CastFork
Free tool

Stream Key Vault

Paste your stream keys, lock them with a passphrase, and download an encrypted file you control. Everything happens client-side — nothing is ever sent to a server.

No signupClient-side onlyFree

Everything happens in your browser. Your keys and passphrase are encrypted with AES-256-GCM locally and never sent to CastFork or anyone else. If you lose the passphrase, the vault file can’t be recovered — there’s no server-side copy to fall back on.

Paste anything — one key per line works well.

How the encryption works

The privacy guarantee, in detail

AES-256-GCM via your browser's built-in Web Crypto API, with the encryption key derived from your passphrase using PBKDF2-SHA256 at 210,000 iterations and a fresh random salt every time you lock a vault. This runs entirely in JavaScript already loaded in your browser — no server call is made.

No. The plaintext, the derived key, and the passphrase all stay in your browser's memory for the duration of the encrypt/decrypt operation and are discarded when you close or navigate away from the page.

There's no way to recover it. Nothing about your passphrase is stored anywhere, by design — that's what makes the encryption meaningful. Keep it somewhere safe, like a password manager.

A small JSON document: a version number, the random salt and initialization vector used for that specific encryption, and the ciphertext. Without your exact passphrase, the salt and IV alone aren't enough to recover anything.

Once you're ready, add your channels for real

CastFork encrypts every saved channel's credentials at rest on the server too — this tool is for keys you want to keep offline.