🜏 Anubis Vault 🜏

The World's Most Secure Secrets Manager Guardian of Secrets - Protected by Quantum-Resistant Cryptography

╔══════════════════════════════════════════════════════╗
║             🜏  ANUBIS VAULT  🜏                     ║
║         Guardian of Secrets                          ║
║    ═══════════════════════════════════════           ║
║         Quantum Cipher Division                      ║
║    5 Layers of Ultimate Security Protection          ║
╚══════════════════════════════════════════════════════╝

Like Anubis, the ancient Egyptian guardian who protected the gates of the underworld and weighed the hearts of souls, Anubis Vault stands as the ultimate guardian of your digital secrets. No one—not even quantum computers or nation-state actors—can breach its defenses.

🎯 What Makes Anubis Vault Special?

Anubis Vault is not just another password manager. It's a military-grade, quantum-resistant secrets management system designed for developers, security professionals, and anyone who demands the highest level of protection for sensitive data.

🔒 5 Layers of Ultimate Security

Plus:

• ✅ Cryptographic Audit Logs - Blockchain-like tamper-proof audit trail with Merkle trees
• ✅ CI/CD Secrets Injection - Safely inject secrets into build pipelines
• ✅ Zero-Knowledge Architecture - Master password never leaves your device
• ✅ Offline-First - Works completely offline, no cloud dependencies
• ✅ Cross-Platform - macOS, Linux, Windows

🚀 Installation

From crates.io (Recommended)

cargo install anubis-vault

This single command downloads and compiles all security layers in one unified crate:

• ✅ Classical cryptography (XChaCha20-Poly1305, Argon2id)
• ✅ Post-quantum cryptography (ML-KEM-1024, ML-DSA-87)
• ✅ Zero-knowledge proofs (Plonky3)
• ✅ Shamir secret sharing
• ✅ Memory protection
• ✅ Audit logging
• ✅ Clipboard support

No feature flags needed. Everything is included.

From Source

git clone https://github.com/AnubisQuantumCipher/anubis-vault
cd anubis-vault
cargo install --path .

Verify Installation

anubis-vault --version
# Should output: anubis-vault 0.1.0

📖 Quick Start Guide

1. Initialize Your Vault

anubis-vault init

This creates your encrypted vault at ~/.anubis-vault and prompts you to set a master password.

Security Note: Choose a strong master password (20+ characters). This is the only key that can decrypt your secrets.

2. Add Secrets

# Interactive prompt (most secure - doesn't appear in shell history)
anubis-vault add API_KEY

# From command line (less secure - appears in shell history)
anubis-vault add DATABASE_URL --value "postgresql://user:pass@localhost/db"

# From stdin
echo "secret-token" | anubis-vault add GITHUB_TOKEN --stdin

# From file
cat ~/.ssh/id_rsa | anubis-vault add SSH_PRIVATE_KEY --stdin

3. Retrieve Secrets

# Check if secret exists (doesn't show value)
anubis-vault get API_KEY

# Show the secret value in terminal
anubis-vault get API_KEY --show

# Copy to clipboard (doesn't print to terminal)
anubis-vault get API_KEY --clip

# Output as JSON
anubis-vault get API_KEY --format json

4. List All Secrets

# Simple list
anubis-vault list

# Detailed view with metadata
anubis-vault list --long

# JSON output
anubis-vault list --format json

5. Generate Random Secrets

# Generate 24-character random secret
anubis-vault generate

# Custom length (64 characters)
anubis-vault generate --length 64

# Include symbols
anubis-vault generate --length 32 --symbols

# Generate and copy to clipboard
anubis-vault generate --clip

6. Delete Secrets

anubis-vault delete API_KEY

7. View Vault Information

anubis-vault info

Shows:

• Vault location
• Number of secrets
• Creation date
• Last modified date
• Encryption algorithms used
• Security features enabled

🔐 Advanced Features

CI/CD Secrets Injection

The killer feature for developers. Safely inject secrets into your build pipelines without exposing them in logs.

# Inject all secrets as environment variables
anubis-vault inject -- ./deploy.sh

# Inject specific secrets
anubis-vault inject --only API_KEY,DATABASE_URL -- npm run build

# In your script, secrets are available as $API_KEY, $DATABASE_URL, etc.

How it works:

1. Anubis Vault decrypts secrets in memory
2. Sets them as environment variables for the child process
3. Runs your command
4. Automatically zeroizes memory when done
5. Secrets never touch disk or logs

Shamir Secret Sharing (Threshold Recovery)

Split your master password into N shares, requiring M shares to recover. Perfect for backup and multi-party authentication.

# Create 5 shares, require 3 to recover
anubis-vault share --threshold 3 --total 5

# Distribute shares to trusted parties (outputs: share1.txt, share2.txt, ...)

# Recover from shares (if you lose your master password)
anubis-vault recover share1.txt share3.txt share5.txt

Use cases:

• Business continuity: Distribute shares to team members
• Personal backup: Store shares in different physical locations
• Legal compliance: Require multiple approvals for sensitive access

Cryptographic Audit Logs

Every operation (add, get, delete) is logged in a tamper-proof audit trail.

