The MCP server provides encrypted credential management for cloud storage providers. Credentials are stored locally with AES-256-GCM authenticated encryption.
Aspect
Implementation
Encryption
AES-256-GCM (authenticated)
Key Derivation
scrypt with OWASP-recommended parameters
Storage
Local encrypted file (./data/credentials.enc)
File Permissions
0600 (owner read/write only)
Memory
Decrypted keys cached with timeout + zeroing
Variable
Required
Description
CREDENTIAL_MASTER_PASSWORD
Yes
Master password for encryption/decryption
CREDENTIAL_STORE_PATH
No
Path to credential store (default: ./data/credentials.enc)
Store new credentials with AES-256-GCM encryption.
Parameter
Type
Required
Description
id
string
Yes
Unique identifier
name
string
Yes
Human-readable name
credentials
object
Yes
Provider-specific credentials (see below)
description
string
No
Optional description
tags
string[]
No
Optional tags
"name" : " Company Google Drive " ,
"clientId" : " xxx.apps.googleusercontent.com " ,
"clientSecret" : " GOCSPX-xxx " ,
"tags" : [ " production " , " google " ]
Retrieve full credentials by ID (including secrets).
Update existing credentials. The id must already exist. Provider type is immutable after creation.
Delete credentials by ID. Cannot be undone.
List all stored credential metadata (no secrets returned).
"clientId" : " xxx.apps.googleusercontent.com " ,
"clientSecret" : " GOCSPX-xxx " ,
"refreshToken" : " 1//xxx " ,
"rootFolderId" : " optional-folder-id "
Field
Required
Description
type
Yes
Must be "googledrive"
clientId
Yes
OAuth2 Client ID
clientSecret
Yes
OAuth2 Client Secret
refreshToken
Yes
OAuth2 Refresh Token
rootFolderId
No
Default folder for operations
"tenantId" : " your-tenant-id " ,
"clientId" : " your-client-id " ,
"clientSecret" : " your-client-secret " ,
"refreshToken" : " refresh-token " ,
Field
Required
Description
type
Yes
Must be "onedrive"
tenantId
Yes
Azure AD Tenant ID
clientId
Yes
Application (client) ID
clientSecret
No
Client secret (for app auth)
refreshToken
No
Refresh token (for delegated auth)
authType
No
"delegated" or "application"
userId
No
User ID (for app-only access)
driveId
No
Specific drive ID
"accessKeyId" : " AKIAIOSFODNN7EXAMPLE " ,
"secretAccessKey" : " wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY " ,
"region" : " eu-central-1 " ,
"pathPrefix" : " documents/ "
Field
Required
Description
type
Yes
Must be "s3"
accessKeyId
Yes
AWS Access Key ID
secretAccessKey
Yes
AWS Secret Access Key
region
No
AWS Region (default: us-east-1)
bucket
Yes
S3 Bucket name
pathPrefix
No
Path prefix for all operations
"accessKeyId" : " minioadmin " ,
"secretAccessKey" : " minioadmin " ,
"endpoint" : " http://minio.example.com:9000 " ,
"pathPrefix" : " generated/ "
Field
Required
Description
type
Yes
Must be "minio"
accessKeyId
Yes
MinIO Access Key
secretAccessKey
Yes
MinIO Secret Key
endpoint
No
MinIO server URL
bucket
Yes
Bucket name
pathPrefix
No
Path prefix
"url" : " https://webdav.example.com/remote.php/dav/files/user/ " ,
"username" : " user@example.com " ,
"password" : " app-password " ,
"basePath" : " /Documents/ "
Field
Required
Description
type
Yes
Must be "webdav"
url
Yes
WebDAV server URL
authType
No
"none", "password", "digest", or "token"
username
No
Username
password
No
Password
token
No
Token for token-based auth
basePath
No
Base path
"host" : " fileserver.example.com " ,
"username" : " domain \\ user " ,
"basePath" : " /Generated/ "
Field
Required
Description
type
Yes
Must be "smb"
host
Yes
SMB server hostname or IP
share
Yes
Share name
username
No
Username
password
No
Password
domain
No
Windows domain
port
No
Port (default: 445)
basePath
No
Base path within share