Secrets

Security perspective on Argus MCP secrets management — encryption, providers, and log redaction.

Secrets management is a critical security layer in Argus MCP. Sensitive values like API keys, tokens, and credentials are stored encrypted and referenced indirectly in configuration — they never appear in plaintext in config files or logs.

How It Works

  1. Secrets are stored via argus-mcp secret set <name> <value>
  2. Config files reference secrets with the secret: prefix: token: "secret:my_api_key"
  3. At startup, Argus resolves all secret: references from the configured provider
  4. Log redaction automatically masks resolved secret values in all output

Providers

Provider       | Storage                                                                | Best For
file (default) | Fernet-encrypted JSON at ~/.argus/secrets.enc                          | Development, single-machine
env            | Environment variables                                                  | CI/CD, containers
keyring        | OS keychain (macOS Keychain, GNOME Keyring, Windows Credential Locker) | Desktop development

Note: For the full configuration reference including provider setup, strict mode, resolution process, SecretStore API, and CLI commands, see Configuration — Secrets Management.

Security Properties

  • Encryption at rest: File provider uses Fernet (AES-128-CBC + HMAC-SHA256)
  • Log redaction: All resolved secret values are automatically masked in logs and audit events
  • Strict mode: When strict: true, missing secrets cause a startup failure instead of a warning
  • No plaintext storage: Secret values never appear in config.yaml or environment when using the secret: reference pattern
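
The resolution flow under How It Works and the strict-mode and log-redaction properties above, as an added sketch that is not Argus MCP's own code. The names resolve, MissingSecret and RedactFilter, the dict used as a stand-in provider, and the non-strict behaviour of keeping the unresolved reference are assumptions made for illustration.

```python
import logging

PREFIX = "secret:"  # reference prefix used in config values on this page


class MissingSecret(Exception):
    """Strict mode: a referenced secret is not in the store."""


def resolve(node, store, strict, resolved):
    """Replace each 'secret:<name>' string; collect resolved values in `resolved`."""
    if isinstance(node, dict):
        return {k: resolve(v, store, strict, resolved) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, store, strict, resolved) for v in node]
    if isinstance(node, str) and node.startswith(PREFIX):
        name = node[len(PREFIX):]
        if name not in store:
            if strict:
                raise MissingSecret(name)  # fail startup
            logging.getLogger("demo").warning("secret %r not found", name)
            return node  # assumption: non-strict keeps the reference
        resolved.add(store[name])
        return store[name]
    return node


class RedactFilter(logging.Filter):
    """Mask every resolved secret value before a record is emitted."""

    def __init__(self, values):
        super().__init__()
        self.values = values

    def filter(self, record):
        msg = record.getMessage()  # format first: catches secrets in args
        for value in sorted(self.values, key=len, reverse=True):
            if value:  # an empty secret would match everywhere
                msg = msg.replace(value, "***")
        record.msg, record.args = msg, None
        return True


if __name__ == "__main__":
    store, seen = {"my_api_key": "sk-constructed-123"}, set()  # constructed sample
    cfg = resolve({"token": "secret:my_api_key"}, store, True, seen)
    logging.basicConfig(level=logging.INFO)
    logging.getLogger().handlers[0].addFilter(RedactFilter(seen))
    logging.info("using token %s", cfg["token"])
```

Tracebacks attached through exc_info are formatted later by the handler's formatter, so this filter alone does not mask a secret that appears in an exception message.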

Recommendations

  • Use the file provider with strict: true for production
  • Rotate secrets regularly using argus-mcp secret set to overwrite
  • Use keyring provider on developer workstations for OS-level protection
  • Enable audit logging to track secret resolution events