# View audit log
anubis-vault audit

# Verify audit log integrity
anubis-vault audit --verify

# Export audit log
anubis-vault audit --export audit.json

How it works:

• Blockchain-like chain of cryptographic hashes
• Each entry is signed with Ed25519
• BLAKE3 Merkle tree for efficient verification
• Impossible to tamper without detection

Post-Quantum Encryption

Protect against quantum computer attacks using NIST-approved post-quantum algorithms.

Automatically enabled for all secrets. No configuration needed.

• ML-KEM-1024 (Module-Lattice-Based Key Encapsulation Mechanism)

  • Quantum security level: 256 bits
  • Resistant to Shor's algorithm
  • NIST FIPS 203 standard

• ML-DSA-87 (Module-Lattice-Based Digital Signature Algorithm)

  • Quantum-resistant signatures
  • NIST FIPS 204 standard

Zero-Knowledge Proofs

Prove you have access to a secret without revealing it. Powered by Plonky3 ultra-fast STARKs.

# Generate a proof of access (without revealing the secret)
anubis-vault prove API_KEY

# Verify the proof
anubis-vault verify-proof proof.json

Use cases:

• Prove you have credentials without exposing them
• Privacy-preserving authentication
• Compliance audits without data disclosure

Memory Protection

Secrets are locked in physical RAM and automatically zeroized.

Automatically enabled on all platforms:

• Unix/Linux: mlock() prevents swap to disk
• Windows: VirtualLock() locks pages in memory
• All platforms:
  • Core dumps disabled (RLIMIT_CORE = 0)
  • Automatic memory zeroization on drop
  • Constant-time operations (timing attack resistant)

Custom Vault Location

# Use environment variable
export ANUBIS_VAULT_PATH=~/projects/my-vault.anubis
anubis-vault add SECRET

# Or command-line flag
anubis-vault --vault ~/projects/my-vault.anubis add SECRET

🛡️ Security Architecture

Cryptographic Algorithms

Classical Cryptography

Post-Quantum Cryptography

Zero-Knowledge Proofs

Threat Model

✅ Protected Against:

• Brute-force attacks (Argon2id makes it computationally infeasible)
• Quantum computer attacks (ML-KEM-1024, ML-DSA-87)
• Memory dumps (mlock + zeroization)
• Swap attacks (memory locking)
• Core dumps (disabled via RLIMIT_CORE)
• Timing attacks (constant-time operations)
• Tampering (Poly1305 MAC + Ed25519 signatures)
• Rainbow tables (unique salts per secret)
• Side-channel attacks (constant-time crypto)

❌ NOT Protected Against:

• Physical access to unlocked device (use full-disk encryption)
• Keyloggers (use hardware security keys)
• Compromised operating system (use secure boot)
• $5 wrench attack (use Shamir sharing to distribute trust)

Vault File Format

+------------------------+
| Magic Bytes (4B)       |  "ANBS" (Anubis)
+------------------------+
| Format Version (4B)    |  0x00000001
+------------------------+
| KDF Parameters         |  Argon2id salt (32B) + params
+------------------------+
| PQ Public Key (1568B)  |  ML-KEM-1024 public key
+------------------------+
| Encrypted Master Key   |  XChaCha20-Poly1305 encrypted
+------------------------+
| Secret Count (4B)      |  Number of secrets
+------------------------+
| Secret 1 Encrypted     |  Nonce (24B) + Ciphertext + Tag (16B)
+------------------------+
| Secret 2 Encrypted     |
+------------------------+
| ...                    |
+------------------------+
| Audit Log              |  Merkle tree + signatures
+------------------------+

Security Guarantees

Computational Security:

Breaking Anubis Vault would require:

• 2^256 operations to brute-force the master password (with 64 MiB RAM per attempt)
• 2^256 quantum operations against ML-KEM-1024
• 2^256 classical operations against XChaCha20-Poly1305

Time to crack (assuming 1 trillion attempts per second):

• Classical computer: 3.67 × 10^59 years
• Quantum computer: 3.67 × 10^59 years
• Age of universe: 1.38 × 10^10 years

Verdict: Computationally infeasible to crack, even with future quantum computers.

