cryptoseed-mcp
MCP server for CryptoSeed encryption. Gives any MCP-compatible AI agent the ability to encrypt and decrypt text and files using ChaCha20-Poly1305 (symmetric) and X25519+HKDF (asymmetric).
Keys are stored in the macOS Keychain — never on disk in plain text.
Encrypted .seed files are fully compatible with the CryptoSeed iOS app.
Setup
1. Add to Claude Desktop
Edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"cryptoseed": {
"command": "npx",
"args": ["-y", "cryptoseed-mcp"]
}
}
}
Restart Claude Desktop. The 11 CryptoSeed tools will appear automatically.
2. Or run directly
npx cryptoseed-mcp
Tools
Key management (symmetric)
| Tool | Description |
|---|---|
key_new | Generate a 256-bit key, save to Keychain |
key_list | List saved key aliases |
Identity management (asymmetric)
| Tool | Description |
|---|---|
identity_new | Generate an X25519 keypair, save private key to Keychain |
identity_pubkey | Print public key as base64 (share with senders) |
identity_list | List saved identity aliases |
Encrypt
| Tool | Description |
|---|---|
encrypt_text | Encrypt text with a symmetric key → base64 |
encrypt_file | Encrypt a file → .seed file (CryptoSeed-compatible) |
encrypt_asym | Encrypt a message to a recipient's public key → base64 blob |
Decrypt
| Tool | Description |
|---|---|
decrypt_text | Decrypt base64 ciphertext with a symmetric key |
decrypt_file | Decrypt a .seed file, restore original |
decrypt_asym | Decrypt a message encrypted to your identity |
Agent-to-agent encrypted messaging
This is where it gets interesting. Each agent can have its own identity:
Agent A creates identity: identity_new "agent_a"
Agent A shares pubkey: identity_pubkey "agent_a" → <pubkey_b64>
Agent B encrypts to A: encrypt_asym "<pubkey_b64>" "secret payload" → <blob>
Agent A decrypts: decrypt_asym "agent_a" "<blob>" → "secret payload"
Only Agent A's private key (in its Keychain) can decrypt. The blob can travel through any channel — email, Slack, GitHub, another AI tool — without being readable.
File format compatibility
.seed files produced by this MCP server use the exact same binary format as:
- CryptoSeed iOS app
cryptoseedmacOS CLI
This means a file encrypted here can be decrypted in the iOS app (after importing the key) and vice versa.
Key transfer between tools
This MCP server and the cryptoseed CLI use separate Keychain entries (to avoid binary format conflicts). To use a key from the CLI in the MCP server, use the CLI's export/import commands:
cryptoseed key export mykey # → recovery envelope (base64)
# then in Claude: import the envelope via key_new or a future key_import tool
Requirements
- macOS (Keychain)
- Node.js >= 18