Vaults
A vault is an encrypted container that holds a collection of secrets. Every secret in CloudKeep lives inside exactly one vault, and each vault is encrypted under its own vault key. A compromised vault key therefore exposes only that vault's contents, not those of any other vault.
What Are Vaults?
Think of vaults as secure folders. You might create one vault for personal passwords, another for your startup's production infrastructure, and a third shared with your DevOps team. Each vault is independently encrypted and can have its own set of members and permissions.
Personal vs Shared Vaults
| Feature | Personal Vault | Shared Vault |
|---|---|---|
| Owner | You | Organisation or group |
| Members | Only you | Multiple team members |
| Encryption | Derived from your master key | Shared vault key distributed via public-key encryption |
| Use case | Individual credentials | Team secrets, service accounts, shared infrastructure |
Creating a Vault
1. Open Vaults. Navigate to the Vaults page in the sidebar.
2. New Vault. Click New Vault.
3. Name and describe. Enter a descriptive name (e.g., "AWS Production") and an optional description.
4. Customise appearance. Choose an icon and colour for quick visual identification.
5. Create. Click Create. The vault key is generated in your browser and encrypted with your master key before being sent to the server; the server never receives the unencrypted vault key.
Editing a Vault
Open a vault and click the Settings icon (gear) to change its name, description, icon, or colour. These metadata fields are not encrypted; only the secrets inside the vault are encrypted. Because the server can read the name and description, do not put anything sensitive (hostnames you consider confidential, account numbers, hints about credentials) in them.
Deleting a Vault
Deleting a vault permanently removes it and all secrets it contains. This action cannot be undone. To delete:
- Open vault settings.
- Scroll to the Danger Zone.
- Type the vault name to confirm, then click Delete Vault.
If you want to keep the secrets, move them to another vault before deleting.
Vault Permissions
Shared vaults support four permission levels. Permissions are enforced server-side: the API rejects any request that a member's role does not allow, so a modified or malicious client cannot escalate its own role. Note that every role includes View Secrets, so every member holds a copy of the vault key; the only way to take access away is to remove the member, which triggers a key rotation.
| Role | View Secrets | Add/Edit Secrets | Manage Members | Delete Vault |
|---|---|---|---|---|
| Read | Yes | No | No | No |
| Write | Yes | Yes | No | No |
| Admin | Yes | Yes | Yes | No |
| Owner | Yes | Yes | Yes | Yes |
Managing Vault Members
Admins and owners can invite other CloudKeep users to a shared vault:
1. Open Members. Open the vault and go to Members.
2. Invite. Click Invite Member and enter the user's email.
3. Set permissions. Select a permission level (Read, Write, or Admin).
4. Key exchange. The invited user's public key is fetched automatically, and the vault key is encrypted for their key pair and stored on the server. Only the invitee's private key can unwrap that copy.

You can change a member's role or remove them at any time. When a member is removed, the vault key is rotated automatically so that the removed member cannot decrypt secrets added after their removal. Rotation does not protect what they already had: assume the removed member knows every secret they could view while they were a member, and rotate the underlying credentials (API keys, database passwords, service-account tokens) themselves when someone with access leaves.
Best Practices
- Separate by environment — keep production, staging, and development secrets in different vaults.
- Least privilege — grant only the minimum permission level each member needs.
- Use descriptive names — "AWS Production" is more useful than "Vault 3".
- Review members regularly — remove people who no longer need access.
- Avoid mega-vaults — splitting secrets across focused vaults limits the blast radius of a compromised vault key, and keeps each vault's member list small enough to review.