Team vaults¶
Screenshot placeholder — team vault in the sidebar.
A shared encrypted store. Each member has their own copy of the vault key, wrapped under their public key — the server only relays ciphertext.
Creating¶
Settings → Vaults → + New team vault (Teams plan or higher).
- Pick a name (e.g.
ops,support). - The vault is created server-side and a vault key is generated locally.
- Invite members — see Members. Their copy is wrapped under their public key at invite-time.
What's in a team vault¶
Same as a personal vault — hosts, identities, keys, snippets, folders, tags — visible to every member with read access.
Permission model¶
Per-vault role per member. See Roles.
Leaving / removing¶
Removing a member revokes their copy of the vault key. Any data they already saw locally is, of course, already saw — rotate any secrets on real systems after a member leaves.
Rotation after offboarding
The vault key is unchanged on removal. For high-sensitivity vaults, follow up with Settings → Vault → Rotate key to re-encrypt under a fresh key. All remaining members get a re-wrapped copy automatically.