OMEGA PROTOCOL ACTIVE · AAD CONTEXT BINDING · ZERO PLAINTEXT STORAGE
WordPress stores API keys in plaintext. Every plugin, every theme, every integration dumps credentials directly into wp_options, readable by anyone with database access.
VGT Key Vault closes this gap.
A cryptographic key management system that seals every API key with AES-256-GCM + AAD Context Binding before it ever touches the database. Even with full database access, an attacker retrieves nothing but cryptographically worthless ciphertext, cryptographically bound to the key identifier.
Built as the cryptographic backbone of the VisionGaiaTechnology Sentinel ecosystem, and now available as a standalone open-source solution for any WordPress installation.
Standard WordPress Plugins:
API Key entered → stored as plaintext in wp_options
DB dump by attacker → all credentials compromised
Plugin stores key_value → readable by any other plugin
VGT Key Vault:
API Key entered → AES-256-GCM encrypted with AAD
DB dump by attacker → ciphertext only → worthless
Inter-plugin access → one authenticated API call
VGT KEY VAULT PROTOCOL

| CRYPTO KERNEL | REGISTRY KERNEL | ADMIN KERNEL |
|---|---|---|
| AES-256-GCM | O(1) Hash Map | Glassmorphism UI |
| GCM Auth Tag | Auto-Migration | Key Injection Form |
| AAD Binding | Auto-Heal | Vault Dashboard |
| HKDF Key Derive | Index Registry | Delete with Nonce |
| Random IV | | Status Alerts |
Standard AES-256-GCM encrypts data. VGT Key Vault goes further with AAD (Additional Authenticated Data), binding every ciphertext to its identifier:

```
WITHOUT AAD (standard encryption):
encrypt("sk-groq-xxx") → Ciphertext_A
Attacker copies Ciphertext_A to option "vis_api_key_other"
decrypt(Ciphertext_A) → "sk-groq-xxx"   (Ciphertext Swapping works)

WITH AAD (VGT Key Vault):
encrypt("sk-groq-xxx", context="vis_api_key_groq") → Ciphertext_A
Attacker copies Ciphertext_A to option "vis_api_key_other"
decrypt(Ciphertext_A, context="vis_api_key_other") → FAIL
(GCM authentication tag mismatch: the tag is computed over the AAD, so the swapped ciphertext is rejected)
```
This eliminates an entire class of credential-swapping attacks that most developers have never even heard of.
```php
// Master Key Derivation via HKDF (not a raw salt, but proper key derivation)
hash_hkdf('sha256', SECURE_AUTH_KEY, 0, 'vgt_vault_master_domain', AUTH_SALT);

// Encryption with AAD Context Binding
Crypto_Engine::encrypt($api_key, $option_name);

// Decryption, verified against AAD (tamper detection built-in)
Crypto_Engine::decrypt($ciphertext, $option_name);
```

Key Architecture:
- Master key derived via HKDF-SHA256 from WordPress salts, never stored
- Every encryption uses a fresh random IV (random_bytes)
- GCM Authentication Tag appended, detects any modification
- AAD Context ID binds ciphertext to its exact storage location
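The scheme above, as an added stand-alone example (not the plugin's own Crypto_Engine code): a master key derived with HKDF from two constructed stand-in salts, a seal that binds the ciphertext to its option name via AAD, and an open that rejects the same ciphertext under a different option name. The function names and the IV || tag || ciphertext layout are assumptions for this illustration.

```php
<?php
// Constructed stand-ins for the wp-config.php salts (not real values).
const SECURE_AUTH_KEY = 'constructed-secure-auth-key-placeholder';
const AUTH_SALT       = 'constructed-auth-salt-placeholder';

function vault_master_key(): string {
    // Length 0 = digest size of sha256, i.e. a 32-byte AES-256 key; never stored.
    return hash_hkdf('sha256', SECURE_AUTH_KEY, 0, 'vgt_vault_master_domain', AUTH_SALT);
}

function vault_seal(string $plaintext, string $option_name): string {
    $iv  = random_bytes(12);      // fresh 96-bit IV for every encryption
    $tag = '';
    // $option_name is passed as AAD: it is authenticated but not encrypted.
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', vault_master_key(),
                           OPENSSL_RAW_DATA, $iv, $tag, $option_name, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Stored layout (assumed): IV || tag || ciphertext, base64 for wp_options.
    return base64_encode($iv . $tag . $ct);
}

function vault_open(string $sealed, string $option_name): string {
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed sealed value');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', vault_master_key(),
                           OPENSSL_RAW_DATA, $iv, $tag, $option_name);
    if ($pt === false) {
        // Tag check failed: wrong key, modified ciphertext, or wrong AAD context.
        throw new RuntimeException('tamper or context mismatch for ' . $option_name);
    }
    return $pt;
}

$sealed = vault_seal('sk-groq-xxx', 'vis_api_key_groq');
echo vault_open($sealed, 'vis_api_key_groq'), PHP_EOL;   // original context: plaintext
try {
    vault_open($sealed, 'vis_api_key_other');            // swapped context: rejected
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```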
O(1) Hash Map instead of O(n) Array scan:

```php
[ "vis_api_key_groq"   => true ]   // isset() lookup: O(1)
[ "vis_api_key_openai" => true ]
[ "vis_api_key_stripe" => true ]
```

Auto-Migration: Old array format detected → silently upgraded
Auto-Heal: Option missing from DB → removed from index automatically
VGT Crypto Vault dashboard (AES-256-GCM · Context-Aware AAD Binding), two panels:

- Key Injection: System Identifier field (vis_api_key_...), Plaintext Token field (sk-...), and the [In Vault versiegeln] ("Seal in Vault") button
- Active Cryptonodes (O(1)): one row per stored key, e.g. vis_api_key_groq with Hash: K7mX9pQr2nZ... and vis_api_key_openai with Hash: Lp4vN8kJhFm..., each with a [Term.] button
Every action is protected:
- Nonce verification on all POST requests
- manage_options capability check before any operation
- Confirmation dialog before key termination
Other plugins in your ecosystem retrieve keys with a single authenticated call:

```php
use VGT\Vault\API;

// O(1) retrieval + AES-256-GCM decryption in one call
$api_key = API::get_key('vis_api_key_groq');

// Throws RuntimeException if key missing or tampered
try {
    $key = API::get_key('vis_api_key_stripe');
} catch (\RuntimeException $e) {
    // Handle missing/compromised key
}
```

No plaintext ever stored. No raw option access. One secure interface.
PHP: 8.0+
WordPress: 6.0+
OpenSSL: enabled (standard on all hosting)
1. Upload & Activate:
WordPress Admin → Plugins → Upload Plugin → ZIP → Install → Activate
2. Store your first API key:
WordPress Admin → VGT Vault → Key Injection
System Identifier: vis_api_key_groq
Plaintext Token: sk-your-key-here
→ [In Vault versiegeln]
3. Use in your plugin:
```php
$key = \VGT\Vault\API::get_key('vis_api_key_groq');
```

| Feature | Standard wp_options | VGT Key Vault |
|---|---|---|
| Database encryption | No (plaintext) | Yes (AES-256-GCM) |
| Ciphertext Swapping protection | No | Yes (AAD Context Binding) |
| Key derivation | No (raw storage) | Yes (HKDF-SHA256) |
| Tamper detection | No | Yes (GCM Auth Tag) |
| O(1) Registry lookup | No | Yes (Hash Map) |
| CSRF protection | No | Yes (wp_verify_nonce) |
| Inter-plugin API | No | Yes (typed facade) |
| Auto-Heal registry | No | Yes |
| DB dump resistance | No (full compromise) | Yes (ciphertext only) |
```
vgt-key-vault/
└── vgt-key-vault.php        single-file plugin
    └── Inline Kernels:
        ├── Crypto_Engine     AES-256-GCM + AAD + HKDF
        ├── Vault_Registry    O(1) Hash Map + Auto-Migration
        ├── Admin_Dashboard   UI + nonce-protected handlers
        └── API               inter-plugin facade
```
No external dependencies. No composer. No build step.
One PHP file. Drop it in and it works.
Warning: VGT Key Vault derives its master key from WordPress salts.
If you change AUTH_SALT or SECURE_AUTH_KEY in wp-config.php,
ALL stored ciphertexts become permanently unreadable.
Before migration or salt rotation:
1. Decrypt and export all keys from the Vault Dashboard
2. Rotate salts
3. Re-import keys into the new Vault
Pull requests are welcome. For major changes, please open an issue first.
```shell
git clone https://github.com/VisionGaiaTechnology/wpkeyvault
cd vgt-key-vault
```

Found a vulnerability?
Report via the VGT Sentinel Operative Registry; responsible disclosure is rewarded.
VGT Key Vault is free and open-source under AGPLv3.
If it saved you time, money, or a security incident, consider supporting:
AGPLv3 License · © 2026 VisionGaia Technology · Cologne, Germany
Anyone using and modifying this plugin must publish changes under AGPLv3.
Commercial use permitted. Attribution required.