How Askimo Protects Your Data: Simple, Local, Encrypted

Hai Nguyen

The short version

  • Askimo never stores your sensitive data (like API keys) in plain text.
  • Your data is stored locally on your device and encrypted before it is written to disk.
  • The same protection applies across Askimo: both the CLI and the Desktop app.
  • The goal is practical security: protect what matters without hype.

What Askimo keeps (and what it doesn’t)

To work properly, Askimo needs a few things:

  • API keys for the AI providers you choose (for example OpenAI or a local Ollama server).
  • Optional preferences and command recipes that help you work faster.

Askimo does not:

  • Upload your files to our servers.
  • Send analytics or tracking data in the background.

Askimo only talks to the services you configure, and only when you tell it to.

Encryption at rest: what that means

When Askimo saves sensitive information, it encrypts it first so it is unreadable without a key. If someone opens the file directly, they will see random-looking data, not your API keys.

  • We use a modern encryption method (AES-256-GCM) that includes integrity protection.
  • A small installation-specific key on your device is used to encrypt and decrypt your data.
  • This key is stored in your Askimo directory with strict file permissions.

If your system keychain is available, Askimo prefers to use that. If not, it falls back to the encrypted local file approach described above. In both cases, your keys are never stored in plain text.

Where it lives

  • All configuration and encrypted data live under your user’s Askimo folder.
  • The encryption key file is created with restrictive permissions (owner only).
  • Encrypted blobs cannot be read without that local key, so a blob copied to another machine stays unreadable unless the key file is copied with it.

Same model across the product

This protection model is shared across Askimo. Both:

  • The command-line tools, and
  • The Desktop app

use the same local, encrypted storage approach. The behavior should feel consistent no matter how you use Askimo.

A practical threat model (in plain words)

What this does aim to protect:

  • Your saved credentials from simple snooping or accidental access, like opening a config file in a text editor.
  • Situations where multiple people can access the same machine account or file system.

What this does not promise:

  • If your computer account is fully compromised (for example, malware running as you), local files and memory may still be accessible.
  • If you run untrusted plugins or scripts, they can do anything you allow them to do.
  • Incidents on the provider side (for example issues at OpenAI or other APIs) are outside Askimo’s control.

We prefer clear boundaries over marketing claims. The goal is to make everyday use safer by default.

Tips we recommend

  • Use your operating system’s keychain when Askimo offers that option.
  • Keep the Askimo folder private and out of source control.
  • Rotate your API keys if you ever think they were exposed.
  • Avoid hardcoding secrets in scripts. Use environment variables or Askimo’s secure storage instead.

A note for curious developers

For those who want more technical detail:

  • Encryption uses AES-256-GCM with a random IV and an authentication tag to prevent tampering.
  • Keys are generated once per installation and stored with owner-only permissions.
  • If loading or decrypting the stored data fails, Askimo fails safely rather than returning partial or corrupted data.
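
The three points above, sketched in Go as an added example. This is not Askimo's own code: the function names, the key file path and the nonce || ciphertext || tag blob layout are assumptions made for illustration, and the owner-only check assumes POSIX file modes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
)

// loadAEAD reads the 32-byte key at path, creating it owner-only on first run.
func loadAEAD(path string) (cipher.AEAD, error) {
	key, err := os.ReadFile(path)
	if os.IsNotExist(err) {
		key = make([]byte, 32)
		if _, err = rand.Read(key); err == nil {
			err = os.WriteFile(path, key, 0o600)
		}
	}
	if fi, serr := os.Stat(path); err != nil || serr != nil || fi.Mode().Perm()&0o077 != 0 || len(key) != 32 {
		return nil, fmt.Errorf("key file %s unusable: unreadable, too permissive, or wrong size", path)
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	return cipher.NewGCM(block)
}

func seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every write
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

// open verifies the tag before returning anything; failure yields nil, not partial data.
func open(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("blob shorter than nonce")
}

func main() {
	gcm, err := loadAEAD(os.TempDir() + "/example-install.key") // constructed path
	if err != nil {
		panic(err)
	}
	blob, _ := seal(gcm, []byte("sk-constructed-example")) // constructed secret
	fmt.Println(open(gcm, blob[1:]))                       // damaged blob: empty result plus an error
}
```

Loosening the key file to a group-readable or world-readable mode makes loadAEAD refuse it, which is a quick way to confirm the owner-only property on a real installation.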

In closing

Security in Askimo is designed to be simple and respectful:

  • Your secrets stay on your machine.
  • They are encrypted at rest.
  • They are never stored in plain text.

We will keep improving this over time and we welcome feedback, bug reports, and ideas from the community.