🎓 Usage Examples

Example 1: Developer Workflow

# Initialize vault for project
cd ~/my-project
export ANUBIS_VAULT_PATH=./.vault.anubis
anubis-vault init

# Store API keys
anubis-vault add STRIPE_SECRET_KEY
anubis-vault add AWS_ACCESS_KEY_ID
anubis-vault add AWS_SECRET_ACCESS_KEY

# Inject into deployment script
anubis-vault inject -- ./deploy.sh

# In deploy.sh:
# curl -H "Authorization: Bearer $STRIPE_SECRET_KEY" ...

Example 2: Team Secret Sharing

# Create vault with critical credentials
anubis-vault init
anubis-vault add PRODUCTION_DB_PASSWORD

# Create recovery shares (3 of 5 threshold)
anubis-vault share --threshold 3 --total 5

# Distribute shares:
# - share1.txt → Alice
# - share2.txt → Bob
# - share3.txt → Charlie
# - share4.txt → David
# - share5.txt → Eve

# If master password is lost, any 3 people can recover:
anubis-vault recover share1.txt share3.txt share5.txt

Example 3: Audit Compliance

# Enable audit logging (enabled by default)
anubis-vault add HIPAA_ENCRYPTION_KEY
anubis-vault get HIPAA_ENCRYPTION_KEY --show

# View audit trail
anubis-vault audit

# Verify integrity
anubis-vault audit --verify

# Export for compliance review
anubis-vault audit --export compliance-audit-2024.json

Example 4: SSH Key Management

# Store SSH private key
cat ~/.ssh/id_rsa | anubis-vault add SSH_PRIVATE_KEY --stdin

# Retrieve and use
anubis-vault get SSH_PRIVATE_KEY --show | ssh-add -

# Or inject into script
anubis-vault inject -- ssh-add <(anubis-vault get SSH_PRIVATE_KEY --show)

📊 Performance

System Requirements:

• RAM: 128 MiB minimum (for Argon2id)
• Disk: 10 MB for binary + storage for vault file
• Rust: 1.70 or later

🔧 Configuration

Environment Variables

Command-Line Flags

All commands support:

• --vault <path> - Custom vault location
• --quiet - Suppress non-essential output
• --help - Show detailed help

📚 API Documentation

Anubis Vault can be used as a Rust library in your own projects.

[dependencies]
anubis-vault = "0.1"

use anubis_vault::{Vault, Secret};

// Initialize vault
let vault = Vault::new("~/my-vault.anubis")?;
vault.init("my-master-password")?;

// Add secret
let secret = Secret::new("API_KEY", "secret-value");
vault.add(secret)?;

// Retrieve secret
let secret = vault.get("API_KEY")?;
println!("Value: {}", secret.reveal());

// List all secrets
let secrets = vault.list()?;
for secret in secrets {
    println!("{}", secret.name);
}

See docs.rs/anubis-vault for complete API documentation.

🤝 Contributing

Contributions are welcome! This project is part of the Anubis Quantum Cipher security suite.

Development Setup

git clone https://github.com/AnubisQuantumCipher/anubis-vault
cd anubis-vault
cargo build
cargo test

Running Tests

# Unit tests
cargo test

# Integration tests
cargo test --test '*'

# Benchmarks
cargo bench

Code Coverage

cargo tarpaulin --out Html

📄 License

Dual-licensed under MIT OR Apache-2.0.

You may choose either license at your option.

• MIT License: LICENSE-MIT
• Apache License 2.0: LICENSE-APACHE

🌍 Related Projects

Part of the Anubis Quantum Cipher security ecosystem:

• Anubis Rage - Post-quantum file encryption (ML-KEM-1024 + ML-DSA-87)
• Anubis Wormhole - Quantum-secure file transfer with magic wormhole codes
• Quantum Sign - Post-quantum digital signature tool

🙏 Acknowledgments

Built with:

• RustCrypto - Cryptographic primitives
• pqcrypto - Post-quantum cryptography (NIST standards)
• Plonky3 - Ultra-fast STARK proving system
• clap - CLI framework
• Argon2 - Password hashing competition winner

Special thanks to:

• NIST for standardizing post-quantum cryptography
• Polygon Zero for Plonky3 ZK-STARK framework
• Rust community for amazing cryptography libraries

📞 Support

• Issues: GitHub Issues
• Discussions: GitHub Discussions
• Security: See SECURITY.md for vulnerability reporting

🔮 Roadmap

v0.2.0 (Q1 2025)

• Hardware security module (HSM) integration
• Biometric unlock (TouchID, Windows Hello)
• Browser extension for auto-fill
• Mobile apps (iOS, Android)

v0.3.0 (Q2 2025)

• End-to-end encrypted cloud sync
• Multi-device support
• Team vaults with role-based access control
• Yubikey/FIDO2 support

v1.0.0 (Q3 2025)

• Formal security audit by Trail of Bits
• FIPS 140-3 compliance
• GUI application (desktop)
• Enterprise features (SSO, LDAP)

🜏 Guardian of Secrets 🜏

"Like Anubis, the ancient guardian who protected the gates of the underworld and weighed the hearts of souls, Anubis Vault stands watch over your secrets, ensuring they remain hidden from all—even the gods themselves, even quantum computers of the future."

Made with 🔒 by Anubis Quantum Cipher Division

Your secrets are safe. Forever.