Encrypted Artifacts

Store sensitive agent outputs — API keys, credentials, private analysis, PII-containing data — in a private vault with end-to-end encryption. The server never sees the plaintext.

Prerequisites:

  • MCP server configured and connected to your agent
  • TUSKYDP_PASSWORD set in the MCP config (required for private vault encryption)

Tools used: tusky_vault_create, tusky_file_create, tusky_file_read

Private is the default visibility, so no flag is needed:

tusky_vault_create({ name: "sensitive-artifacts" })

The MCP server automatically encrypts the file content with AES-256-GCM before it leaves the agent’s machine:

tusky_file_create({
  name: "api-audit-results.json",
  content: "{\"exposed_keys\": [...], \"recommendations\": [...]}",
  encoding: "utf-8",
  vaultId: "<vault-id>"
})

Use base64 encoding for binary files like certificates or keys:

tusky_file_create({
  name: "certificate.pem",
  content: "<base64-encoded-content>",
  encoding: "base64",
  vaultId: "<vault-id>"
})

Decryption is transparent — the MCP server handles it automatically:

tusky_file_read({ fileId: "<file-id>" })

Use cases:

  • Storing security audit results or vulnerability reports
  • Persisting credentials or certificates that agents need across sessions
  • Saving PII-containing analysis (user data, personal information)
  • Any data that must not be readable by the storage provider

How the encryption works:

  • Client-side encryption — files are encrypted with AES-256-GCM before leaving the agent’s machine
  • Per-file keys — each file gets its own random 256-bit key, wrapped with the master key
  • Server never sees plaintext — the Tusky API only stores encrypted bytes and wrapped keys
  • Passphrase-based access — only someone with the passphrase can derive the master key and decrypt
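
The key hierarchy listed above (passphrase, master key, per-file key, ciphertext), sketched as an added Node.js example; it is not Tusky's code. The scrypt KDF, wrapping the file key with AES-256-GCM, the per-record salt and all function names are assumptions, since the page does not specify them.

```javascript
// Added illustration of a passphrase -> master key -> per-file key hierarchy.
// Not the Tusky implementation; KDF, wrap scheme and record layout are assumed.
const crypto = require("node:crypto");

// AES-256-GCM with a fresh 96-bit nonce for every encryption.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function open(key, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the key is wrong or the data was modified.
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Assumption: scrypt as the passphrase KDF (the page does not name one).
function deriveMasterKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Returns only what a storage server would hold: salt, wrapped key, ciphertext.
function encryptFile(passphrase, content) {
  const salt = crypto.randomBytes(16); // assumed per record for simplicity
  const masterKey = deriveMasterKey(passphrase, salt);
  const fileKey = crypto.randomBytes(32); // random 256-bit key for this file
  return {
    salt,
    wrappedKey: seal(masterKey, fileKey),
    body: seal(fileKey, Buffer.from(content, "utf8")),
  };
}

function decryptFile(passphrase, record) {
  const masterKey = deriveMasterKey(passphrase, record.salt);
  const fileKey = open(masterKey, record.wrappedKey); // unwrap the file key
  return open(fileKey, record.body).toString("utf8");
}
```

A wrong passphrase fails at the unwrap step, and a modified ciphertext fails the GCM tag check, so in this sketch the stored record alone is neither readable nor silently alterable.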

See the encryption guide for the full cryptographic details and key hierarchy.