."}
Configuration
Config file at /app/config/config.yml. Auto-created with localhost defaults if missing.
vault:
path: /app/data/vault.enc
backup: true
webauthn:
rp_id: "your-domain.com"
rp_name: "SSH Vault"
origin: "https://your-domain.com"
web:
port: 3001
external_url: "https://your-domain.com"
session:
timeout_minutes: 15
Environment variable overrides: SSH_VAULT_ORIGIN, SSH_VAULT_PORT, SSH_VAULT_DATA_PATH
Technical Details
For API reference, security details, and development setup, see TECHNICAL.md.
License
MIT
Установка SSH Vault
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/qsobad/ssh-vault-mcpFAQ
SSH Vault MCP бесплатный?
Да, SSH Vault MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для SSH Vault?
Нет, SSH Vault работает без API-ключей и переменных окружения.
SSH Vault — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить SSH Vault в Claude Desktop, Claude Code или Cursor?
Открой SSH Vault на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
автор: modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
автор: xuzexin-hzCompare SSH Vault with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории ai
