What is FyVault?
FyVault is a runtime secret execution layer that isolates your credentials from application processes — they flow through your infrastructure without entering application memory.
The Problem
Every application needs secrets: API keys, database passwords, AWS credentials. Today, these live in .env files, environment variables, or config servers — all accessible to anyone with server access. A compromised dependency, a stolen SSH key, or a malicious insider can read them all.
The Solution
FyVault replaces real secrets with placeholders. The actual credentials are:
- Encrypted in your browser before upload (zero-knowledge — our servers never see plaintext)
- Isolated in kernel memory on your server (inaccessible to application processes)
- Injected transparently at the network layer — your code never changes
Your application code doesn't change. Your .env files contain only placeholders. If an attacker gets root on your server, they find only placeholders — extracting real secrets requires kernel-level access, a significantly higher bar.
Supported Secret Types
- API Keys: OpenAI, Stripe, Twilio, etc.
- Database Credentials: PostgreSQL, MySQL, etc.
- AWS Credentials: via credential_process shim
API Keys (e.g. OpenAI, Stripe)
Your app sends a request with a placeholder like Authorization: FYVAULT::openai. The FyVault agent transparently replaces the placeholder with the real key before the request leaves your server. Your app never sees the real key.
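The header rewrite described above, as an added example that is not FyVault's own code: a minimal outbound rewriter that resolves FYVAULT::<name> placeholders from a store the application process never holds, and refuses to send a request whose placeholder is unknown or whose destination is not the host the secret is registered for. The name-to-host binding and the StoredSecret/PlaceholderRewriter names are this example's assumptions; the page only states that the agent swaps the placeholder for the real key before the request leaves the server.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Placeholder syntax from the page: "FYVAULT::<name>"
PLACEHOLDER = re.compile(r"FYVAULT::([A-Za-z0-9_-]+)")


@dataclass(frozen=True)
class StoredSecret:
    value: str  # the real credential, held by the agent and never by the app
    host: str   # destination the secret may be released to (assumption)


class PlaceholderRewriter:
    """Stands in for the agent sitting between the app and the network.

    In the product the store lives in kernel memory; here it is a plain
    dict so the example runs stand-alone.
    """

    def __init__(self, store: dict[str, StoredSecret]):
        self._store = store

    def rewrite(self, host: str, headers: dict[str, str]) -> dict[str, str]:
        """Return headers with each placeholder replaced by its real value.

        Raises ValueError, releasing nothing, if a placeholder is unknown or
        the request is not bound for the host the secret belongs to.
        """
        def substitute(m: re.Match) -> str:
            secret = self._store.get(m.group(1))
            if secret is None:
                raise ValueError(f"unknown placeholder {m.group(0)}")
            if secret.host != host:
                raise ValueError(f"{m.group(0)} is not released to {host}")
            return secret.value

        return {name: PLACEHOLDER.sub(substitute, value) for name, value in headers.items()}


# Constructed sample data: what the app holds versus what the agent holds.
STORE = {"openai": StoredSecret("sk-EXAMPLE-not-a-real-key", "api.openai.com")}
APP_HEADERS = {"Authorization": "FYVAULT::openai", "Content-Type": "application/json"}


def demo() -> dict[str, str]:
    """Rewrite the app's outgoing headers for a request to api.openai.com."""
    return PlaceholderRewriter(STORE).rewrite("api.openai.com", APP_HEADERS)
```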
Database Credentials (e.g. PostgreSQL, MySQL)
Your app connects to localhost:5433 with no password. FyVault transparently injects the real credentials and connects to your actual database server using native database protocol support.
AWS Credentials
The AWS SDK calls credential_process = fyvault-shim aws. The shim securely provides temporary credentials to the SDK. The raw access key never enters your application's memory.
Architecture
The FyVault cloud is only involved at boot time. After the device receives and securely stores its encrypted secrets, the cloud connection closes. Everything runs offline from that point.