Octuo

Secrets Vault

The Octuo Secrets Vault keeps your credentials encrypted under per-user AWS KMS keys. Plaintext only exists during enrollment and dispense — never at rest on disk in cleartext, never visible to the language model.

⚠ Honest framing — Vault is beta-grade

Octuo's Vault meaningfully reduces credential exposure versus pasting secrets into chat: data is encrypted at rest with per-user envelope keys, and the LLM never sees plaintext. But we do not claim “even we can't read it.” Tutuo, Inc. operates the KMS keys, and a determined operator with the right permissions could in principle decrypt. Treat it as a sensible default for assistant workflows, not a hardware-backed password manager.

What you can store

Anything the assistant needs to log in or call on your behalf:

  • Third-party logins (GitHub, Gmail, vendor consoles)
  • API keys and OAuth tokens
  • SSH private keys and signed certificates
  • Cloud-provider access keys (AWS, GCP, Azure)
  • Service-account JSON blobs
  • Webhook signing secrets

Encryption model

Per-user envelope under AWS KMS

Each Octuo account has its own KMS Customer Master Key. Secrets are encrypted client-side with a per-secret data key, and the data key is sealed under your account's KMS key. Compromising one user's vault does not compromise any other user's.

Plaintext only at enrollment and dispense

Plaintext exists only for the moment you enroll a secret and the moment an explicit dispense call hands it to a tool. It is never written to durable storage, never logged, never serialized into conversation history.

The LLM never sees credentials

The assistant calls a Vault dispense tool that injects the secret directly into the target API call. The model receives a stable handle, never the underlying value — even in tool arguments, even in logs.

Audit log

Every enrollment, dispense, and revocation is logged server-side with the requesting session, tool, and timestamp. You can review it in Octuo at any time.

Where to manage your vault

Enroll, rotate, and revoke secrets from inside the Octuo macOS app.

In Octuo:
Vault

See the Privacy Policy for data-handling specifics and the Acceptable Use Policy for what you may not store.

The Vault ships with Octuo for macOS — there is no separate web login.

Download Octuo