BlindKey: Blind Credential Injection for AI Agents

✍️ OpenClawRadar | 📅 Published: April 13, 2026

How BlindKey Works

BlindKey addresses the security risk of AI agents handling plaintext API credentials. Instead of giving agents direct access to secrets, it uses a system where agents reference encrypted vault tokens (e.g., bk://stripe). A local proxy intercepts these references and injects the actual credential at the moment the API request is made. The agent process never sees or stores the plaintext secret.

Security Features

  • AES-256-GCM encryption for data at rest
  • Domain allowlisting per secret (e.g., a Stripe key can only be used with api.stripe.com)
  • Default-deny filesystem gating
  • Content scanning on agent writes to detect accidentally leaked credentials or PII
  • Tamper-evident audit log with cryptographic hash chain
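
A sketch of the proxy-side step described above, combining `bk://` reference resolution with the per-secret domain allowlist. This is an added example, not BlindKey's own code; the `VAULT` layout, the `resolve_request` function, and the assumption that references appear in header values are hypothetical.

```python
# Added illustration, not BlindKey's code. VAULT, resolve_request and the
# header-based placement of references are assumptions made for this sketch.
import re
from urllib.parse import urlsplit

# Constructed sample vault: reference name -> (secret, allowed hosts).
# A real vault would keep these encrypted at rest; plaintext here for brevity.
VAULT = {
    "stripe": ("CONSTRUCTED-SECRET-VALUE", {"api.stripe.com"}),
}

BK_REF = re.compile(r"bk://([A-Za-z0-9_-]+)")


class InjectionDenied(Exception):
    """Raised when a reference may not be resolved for this request."""


def resolve_request(url, headers):
    """Return a copy of headers with bk:// references replaced by secrets.

    Runs on the proxy side only; the agent keeps the unresolved headers.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise InjectionDenied("secrets are only injected into https requests")
    # .hostname drops userinfo and port and lowercases the host, so
    # https://api.stripe.com@evil.example/ is evaluated as "evil.example".
    host = (parts.hostname or "").rstrip(".")

    def substitute(match):
        name = match.group(1)
        if name not in VAULT:
            raise InjectionDenied(f"unknown reference bk://{name}")
        secret, allowed_hosts = VAULT[name]
        # Exact host match, never substring or suffix matching:
        # api.stripe.com.evil.example must not pass.
        if host not in allowed_hosts:
            raise InjectionDenied(f"bk://{name} is not allowed for {host!r}")
        return secret

    return {k: BK_REF.sub(substitute, v) for k, v in headers.items()}
```

The allowlist check runs before any substitution result is returned, so a denied request never produces a header set containing the secret.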

Threat Model and Attack Surface

The main weakness identified is an agent that can read BlindKey's own process memory or vault file, since that access would bypass the blind injection protection. Current mitigations include SQLite encryption and OS-level file permissions. The source suggests kernel-level sandboxing (like nono's approach) would provide stronger protection.

The tool is available on GitHub at github.com/michaelkenealy/blindkey.

📖 Read the full source: r/openclaw
