SigilGuard.
View Source
Secure vaulting behaviour and utilities for the SIGIL protocol.
Provides an interface for encrypting, decrypting, and managing sensitive values (API keys, tokens, credentials) that should never appear in logs or tool call parameters.
Behaviour
Implement SigilGuard.Vault to provide a custom storage backend:
defmodule MyApp.KmsVault do
@behaviour SigilGuard.Vault
@impl true
def encrypt(plaintext, description) do
# Encrypt via AWS KMS / GCP KMS / HashiCorp Vault
{:ok, vault_id}
end
@impl true
def decrypt(vault_id) do
{:ok, plaintext}
end
@impl true
def exists?(vault_id) do
true
end
endBuilt-in Backend
SigilGuard.Vault.InMemory provides an ETS-backed implementation
using AES-256-GCM encryption. Suitable for development and testing.
Summary
Callbacks
Decrypt and return the plaintext for the given vault ID.
Encrypt plaintext and store it, returning a vault ID for later retrieval.
Check if a vault entry exists for the given ID.
Functions
Decrypt a value using the specified backend module.
Encrypt a value using the specified backend module.
Check if a vault entry exists using the specified backend module.
Types
@type vault_id() :: String.t()
Callbacks
Functions
Decrypt a value using the specified backend module.
Examples
{:ok, plaintext} = SigilGuard.Vault.decrypt("vault_abc123", MyVault)Encrypt a value using the specified backend module.
Examples
{:ok, id} = SigilGuard.Vault.encrypt("sk-abc123", "OpenAI API key", MyVault)Check if a vault entry exists using the specified backend module.