{"id":320119,"date":"2026-06-05T16:22:18","date_gmt":"2026-06-05T16:22:18","guid":{"rendered":"https:\/\/ja.wordpress.org\/plugins\/connectvault\/"},"modified":"2026-06-06T11:54:40","modified_gmt":"2026-06-06T11:54:40","slug":"kagivault","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/kagivault\/","author":18440949,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"0.1.2","stable_tag":"0.1.2","tested":"7.0","requires":"7.0","requires_php":"8.3","requires_plugins":null,"header_name":"Kagivault","header_author":"Benridane","header_description":"Encrypts WordPress AI Connectors API keys at rest using XChaCha20-Poly1305 + Argon2id, with admin-side unlock.","assets_banners_color":"","last_updated":"2026-06-06 11:54:40","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/github.com\/benridane\/kagivault","header_author_uri":"https:\/\/benridane.com","rating":0,"author_block_rating":0,"active_installs":0,"downloads":54,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"0.1.1":{"tag":"0.1.1","author":"presents111","date":"2026-06-05 16:22:03"},"0.1.2":{"tag":"0.1.2","author":"presents111","date":"2026-06-06 11:54:40"}},"upgrade_notice":{"0.1.2":"

Documentation and project-link updates. No functional changes.<\/p>","0.1.1":"

Idle-lock timeout defaults to 1 hour and is now configurable via the KAGIVAULT_IDLE_TIMEOUT<\/code> wp-config constant.<\/p>","0.1.0":"

Initial release of Kagivault.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3562553,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3562553,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["0.1.1","0.1.2"],"block_files":[],"assets_screenshots":[],"screenshots":[]},"plugin_section":[],"plugin_tags":[2353,265993,246286,259397,12167],"plugin_category":[],"plugin_contributors":[252320],"plugin_business_model":[],"class_list":["post-320119","plugin","type-plugin","status-publish","hentry","plugin_tags-ai","plugin_tags-ai-connectors","plugin_tags-api-keys","plugin_tags-connectors","plugin_tags-encryption","plugin_contributors-presents111","plugin_committers-presents111"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/kagivault\/assets\/icon-128x128.png?rev=3562553","icon_2x":"https:\/\/ps.w.org\/kagivault\/assets\/icon-256x256.png?rev=3562553","generated":false},"screenshots":[],"raw_content":"\n

Kagivault is an encrypted vault for the WordPress 7.0 AI Connectors API<\/strong>. Out of the box, WordPress stores the API keys you configure on Settings \u2192 Connectors<\/strong> (OpenAI, Anthropic, Google, OpenRouter, and any other AI provider registered with the AI Client) as plaintext rows in the wp_options<\/code> table. Anyone with database access \u2014 backups, leaked dumps, host migration files \u2014 can read them.<\/p>\n\n

Kagivault wraps each AI Connectors key with XChaCha20-Poly1305 (authenticated encryption)<\/strong> and protects the data-encryption key with a vault password derived through Argon2id<\/strong>. The vault password is never persisted, and the vault automatically re-locks after a short, configurable idle timeout. Unlock from the admin UI, and the WordPress AI client transparently sees the decrypted keys \u2014 no other plugin changes required.<\/p>\n\n

Highlights<\/h4>\n\n
    \n
  • Drop-in encryption for every AI Connectors provider (connectors_ai_*_api_key<\/code> rows)<\/li>\n
  • Vault password unlock with idle-timeout auto-lock<\/li>\n
  • Recovery key as a parallel unlock path<\/li>\n
  • Optional: link a WordPress login password so signing in automatically unlocks the vault<\/li>\n
  • Easy-mode initialization \u2014 no separate vault password to remember if you just want one-click setup<\/li>\n
  • Transparent for the core WP AI client and the Connectors admin page<\/li>\n
  • Versioned blob format for future cipher upgrades<\/li>\n<\/ul>\n\n

    Requirements<\/h4>\n\n
      \n
    • WordPress 7.0 or newer (uses the Connectors API introduced in 7.0)<\/li>\n
    • PHP 8.3 or newer<\/li>\n
    • PHP sodium extension with XChaCha20-Poly1305 AEAD<\/strong> (sodium_crypto_aead_xchacha20poly1305_ietf_encrypt<\/code>)<\/li>\n
    • PHP sodium extension with Argon2id<\/strong> (SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13<\/code>, requires libsodium 1.0.13+)<\/li>\n<\/ul>\n\n

