Kagivault
Kagivault is an encrypted vault for the WordPress 7.0 AI Connectors API. Out of the box, WordPress stores the API keys you configure on Settings → Connectors (OpenAI, Anthropic, Google, OpenRouter, and any other AI provider registered with the AI Client) as plaintext rows in the wp_options table. Anyone with database access — backups, leaked dumps, host migration files — can read them.
Kagivault wraps each AI Connectors key with XChaCha20-Poly1305 (authenticated encryption) and protects the data-encryption key with a vault password derived through Argon2id. The vault password is never persisted, and the vault automatically re-locks after a short, configurable idle timeout. Unlock from the admin UI, and the WordPress AI client transparently sees the decrypted keys — no other plugin changes required.
Highlights
- Drop-in encryption for every AI Connectors provider (`connectors_ai_*_api_key` rows)
- Vault password unlock with idle-timeout auto-lock
- Recovery key as a parallel unlock path
- Optional: link a WordPress login password so signing in automatically unlocks the vault
- Easy-mode initialization — no separate vault password to remember if you just want one-click setup
- Transparent for the core WP AI client and the Connectors admin page
- Versioned blob format for future cipher upgrades
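An added example (not the plugin's own code) of the envelope scheme described above: an Argon2id-derived key-encryption key wraps a random data-encryption key, and that key seals each connector key with XChaCha20-Poly1305 into a versioned blob. The blob layout, the function names and the use of the option name as associated data are assumptions of this example.

```php
<?php
// Assumed blob layout: 1 version byte || 24-byte nonce || AEAD ciphertext+tag.
const VAULT_BLOB_VERSION = "\x01";

function vault_seal(string $plaintext, string $key, string $aad): string {
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, $aad, $nonce, $key);
    return VAULT_BLOB_VERSION . $nonce . $ct;
}

function vault_open(string $blob, string $key, string $aad): string {
    if ($blob === '' || $blob[0] !== VAULT_BLOB_VERSION) {
        throw new RuntimeException('Unsupported blob version');
    }
    $nlen = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    $nonce = substr($blob, 1, $nlen);
    $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(substr($blob, 1 + $nlen), $aad, $nonce, $key);
    if ($pt === false) {
        throw new RuntimeException('Authentication failed: wrong key, wrong row, or tampered blob');
    }
    return $pt;
}

// Key-encryption key (KEK) derived from the vault password with Argon2id.
// The salt is random per vault and stored next to the wrapped DEK; the KEK itself is never stored.
function vault_kek(string $password, string $salt): string {
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13);
}

// --- Initialization (constructed sample values) ---
$password = 'correct horse battery staple';
$salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
$dek  = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();   // random data-encryption key
$kek  = vault_kek($password, $salt);
$wrappedDek = vault_seal($dek, $kek, 'kagivault:dek');        // this blob is what gets persisted
sodium_memzero($kek);

// Seal one connector key. Binding the option name as AAD means a blob copied
// from one connectors_ai_*_api_key row into another will not decrypt.
$option = 'connectors_ai_openai_api_key';
$blob = vault_seal('sk-constructed-sample-not-a-real-key', $dek, $option);
sodium_memzero($dek);

// --- Unlock: re-derive the KEK, unwrap the DEK, decrypt the connector key ---
$kek = vault_kek($password, $salt);
$dek = vault_open($wrappedDek, $kek, 'kagivault:dek');
echo vault_open($blob, $dek, $option), "\n";
try { vault_open($blob, $dek, 'connectors_ai_anthropic_api_key'); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

In the real plugin the unwrapped DEK would live only in the short-lived transient mentioned under Privacy Policy, and be zeroed again on re-lock.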
Requirements
- WordPress 7.0 or newer (uses the Connectors API introduced in 7.0)
- PHP 8.3 or newer
- PHP sodium extension with XChaCha20-Poly1305 AEAD (`sodium_crypto_aead_xchacha20poly1305_ietf_encrypt`)
- PHP sodium extension with Argon2id (`SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13`, requires libsodium 1.0.13+)
The bundled sodium extension shipped with PHP 8.3+ on most platforms (Debian/Ubuntu php-sodium, RHEL php-sodium, Alpine php-sodium, Windows official builds) includes both capabilities. The plugin refuses to activate and surfaces a clear admin notice if either is unavailable.
Privacy Policy
Kagivault does NOT:
- Send any data to external servers
- Track users
- Use cookies for tracking
- Share data with third parties
Kagivault DOES:
- Process and store encrypted API keys locally on your server (`wp_options`)
- Keep the data-encryption key only in a short-lived transient that expires after the configured idle timeout
Support
For support, bug reports, or feature requests:
- Website: https://github.com/benridane/kagivault
Development
Development happens on GitHub. Pull requests welcome!
- Follow WordPress coding standards
- All code must pass `wp plugin check kagivault`