Keychain
Conjra stores your provider credentials in an encrypted local vault.
Storage location
All credentials are stored in ~/.conjra/vault/. Each provider gets its own encrypted file:
~/.conjra/vault/ ├── supabase.enc ├── stripe.enc ├── vercel.enc └── ...Encryption
Credentials are encrypted using AES-256-GCM:
| Parameter | Value |
|---|---|
| Algorithm | AES-256-GCM |
| Key derivation | scryptSync |
| Key input | SHA-256 of hostname-platform-arch |
| Salt | conjra-salt-conjra (fixed) |
| IV | 16 random bytes per file |
| Auth tag | 16 bytes (GCM) |
Security model
- Machine-locked: Encryption key is derived from your machine hostname, platform, and CPU architecture. Vault files cannot be decrypted on a different machine.
- No cloud storage: Credentials never leave your machine.
- In-memory only: Credentials are decrypted only when needed for an API call.
- No OS keychain integration: All storage is in
~/.conjra/vault/.
Commands
Adding credentials
conjra add <provider>Viewing connected providers
conjra statusShows masked keys (first 4 + last 4 characters).
Removing credentials
conjra remove <provider>Credential masking
Conjra masks credentials when displaying them: sk_live_abc123def456 becomes sk_l•...•456.