      The bundled sodium extension shipped with PHP 8.3+ on most platforms (Debian\/Ubuntu php-sodium<\/code>, RHEL php-sodium<\/code>, Alpine php-sodium<\/code>, Windows official builds) includes both capabilities. The plugin refuses to activate and surfaces a clear admin notice if either is unavailable.<\/p>\n\n

      Privacy Policy<\/h3>\n\n

      Kagivault does NOT:<\/p>\n\n

        \n
      • Send any data to external servers<\/li>\n
      • Track users<\/li>\n
      • Use cookies for tracking<\/li>\n
      • Share data with third parties<\/li>\n<\/ul>\n\n

        Kagivault DOES:<\/p>\n\n

          \n
        • Process and store encrypted API keys locally on your server (wp_options<\/code>)<\/li>\n
        • Keep the data-encryption key only in a short-lived transient that expires after the configured idle timeout<\/li>\n<\/ul>\n\n

          Support<\/h3>\n\n

          For support, bug reports, or feature requests:<\/p>\n\n

            \n
          • Website: https:\/\/github.com\/benridane\/kagivault<\/li>\n<\/ul>\n\n

            Development<\/h3>\n\n

            Development happens on GitHub. Pull requests welcome!<\/p>\n\n

              \n
            • Follow WordPress coding standards<\/li>\n
            • All code must pass wp plugin check kagivault<\/code><\/li>\n<\/ul>\n\n\n
                \n
              1. Upload the kagivault<\/code> directory to \/wp-content\/plugins\/<\/code>.<\/li>\n
              2. Activate the plugin through the Plugins<\/strong> menu in WordPress. If sodium or Argon2id is missing, activation aborts with a specific message listing what is missing.<\/li>\n
              3. Visit Settings \u2192 Kagivault<\/strong> and set a vault password. Store the recovery key shown to you - it cannot be recovered later.<\/li>\n<\/ol>\n\n\n
                \n

                What happens to my AI keys while the vault is locked?<\/h3><\/dt>\n

                They cannot be decrypted, so AI calls that rely on those keys will not have a key available for that request. Unlock the vault from Settings \u2192 Kagivault<\/strong> to restore functionality.<\/p><\/dd>\n

                Where is the vault password stored?<\/h3><\/dt>\n

                Nowhere. It is held only in browser memory long enough to unlock the vault. The derived data-encryption key lives in a short-lived transient that expires after the configured idle timeout.<\/p><\/dd>\n

                Does it cover keys defined in wp-config.php?<\/h3><\/dt>\n

                Not in this release. Constants and environment variables still take precedence over the encrypted database entries, as defined by core. A later release will add a migration path.<\/p><\/dd>\n

                Can I change the idle-lock timeout?<\/h3><\/dt>\n

                Yes. Kagivault auto-locks after one hour of inactivity by default. Override per environment by defining the constant in wp-config.php<\/code>:<\/p>\n\n

                define( 'KAGIVAULT_IDLE_TIMEOUT', 1800 ); \/\/ seconds\n<\/code><\/pre>\n\n
                The constant always wins over the database setting. Values below 60 seconds are clamped to 60.<\/p><\/dd>\n\n<\/dl>\n\n\n
                0.1.2<\/h4>\n\n
                  \n
                • Updated the plugin and support links to point to the GitHub repository.<\/li>\n
                • Clarified the readme and admin UI wording describing how the vault locks and unlocks.<\/li>\n<\/ul>\n\n
                  0.1.1<\/h4>\n\n
                    \n
                  • Default idle-lock timeout extended from 30 minutes to 1 hour.<\/li>\n
                  • Added KAGIVAULT_IDLE_TIMEOUT<\/code> constant so the timeout can be overridden from wp-config.php<\/code> (takes precedence over the database setting).<\/li>\n<\/ul>\n\n
                    0.1.0<\/h4>\n\n
                      \n
                    • Initial release: encrypted storage for WordPress AI Connectors API keys (OpenAI, Anthropic, Google, OpenRouter, ...), vault-password unlock with idle auto-lock, recovery key, and optional WP login-password auto-unlock.<\/li>\n<\/ul>","raw_excerpt":"Encrypts WordPress AI Connectors API keys (OpenAI, Anthropic, Google, OpenRouter) at rest with XChaCha20-Poly1305 + Argon2id.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/320119","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=320119"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/presents111"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=320119"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=320119"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=320119"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=320119"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=320119"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=320119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}