Title: Kagivault Author: miya Published: June 5, 2026 Last modified: June 6, 2026 --- Search plugins ![](https://ps.w.org/kagivault/assets/icon-256x256.png?rev=3562553) # Kagivault By [miya](https://profiles.wordpress.org/presents111/) [Download](https://downloads.wordpress.org/plugin/kagivault.0.1.2.zip) * [Details](https://wordpress.org/plugins/kagivault/#description) * [Reviews](https://wordpress.org/plugins/kagivault/#reviews) * [Installation](https://wordpress.org/plugins/kagivault/#installation) * [Development](https://wordpress.org/plugins/kagivault/#developers) [Support](https://wordpress.org/support/plugin/kagivault/) ## Description Kagivault is an encrypted vault for the **WordPress 7.0 AI Connectors API**. Out of the box, WordPress stores the API keys you configure on **Settings Connectors**( OpenAI, Anthropic, Google, OpenRouter, and any other AI provider registered with the AI Client) as plaintext rows in the `wp_options` table. Anyone with database access — backups, leaked dumps, host migration files — can read them. Kagivault wraps each AI Connectors key with **XChaCha20-Poly1305 (authenticated encryption)** and protects the data-encryption key with a **vault password derived through Argon2id**. The vault password is never persisted, and the vault automatically re-locks after a short, configurable idle timeout. Unlock from the admin UI, and the WordPress AI client transparently sees the decrypted keys — no other plugin changes required. #### Highlights * Drop-in encryption for every AI Connectors provider (`connectors_ai_*_api_key` rows) * Vault password unlock with idle-timeout auto-lock * Recovery key as a parallel unlock path * Optional: link a WordPress login password so signing in automatically unlocks the vault * Easy-mode initialization — no separate vault password to remember if you just want one-click setup * Transparent for the core WP AI client and the Connectors admin page * Versioned blob format for future cipher upgrades #### Requirements * WordPress 7.0 or newer (uses the Connectors API introduced in 7.0) * PHP 8.3 or newer * PHP sodium extension with **XChaCha20-Poly1305 AEAD** (`sodium_crypto_aead_xchacha20poly1305_ietf_encrypt`) * PHP sodium extension with **Argon2id** (`SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13`, requires libsodium 1.0.13+) The bundled sodium extension shipped with PHP 8.3+ on most platforms (Debian/Ubuntu` php-sodium`, RHEL `php-sodium`, Alpine `php-sodium`, Windows official builds) includes both capabilities. The plugin refuses to activate and surfaces a clear admin notice if either is unavailable. ### Privacy Policy Kagivault does NOT: * Send any data to external servers * Track users * Use cookies for tracking * Share data with third parties Kagivault DOES: * Process and store encrypted API keys locally on your server (`wp_options`) * Keep the data-encryption key only in a short-lived transient that expires after the configured idle timeout ### Support For support, bug reports, or feature requests: * Website: https://github.com/benridane/kagivault ### Development Development happens on GitHub. Pull requests welcome! * Follow WordPress coding standards * All code must pass `wp plugin check kagivault` ## Installation 1. Upload the `kagivault` directory to `/wp-content/plugins/`. 2. Activate the plugin through the **Plugins** menu in WordPress. If sodium or Argon2id is missing, activation aborts with a specific message listing what is missing. 3. Visit **Settings Kagivault** and set a vault password. Store the recovery key shown to you – it cannot be recovered later. ## FAQ ### What happens to my AI keys while the vault is locked? They cannot be decrypted, so AI calls that rely on those keys will not have a key available for that request. Unlock the vault from **Settings Kagivault** to restore functionality. ### Where is the vault password stored? Nowhere. It is held only in browser memory long enough to unlock the vault. The derived data-encryption key lives in a short-lived transient that expires after the configured idle timeout. ### Does it cover keys defined in wp-config.php? Not in this release. Constants and environment variables still take precedence over the encrypted database entries, as defined by core. A later release will add a migration path. ### Can I change the idle-lock timeout? Yes. Kagivault auto-locks after one hour of inactivity by default. Override per environment by defining the constant in `wp-config.php`: ``` define( 'KAGIVAULT_IDLE_TIMEOUT', 1800 ); // seconds ``` The constant always wins over the database setting. Values below 60 seconds are clamped to 60. ## Reviews There are no reviews for this plugin. ## Contributors & Developers “Kagivault” is open source software. The following people have contributed to this plugin. Contributors * [ miya ](https://profiles.wordpress.org/presents111/) [Translate “Kagivault” into your language.](https://translate.wordpress.org/projects/wp-plugins/kagivault) ### Interested in development? [Browse the code](https://plugins.trac.wordpress.org/browser/kagivault/), check out the [SVN repository](https://plugins.svn.wordpress.org/kagivault/), or subscribe to the [development log](https://plugins.trac.wordpress.org/log/kagivault/) by [RSS](https://plugins.trac.wordpress.org/log/kagivault/?limit=100&mode=stop_on_copy&format=rss). ## Changelog #### 0.1.2 * Updated the plugin and support links to point to the GitHub repository. * Clarified the readme and admin UI wording describing how the vault locks and unlocks. #### 0.1.1 * Default idle-lock timeout extended from 30 minutes to 1 hour. * Added `KAGIVAULT_IDLE_TIMEOUT` constant so the timeout can be overridden from` wp-config.php` (takes precedence over the database setting). #### 0.1.0 * Initial release: encrypted storage for WordPress AI Connectors API keys (OpenAI, Anthropic, Google, OpenRouter, …), vault-password unlock with idle auto-lock, recovery key, and optional WP login-password auto-unlock. ## Meta * Version **0.1.2** * Last updated **2 hours ago** * Active installations **Fewer than 10** * WordPress version ** 7.0 or higher ** * Tested up to **7.0** * PHP version ** 8.3 or higher ** * Tags * [AI](https://wordpress.org/plugins/tags/ai/)[api keys](https://wordpress.org/plugins/tags/api-keys/) [connectors](https://wordpress.org/plugins/tags/connectors/)[encryption](https://wordpress.org/plugins/tags/encryption/) * [Advanced View](https://wordpress.org/plugins/kagivault/advanced/) ## Ratings No reviews have been submitted yet. [Your review](https://wordpress.org/support/plugin/kagivault/reviews/#new-post) [See all reviews](https://wordpress.org/support/plugin/kagivault/reviews/) ## Contributors * [ miya ](https://profiles.wordpress.org/presents111/) ## Support Got something to say? Need help? [View support forum](https://wordpress.org/support/plugin/kagivault/)