Layer 5 — Vault (Secrets)
Distributed secret management with AES-256-GCM encryption, Argon2id key derivation, and Shamir's Secret Sharing.
Install
pip install sv-vault
What It Does
Vault stores and manages secrets (API keys, tokens, passwords, SSH keys) for the entire mesh. Every component that needs credentials reads them from Vault.
CLI
sv init # Create a new vault
sv unlock # Unlock (enter master password)
sv add service/api_key # Store a secret
sv get service/api_key # Retrieve a secret
sv list # List all secrets
sv search "api" # Search secrets
sv update service/api_key # Update
sv delete service/api_key # Delete
sv distribute --shares 5 --threshold 3 # Split master key into 5 shares; any 3 rebuild it (Shamir)
sv recover # Rebuild master key from a threshold of shares
sv rotate # Rotate master key
sv lock # Lock vault
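What `sv distribute --shares 5 --threshold 3` and `sv recover` do conceptually, as an added worked example in pure Python (standard library only). This is an illustration of Shamir's scheme, not sv-vault's own implementation: the GF(2^8) field, the share encoding as (x, bytes) pairs and the 32-byte key are assumptions for the example.

```python
# Added example: Shamir's Secret Sharing over GF(2^8), the scheme behind
# "sv distribute --shares N --threshold K" / "sv recover". Pure Python, stdlib
# only; this is an illustration, not sv-vault's own code, and the share format
# (x, bytes) is an assumption.
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 in GF(2^8) (a != 0)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result


def split_secret(secret: bytes, n: int, k: int) -> list[tuple[int, bytes]]:
    """Split `secret` into n shares; any k shares recover it, k-1 reveal nothing."""
    if not 1 < k <= n <= 255:
        raise ValueError("need 1 < k <= n <= 255")
    shares = [(x, bytearray()) for x in range(1, n + 1)]  # x=0 holds the secret
    for byte in secret:
        # Fresh random degree-(k-1) polynomial per byte, secret byte as constant term
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, buf in shares:
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            buf.append(y)
    return [(x, bytes(buf)) for x, buf in shares]


def recover_secret(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate each byte at x=0 from at least k distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    # Basis value l_j(0) = prod_{m!=j} x_m / (x_j - x_m); subtraction is XOR in GF(2^8)
    basis = []
    for j, xj in enumerate(xs):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != j:
                num = gf_mul(num, xm)
                den = gf_mul(den, xj ^ xm)
        basis.append(gf_mul(num, gf_inv(den)))
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for (_, y), l in zip(shares, basis):
            acc ^= gf_mul(y[i], l)
        out.append(acc)
    return bytes(out)


def demo(n: int = 5, k: int = 3) -> dict:
    """Split a fresh 256-bit master key and check recovery and tamper behaviour."""
    key = secrets.token_bytes(32)
    shares = split_secret(key, n, k)
    ok_first = recover_secret(shares[:k]) == key   # first k shares
    ok_last = recover_secret(shares[-k:]) == key   # a different k shares
    # Plain Shamir carries no share integrity: one flipped bit in a share yields
    # a wrong key silently. Verify the recovered key (e.g. by opening the vault,
    # whose AES-GCM tag will fail) before trusting it.
    x, y = shares[1]
    tampered = (x, bytes([y[0] ^ 0x01]) + y[1:])
    silent_wrong = recover_secret([shares[0], tampered, shares[2]]) != key
    return {"recover_k": ok_first, "recover_other_k": ok_last, "tamper_undetected": silent_wrong}
```

The last check in `demo` is the operational caveat worth remembering: recovery from a corrupted or maliciously altered share does not error, it just returns the wrong key, so a recovery runbook should always end with an actual unlock of the vault rather than assuming the reassembled key is right.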
Security Architecture
Master Password
│
Argon2id (memory-hard KDF)
│
AES-256-GCM Encryption
│
Encrypted Vault File
│
Shamir's Secret Sharing
(split key → N shares, recover with K)
- Encryption: AES-256-GCM, an authenticated encryption mode. The authentication tag means a wrong master password or a modified vault file fails decryption outright instead of yielding garbage.
- Key derivation: Argon2id, a memory-hard KDF. Offline guessing of the master password is expensive on GPUs and ASICs in proportion to the configured memory and time cost.
- Distributed backup: Shamir's Secret Sharing splits the master key into N shares; any K of them reconstruct it and fewer than K reveal nothing about it. Keep shares with separate custodians or hosts so no single compromise or loss takes the vault with it.
- Transport: syncs between nodes over vssh; secrets never cross the network in plaintext.
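How the Argon2id and AES-256-GCM layers fit together, as an added example using the cryptography and argon2-cffi packages listed under Requirements. This is illustrative code, not sv-vault's engine or file format: the JSON header layout, the Argon2id cost parameters and the 16-byte salt and 12-byte nonce sizes are assumptions made for the example. What it shows is the property the architecture relies on: the salt, nonce and KDF parameters travel with the ciphertext as associated data, so a wrong password and a tampered header or ciphertext both fail with InvalidTag.

```python
# Added illustration of an Argon2id + AES-256-GCM vault seal/open cycle.
# Not sv-vault's own code or file format: header layout, cost parameters,
# and salt/nonce sizes are assumptions for this example.
import json
import secrets

from argon2.low_level import Type, hash_secret_raw
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed cost parameters: 64 MiB, 3 passes, 4 lanes. Tune to your hardware.
KDF_PARAMS = {"time_cost": 3, "memory_cost": 64 * 1024, "parallelism": 4}


def derive_key(password: str, salt: bytes, params: dict) -> bytes:
    """Argon2id: memory-hard, so offline guessing of the master password is costly."""
    return hash_secret_raw(
        secret=password.encode("utf-8"),
        salt=salt,
        time_cost=params["time_cost"],
        memory_cost=params["memory_cost"],  # in KiB
        parallelism=params["parallelism"],
        hash_len=32,  # AES-256 key
        type=Type.ID,
    )


def seal_vault(password: str, plaintext: bytes) -> bytes:
    """Encrypt plaintext; the header is authenticated as AAD, not encrypted."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(12)  # fresh per encryption; never reuse under one key
    header = {"kdf": "argon2id", "salt": salt.hex(), "nonce": nonce.hex(), **KDF_PARAMS}
    aad = json.dumps(header, sort_keys=True).encode("utf-8")
    key = derive_key(password, salt, header)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, aad)
    return aad + b"\n" + ciphertext  # JSON header has no newline; split on the first one


def open_vault(password: str, blob: bytes) -> bytes:
    """Decrypt; raises InvalidTag on a wrong password or any header/ciphertext change."""
    aad, ciphertext = blob.split(b"\n", 1)
    header = json.loads(aad)
    key = derive_key(password, bytes.fromhex(header["salt"]), header)
    return AESGCM(key).decrypt(bytes.fromhex(header["nonce"]), ciphertext, aad)


def unlock_fails(password: str, blob: bytes) -> bool:
    """True if the vault refuses to open (wrong password or tampering)."""
    try:
        open_vault(password, blob)
    except InvalidTag:
        return True
    return False


def downgrade_kdf(blob: bytes) -> bytes:
    """Attacker weakens the stored cost parameters; the AAD check must catch it."""
    aad, ciphertext = blob.split(b"\n", 1)
    forged = aad.replace(b'"time_cost": 3', b'"time_cost": 1')
    return forged + b"\n" + ciphertext
```

Binding the header as AAD is what stops a parameter-downgrade attack: if the cost parameters were stored unauthenticated, an attacker could rewrite them to cheap values and then brute-force the password against the ciphertext at a fraction of the intended cost.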
Integration with mpop
mpop's secret command uses Vault as its backend:
mpop secret list # List secrets via Vault
mpop secret get github_pat # Retrieve via Vault
mpop secret set my_token # Store via Vault
Python API
from engine import VaultEngine
from config import VaultConfig

config = VaultConfig.load()      # load vault configuration
vault = VaultEngine(config)
vault.unlock("master-password")  # derives the key from the master password; read it from a prompt or the environment rather than hard-coding it
vault.add("service/key", "secret-value")
value = vault.get("service/key")
secrets = vault.list_secrets()
Source
meshpop/vault — pip install sv-vault
Requirements
- Python 3.9+
- cryptography >= 41.0, argon2-cffi >= 23.1, pyyaml >= 6.0