Credential Management
What you'll accomplish: Store and manage credentials securely using the vault, environment variables, and security best practices.
The vault
Hoziron provides a built-in credential vault:
```shell
# Initialize (first time)
hoziron vault init

# Store a credential
hoziron vault set MY_SECRET_KEY
# Prompts for the value (not echoed)

# List stored keys (values hidden)
hoziron vault list

# Remove a credential
hoziron vault remove MY_SECRET_KEY
```
Environment variables
For container deployments, inject credentials via environment variables. Provider and integration keys reference env var names in config:
```toml
[providers.anthropic]
api_key_env = "ANTHROPIC_API_KEY" # Reads $ANTHROPIC_API_KEY at request time
```
This is the recommended pattern for Kubernetes (secrets injected by the orchestrator).
How credentials are resolved
Key principles:
- Credentials are resolved lazily at request time, not at startup
- If an env var is missing when a request needs it, the request fails with a clear error
- `config.toml` stores the name of the env var, never the value itself
- Error messages reference the env var name, never the key value
Vault vs environment variables
| Method | Stored where | Best for |
|---|---|---|
| Vault | $HOZIRON_HOME/vault/ (encrypted at rest) | Bare metal, persistent secrets |
| Environment variables | Process env | Containers, orchestrator-managed |
| .env file | $HOZIRON_HOME/.env | Local development |
Security practices
- Never put raw secrets in `config.toml`; always use `api_key_env` references
- The vault encrypts at rest; env vars are plain (rely on OS/container security)
- Use a secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.) and inject as env vars
- The key store database has 0600 permissions (owner-only read/write)
Integration credentials
Store credentials for each integration separately:
```shell
hoziron vault set POSTGRES_CONNECTION_URL
hoziron vault set CLAIMCENTER_API_KEY
hoziron vault set AWS_ACCESS_KEY_ID
hoziron vault set AWS_SECRET_ACCESS_KEY
```