WordPress.org
Get WordPress
WordPress.org

Plugin Directory

Kagivault

Kagivault

By miya
Download

Description

Kagivault is an encrypted vault for the WordPress 7.0 AI Connectors API. Out of the box, WordPress stores the API keys you configure on Settings Connectors (OpenAI, Anthropic, Google, OpenRouter, and any other AI provider registered with the AI Client) as plaintext rows in the wp_options table. Anyone with database access — backups, leaked dumps, host migration files — can read them.

Kagivault wraps each AI Connectors key with XChaCha20-Poly1305 (authenticated encryption) and protects the data-encryption key with a vault password derived through Argon2id. The vault password is never persisted, and the vault automatically re-locks after a short, configurable idle timeout. Unlock from the admin UI, and the WordPress AI client transparently sees the decrypted keys — no other plugin changes required.

Highlights

  • Drop-in encryption for every AI Connectors provider (connectors_ai_*_api_key rows)
  • Vault password unlock with idle-timeout auto-lock
  • Recovery key as a parallel unlock path
  • Optional: link a WordPress login password so signing in automatically unlocks the vault
  • Easy-mode initialization — no separate vault password to remember if you just want one-click setup
  • Transparent for the core WP AI client and the Connectors admin page
  • Versioned blob format for future cipher upgrades

Requirements

  • WordPress 7.0 or newer (uses the Connectors API introduced in 7.0)
  • PHP 8.3 or newer
  • PHP sodium extension with XChaCha20-Poly1305 AEAD (sodium_crypto_aead_xchacha20poly1305_ietf_encrypt)
  • PHP sodium extension with Argon2id (SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13, requires libsodium 1.0.13+)

The bundled sodium extension shipped with PHP 8.3+ on most platforms (Debian/Ubuntu php-sodium, RHEL php-sodium, Alpine php-sodium, Windows official builds) includes both capabilities. The plugin refuses to activate and surfaces a clear admin notice if either is unavailable.

Privacy Policy

Kagivault does NOT:

  • Send any data to external servers
  • Track users
  • Use cookies for tracking
  • Share data with third parties

Kagivault DOES:

  • Process and store encrypted API keys locally on your server (wp_options)
  • Keep the data-encryption key only in a short-lived transient that expires after the configured idle timeout

Support

For support, bug reports, or feature requests:

  • Website: https://github.com/benridane/kagivault

Development

Development happens on GitHub. Pull requests welcome!

  • Follow WordPress coding standards
  • All code must pass wp plugin check kagivault

Installation

  1. Upload the kagivault directory to /wp-content/plugins/.
  2. Activate the plugin through the Plugins menu in WordPress. If sodium or Argon2id is missing, activation aborts with a specific message listing what is missing.
  3. Visit Settings Kagivault and set a vault password. Store the recovery key shown to you – it cannot be recovered later.

FAQ

What happens to my AI keys while the vault is locked?

They cannot be decrypted, so AI calls that rely on those keys will not have a key available for that request. Unlock the vault from Settings Kagivault to restore functionality.

Where is the vault password stored?

Nowhere. It is held only in browser memory long enough to unlock the vault. The derived data-encryption key lives in a short-lived transient that expires after the configured idle timeout.

Does it cover keys defined in wp-config.php?

Not in this release. Constants and environment variables still take precedence over the encrypted database entries, as defined by core. A later release will add a migration path.

Can I change the idle-lock timeout?

Yes. Kagivault auto-locks after one hour of inactivity by default. Override per environment by defining the constant in wp-config.php:

define( 'KAGIVAULT_IDLE_TIMEOUT', 1800 ); // seconds

The constant always wins over the database setting. Values below 60 seconds are clamped to 60.

Reviews

There are no reviews for this plugin.

Contributors & Developers

“Kagivault” is open source software. The following people have contributed to this plugin.

Contributors

Translate “Kagivault” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

0.1.2

  • Updated the plugin and support links to point to the GitHub repository.
  • Clarified the readme and admin UI wording describing how the vault locks and unlocks.

0.1.1

  • Default idle-lock timeout extended from 30 minutes to 1 hour.
  • Added KAGIVAULT_IDLE_TIMEOUT constant so the timeout can be overridden from wp-config.php (takes precedence over the database setting).

0.1.0

  • Initial release: encrypted storage for WordPress AI Connectors API keys (OpenAI, Anthropic, Google, OpenRouter, …), vault-password unlock with idle auto-lock, recovery key, and optional WP login-password auto-unlock.

Meta

Ratings

No reviews have been submitted yet.

Your review

See all reviews

Contributors

Support

Got something to say? Need help?

View support forum