Crystor

Free · Open source · Local-first · MCP-native

Your AI agents can read
everything on your computer.

Asking it nicely isn't access control.

One agent today, several tomorrow. They read your files, browse the web, and take instructions from strangers' emails. An agent that can read everything can leak anything.

Crystor is an encrypted vault on your computer. Drop your important files in like any folder. From the outside there's only sealed data. Your agent connects to Crystor's MCP server, running locally, instead of touching the filesystem. When it needs something, it asks:

❯ "What did I pay in taxes last year?"

❯ "Find the subletting clause in my lease."

❯ "Pull every receipt from the March trip."

Crystor passes through the pages that answer, nothing more, and writes every access to a log you can read. Sync is optional, free, and rides your own Dropbox, iCloud, or Google Drive, still encrypted, so not even their AI can read it.

brew install crystor
Download View source Free · Open source

A locked vault with a small service window

Today it's all or nothing. Block the AI, or hand it everything (tax returns, medical letters, the note with your passwords) and hope for the best. Agents do get tricked into quietly sending files out, and you'd never know. Crystor replaces the gamble with a window.

1 · THE VAULT

Your files stay locked

The vault lives on your computer, encrypted file by file. Sync through Google Drive, Dropbox, or OneDrive if you like. They store your files without ever being able to read them.

2 · THE WINDOW

Your AI asks at the window

"Find the 2024 tax documents." Crystor finds them on your machine and passes just those pages through, not the folder and not the drive.

3 · THE LOGBOOK

Every peek gets a receipt

A logbook you can read: what was shared, with which AI, when. Grant folders per AI, and shut the window on any AI, any time.

access-log.txt
2026-04-12 14:32:07 claude read 3 paragraphs · 2024-return.pdf scope: taxes/ 2026-04-12 14:32:41 claude read 1 page · lease-agreement-2023.pdf scope: home/ 2026-04-13 09:14:02 openclaw search "insurance renewal date" · 0 files sent 2026-04-13 09:15:19 chatgpt denied scope: medical/ (not granted to this AI)

The vault that's smart but blind

Encrypted files are usually dumb files: no search, no previews, no answers. Crystor puts the intelligence inside the lock, so the vault stays useful and your files never get unlocked anywhere but your device.

Vault · locked storage

Every file is encrypted on your device before it goes anywhere. Your cloud holds sealed blobs it can't read. Open, published format, so no lock-in.

Local index · private search

Search, tagging, and summaries are built on your device, never on a server. That's how an encrypted vault can still answer questions.

Keyhole · one door for every AI

An open standard (MCP), so any assistant or agent can ask. Per-folder, opt-in, revocable, and every access is logged.

Built for people who already gave AI too much

If an agent runs on your machine, or a chatbot reads your folders, you've already felt it.

Local agents: OpenClaw, Hermes, Claude Code

Your agent reads files, runs commands, and takes instructions from the open internet. Between it and everything you own: nothing. Crystor gives it a scoped, logged place to ask. Zero trust, applied to your own agents: nothing is visible by default, and every grant is scoped, logged, and revocable.

Cloud assistants: ChatGPT, Claude

A connector grants a whole source, with no record of what got read. Crystor makes access question-sized: these folders, this AI, a receipt every time.

What Crystor does, and what it doesn't

What it does: encrypts your files at rest, indexes them on your device, and scopes, logs, and lets you revoke every AI's access. The log shows exactly what left the vault, to whom, and when. Now the honest part, what it doesn't do:

  • The keyhole controls what leaves, but it isn't a sandbox. A hostile program already running with your privileges is a problem no vault can solve. What Crystor adds is a narrower opening and a record of what goes through it.
  • Past the door, the provider's rules apply. Once a snippet reaches a third-party model, that provider's retention governs it. The log keeps this honest: you always know exactly what went where.
  • Don't trust us, check. The core is open source (crypto, vault format, index, keyhole) and the format spec is published. Read the code.

Get Crystor

The vault, local search, the keyhole, and sync through your own cloud: all free, open core. Give your AI a keyhole, not your house keys.

~ zsh
$ brew install crystor && crystor init && claude mcp add crystor
brew install crystor

Available for macOS, Windows, and Linux.

No analytics, no phoning home. The website sets no cookies. See the privacy policy, it's short.