_{Official ZPE/YASS documentation}zpe.lib.vault

ZPE About Documentation Tracker Try it ZPE Online ZULE

The Vault plugin provides secure, encrypted and persistent storage for sensitive data within ZPE. It is designed for storing secrets such as API keys, passwords, authentication tokens, and credentials.

Vault encrypts all stored values using strong modern cryptography and saves them securely on disk. Data remains encrypted at rest and can only be accessed after initialising the Vault with the correct passphrase.

Objects

`Vault`

The Vault object provides access to an encrypted key–value store. Before any data can be stored or retrieved, the vault must be initialised using init.

init (string passphrase) ⇒ boolean: Initialises the vault using the given passphrase.

If the vault does not yet exist, it will be created. If it already exists, the passphrase must match the original passphrase used to create it.

Returns true if initialisation succeeds, otherwise false.

Note: This must be called before using any other method.
set (string key, string value) ⇒ boolean: Stores a secret value in the vault under the given key.

The value is encrypted using AES-GCM before being written to disk.

Returns true if the value was successfully stored.
get (string key) ⇒ string | boolean: Retrieves and decrypts the value associated with the given key.

If the key does not exist, or if the vault has not been initialised correctly, the method returns false.
has (string key) ⇒ boolean: Returns true if the vault contains the specified key.

This does not decrypt the value — it only checks for existence.
delete (string key) ⇒ boolean: Removes the specified key and its associated encrypted value from the vault.

Returns true if the key existed and was removed.
list_keys () ⇒ list: Returns a list containing all stored key names.

Only the key names are returned — the encrypted values remain protected.
close () ⇒ boolean: Closes the vault and clears any sensitive key material from memory.

After calling this method, the vault must be reinitialised before secrets can be accessed again.

Returns true on success.

Example

YASS

import "zpe.lib.vault"

vault = new Vault()

vault -> init("my-secure-passphrase")

vault -> set("api_key", "sk_live_123")
vault -> set("database_password", "supersecret")

if (vault.has("api_key"))
  print(vault.get("api_key"))
end if

keys = vault.list_keys()

for (k in keys)
  print(k)
end for

vault -> close()

Security Notes

Uses AES-GCM encryption for confidentiality and tamper protection.
Encryption keys are derived using PBKDF2 with a unique salt.
Secrets are encrypted before being written to disk.
The passphrase is never stored.
Cross-platform (Windows, macOS, Linux).

Back to documentation

Comments

There are no comments on this page.

New comment

Comments are welcome and encouraged, including disagreement and critique. However, this is not a space for abuse. Disagreement is welcome; personal attacks, harassment, or hate will be removed instantly. This site reflects personal opinions, not universal truths. If you can’t distinguish between the two, this probably isn’t the place for you. The system temporarily stores IP addresses and browser user agents for the purposes of spam prevention, moderation, and safeguarding. This data is automatically removed after fourteen days. Your email address is stored so that replies can be sent to your email address.

Comments powered by BalfComment

News

eTraxion

eTraxion (formerly jbTAR) is my latest project. Explore it today and see what it can do.

More information

ZPE 1.14.3

ZPE 1.14.3 (Merchantgate) is available now. There are two new functions, a new trusted plugin security system, bug fixes and new runtime features, a massively improved Converter object and more.