Use AI with VaultGuard
Two ways to bring AI to your encrypted vault — a built-in Claude chat panel inside Obsidian, or your own agent (Claude Code, Claudian, Cursor) over a scoped MCP bridge. Both run through the same at-rest decryption, per-file permissions, and audit trail as a human user — never against the raw ciphertext on disk.
Built-in AI Chat
Chat with Claude about your vault without leaving Obsidian. Open the panel from the sidebar, connect your Anthropic API key or Claude subscription, and start asking — or have it draft and edit notes for you.
The same gates as you, applied to the AI
Every file the assistant reads or writes runs through the same at-rest decryption and per-file VaultGuard permissions you do. Plaintext is decrypted on demand, writes are re-encrypted with your local key, and every tool call is audit-logged — never against the raw ciphertext on disk.
Bring your key or your subscription
Use your own Anthropic API key, or drive your existing Claude subscription through the official Claude Code CLI. VaultGuard never holds a third-party token, and nothing leaves the device until you send a turn — with no key and no sign-in, the panel makes zero outbound calls.
Confirm before it writes
The assistant proposes edits as reviewable diffs — you approve or skip each write. It can also explain who can access a note and adjust permissions, all behind the same confirmation prompt and audit trail as a manual change.
Setup, providers, and privacy details live in the AI Chat guide (also on GitHub).
Bring your own agent
Prefer to stay in your own tools? VaultGuard ships a built-in MCP server so Claude Code, Claudian, Cursor, and other agents can work in your encrypted vault through the same gates. Three steps to connect:
Install the skill
In Obsidian → Settings → VaultGuard Sync → Agent bridge connections → Install Claude Code skill. Writes a single SKILL.md to ~/.claude/skills/vaultguard/ that teaches Claude Code which tools to use when it sees an encrypted vault — no tokens, no per-user state.
Mint a lease
Run "VaultGuard Sync: Create Agent Bridge Lease" from the command palette. Pick a scope (a folder or the whole vault), a lifetime (30 minutes up to "Until logout"), and a write mode. Persistent leases are gated by a re-auth prompt and survive Obsidian restarts.
Paste the MCP config
The lease modal copies a ready-to-paste mcpServers JSON snippet. Drop it into Claude Code's .mcp.json, Claudian's MCP settings, Cursor, or any MCP-aware client. Your agent now reads, searches, patches, and creates files through VaultGuard's permission gates.
{
"mcpServers": {
"vaultguard": {
"type": "http",
"url": "http://127.0.0.1:47711/mcp",
"headers": { "Authorization": "Bearer agt_..." }
}
}
}Plaintext through the bridge, ciphertext on disk
The MCP server speaks Streamable HTTP at 127.0.0.1, gated by a per-lease bearer token. Every read goes through the same at-rest decrypt path your Obsidian editor uses — no key material ever leaves the device.
Three permission layers, plus an audit trail
Lease scope, lease writeMode (deny/confirm/allow), and your existing per-file VaultGuard permissions all apply. Every tool call fires a structured audit event with the agent name, tool, path shape, and outcome — no plaintext payloads in the audit log.
Persistent without per-day friction
"Until logout" leases are encrypted to disk via the at-rest layer, survive restarts, and auto-revoke when you log out. Rotate the bearer or revoke individual leases from Settings without touching the others.
Full setup walkthrough, including the Claudian-specific slash command pattern and the built-in tool reference, lives in the AI Agent Bridge guide (also on GitHub).
AI agent FAQ
The questions teams ask before they wire an agent into an encrypted vault.
Both. VaultGuard ships a native Claude chat panel inside Obsidian — open it from the sidebar, bring your own Anthropic API key or drive your Claude subscription, and ask about or edit your notes. Every file it touches runs through the same at-rest encryption, per-file permissions, and audit trail you do. If you would rather stay in your own tools, the agent bridge wires Claude Code, Cursor, or Claudian into the same tool surface. The built-in chat is in fact a consumer of that same bridge — one permission and audit boundary, two front ends.
Only when you send a turn, and only the content needed for that turn — to Anthropic, under your own API key or Claude subscription (VaultGuard never holds a third-party token). With no key configured and no subscription signed in, the panel makes zero outbound calls. File reads and writes go through the same at-rest decrypt and permission path as the rest of the plugin; writes are shown as diffs you confirm, and every tool call is audit-logged without the file content.
Yes — VaultGuard ships a built-in MCP (Model Context Protocol) server. Mint a scoped lease from the command palette, paste the generated mcpServers config into your agent's MCP settings, and the agent gets a curated tool surface (list, search, read, apply_patch, create) that runs through the same permission and decrypt path as Obsidian itself. Pointing Claude Code at the raw vault directory still returns ciphertext — that's the point. The bridge is the only intended way for agents to see plaintext.
A SKILL.md at ~/.claude/skills/vaultguard/ that teaches Claude Code (and any agent that loads ~/.claude/skills/) what to do when it encounters an encrypted vault. It tells the model to use mcp__vaultguard__* tools instead of Read/Glob/Grep, explains the three permission layers (lease scope, lease writeMode, file-level VaultGuard permissions), and maps each error to the right diagnostic. The skill carries no tokens or per-user state — install once per machine, rotate leases independently.
Mint the lease as "Until logout (persistent)" instead of a fixed duration. Persistent leases are gated by a re-auth prompt at creation, encrypted to disk via the at-rest cipher, survive Obsidian restarts, and auto-revoke when you log out. The bridge tries to bind to a stable port (127.0.0.1:47711) so the URL pasted into your agent's config keeps working across reloads. You can rotate or revoke any individual lease from Settings → Agent bridge connections.
Three different layers can reject a write, and the error message tells you which one. "Lease does not cover X" means the path is outside the lease's scope — mint a wider one. "Lease is read-only" means writeMode was set to deny — re-mint with confirm. "No WRITE permission for X" means your VaultGuard vault-side permissions don't allow you to write that file — that's separate from the lease, and a new lease won't fix it. The skill encodes this triage so a well-behaved agent will diagnose before suggesting a fix.
Only the bearer token — and only for the lease you minted. The local at-rest key (LAK), recovery code, cloud key lease, refresh token, and Cognito tokens are never reachable through the bridge. Hidden directories (.obsidian/, .trash/, .git/) are blocked even if a scope tries to include them. Every tool call is audit-logged with the agent name, tool, path shape, and outcome — but never the file content, the diff body, or the search query string.