DevSafe / Docs
Docs Lockbox Lockbox Overview

Your secrets are visible
to every AI tool.

Lockbox stores secrets in a binary format that AI coding assistants, grep, cat, and ripgrep cannot read. Your API keys stay on your machine but become invisible to anything that reads text.

The problem

Your .env file is plaintext. You know to add it to .gitignore, so it never reaches GitHub. Good. But that does not protect you from AI tools.

When you open a project with an AI coding assistant, the assistant reads your workspace files to build context. That includes .env. Your database password, your Stripe secret key, your AWS credentials: they all land in the AI's context window. Every tool that can read text can read your secrets.

Before Lockbox

AI assistant reads your project. It sees:

After Lockbox

AI assistant reads your project. It sees:

.env (plaintext, visible to AI)
STRIPE_SECRET=sk_live_4eC39HqLyjWDarjtT1zdp7dc
DATABASE_URL=postgres://admin:s3cret@db.example.com:5432/prod
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
.devsafe/lockbox (binary, invisible to AI)
(binary data: not text, not base64, not readable by any text tool)

The .env file is gone. The secrets still exist on your machine, inside a binary lockbox that text-based tools skip entirely. When you need the secrets (to run your app, deploy, or test), Lockbox injects them as environment variables at runtime.

How it works

Lockbox is not encryption alone. Encrypted text is still text. A base64-encoded secret is still readable by grep. Lockbox stores your secrets in a binary format that tools designed to read text (including AI context engines) will not attempt to parse. The secrets are also encrypted with nonce-unique AEAD, so even if something did read the raw bytes, the data is meaningless without your key.

Two layers of protection:

The workflow

1

Import your secrets

Take your existing .env file and import it into the lockbox. This reads every key-value pair, stores them in encrypted binary format, and (optionally) deletes the original .env so no plaintext copy remains.

terminal
$ devsafe lockbox import .env
 imported 12 secrets from .env
 stored in .devsafe/lockbox (binary, AI-invisible)
  tip: run `devsafe lockbox proof` to verify invisibility
2

Run commands with secrets

Instead of sourcing a .env file, wrap your command with lockbox run. Lockbox decrypts your secrets in memory and injects them as environment variables. They exist only for the lifetime of that command. Nothing is written to disk.

terminal
$ devsafe lockbox run npm start
 injected 12 secrets into environment
  server listening on :3000

# secrets are in memory only, never written to a file

This works with any command: devsafe lockbox run docker compose up, devsafe lockbox run pytest, devsafe lockbox run terraform apply.

3

Prove it's invisible

This is the moment that makes it real. The proof command runs every common text-reading tool against your lockbox and shows you what each one sees: nothing.

terminal
$ devsafe lockbox proof

Testing AI visibility of .devsafe/lockbox...

  grep "STRIPE"          ✓ not found
  cat .devsafe/lockbox    ✓ binary, no text output
  ripgrep "SECRET"        ✓ not found
  strings .devsafe/lockbox ✓ no recognizable strings
  file .devsafe/lockbox   ✓ identified as "data" (not text)

 lockbox is invisible to all text tools
 12 secrets stored, 0 secrets exposed
4

Inject into config files

Some tools need secrets in config files, not environment variables. Use placeholders in your config and let Lockbox fill them in at build time.

config.template.json
{
  "database": "{{LOCKBOX:DATABASE_URL}}",
  "stripe": "{{LOCKBOX:STRIPE_SECRET}}"
}
terminal
$ devsafe lockbox inject config.template.json --out config.json
 replaced 2 placeholders
 wrote config.json

The template file (with {{LOCKBOX:...}} placeholders) is safe to commit. The output file (with real values) should be in your .gitignore.

5

Protect MCP configs

MCP (Model Context Protocol) server configs often contain API keys in plaintext JSON. The wrap-mcp command rewrites those configs to pull credentials from Lockbox instead.

terminal
$ devsafe lockbox wrap-mcp
  scanning MCP configs...
 found 3 configs with plaintext credentials
 imported 5 secrets to lockbox
 rewrote configs to use lockbox references

Lockbox vs. Vault

DevSafe has two tools for secrets. They solve different problems and work together.

Lockbox (devsafe lockbox) makes secrets invisible to AI tools on your local machine. It stores them in binary format so nothing that reads text can find them. This is for your daily workflow: developing, testing, and running code without exposing secrets to AI assistants.

Vault (devsafe vault) is encrypted credential storage for sharing across machines or with team members. It uses nonce-unique AEAD to encrypt secrets and stores them in user-owned storage. This is for credential management: syncing secrets between your laptop and your CI server, or sharing a staging database password with a teammate.

They work together naturally. Vault stores and syncs your secrets across machines. Lockbox hides them from AI on each machine. Import from Vault into Lockbox with a single command:

terminal
$ devsafe lockbox import --from-vault my-project
 imported 8 secrets from vault "my-project" into lockbox

Free, no account required

Lockbox works entirely on your machine. No account. No server. No subscription. Install DevSafe and start using it immediately.

Lockbox is free forever.

Local secret storage that protects you from AI tools is not a paid feature. It ships with every DevSafe install. Vault (for syncing and sharing secrets across machines) is also free for individual use.

For agencies and freelancers

When you manage secrets for multiple clients, Lockbox keeps them separated and controlled.

Scope secrets per client

The --project flag creates isolated lockboxes. Each client's secrets live in their own binary store, completely separate from every other client.

terminal
$ devsafe lockbox import .env --project acme-corp
 imported 6 secrets into project "acme-corp"

$ devsafe lockbox run --project acme-corp npm start
 injected 6 secrets (project: acme-corp)

Share credentials safely

Need to give a subcontractor temporary access to a client's staging API? lockbox grant creates a time-limited, single-use credential share. The recipient gets the secrets once. After the time window closes, the grant expires automatically.

terminal
$ devsafe lockbox grant --project acme-corp --expires 24h --keys STAGING_API_KEY,STAGING_DB_URL
 grant created (expires in 24 hours, single use)
  share this link: https://lockbox.devsafe.com/g/abc123

Clean up when a project ends

When a client engagement is over, revoke all credentials at once. No hunting through config files. No "did I remember to rotate that key?"

terminal
$ devsafe lockbox revoke --project acme-corp
  revoking all grants for project "acme-corp"...
 2 active grants revoked
 project lockbox wiped

Collect credentials from clients

Instead of asking clients to paste API keys into Slack or email, send them an intake link. They enter their credentials into a secure form, and the secrets land directly in your project lockbox.

terminal
$ devsafe lockbox intake --project acme-corp --keys STRIPE_SECRET,DB_PASSWORD,SENDGRID_KEY
 intake form created (expires in 7 days)
  send this to your client: https://lockbox.devsafe.com/intake/xyz789
No more secrets in Slack.

The intake link uses end-to-end encryption. Your client's secrets go from their browser directly into your lockbox. Nothing is stored on any server. Nothing passes through plaintext channels.