Vault

The Vault keeps SSH passwords and private keys encrypted on your machine. Only you hold the passphrase and recovery key — Zync never stores vault secrets on its servers.

Why use the Vault

Without the Vault, connection secrets live in your local Zync data folder. The Vault adds an extra layer: credentials are encrypted at rest with Argon2id key derivation and AEAD record encryption. Hosts reference vault entries by stable identity, so rotating a key does not break your connection list.

  • Encrypted at rest — Passwords and keys are not stored in plaintext connection files.
  • Recovery key — Generate and store offline before relying on the Vault for production hosts.
  • Revision history — Rotated credentials keep prior revisions; restore an older revision from the Vault UI.
  • Remember on device — Optional OS keychain cache so you do not re-enter the passphrase every session.

Your data stays local

Zync is a desktop app, not a hosted SSH service. Vault data lives on your machine unless you explicitly enable encrypted sync to your own Google Drive. See Sync & Backup.

Set up the Vault

Open Vaults in the primary sidebar. On first use, Zync prompts you to:

  1. Choose a vault passphrase — use a strong passphrase you can remember.
  2. Save the recovery key offline — losing both passphrase and recovery key means local vault data cannot be recovered.
  3. Optionally enable Remember on this device to cache unlock material in the OS keychain.

Shared or untrusted machines

Do not enable remember-on-device on shared computers. Anyone with access to your unlocked OS session may connect to vault-backed hosts without re-entering the passphrase until cache expiry or Forget device.

Store credentials in the Vault

When creating or editing a connection, choose to store the password or private key in the Vault instead of inline on the host record. Zync recommends Vault storage for production hosts.

Existing plaintext credentials can be migrated into the Vault during normal connection workflows. After migration, hosts reference the vault entry by durable credentialId — rotating or restoring a credential revision does not require re-linking every host manually.

Google Vault Sync vs Sync & Backup

Zync exposes two related but distinct encrypted-cloud flows:

SurfacePurposeWhere in the app
Local VaultOn-device encrypted credential store (passphrase + recovery key)Vaults sidebar → Local Vault profile
Google Vault SyncEncrypted backup/restore of the vault itself to your Google DriveVaults sidebar → Google Vault Sync profile
Sync & BackupEncrypted workspace collections — hosts, tunnels, snippets, settings (and vault snapshots in collections)Dedicated Sync & Backup sidebar tab

All three use your Google account when cloud backup is enabled; Zync does not host vault or workspace data. Manual upload/restore today — see Sync & Backup for workspace collections.

Unlock and connect

Vault-backed connections behave differently from plaintext hosts for safety:

  • Opening a tab does not auto-connect — you must reconnect explicitly after unlock.
  • Connect and test flows prompt for vault unlock instead of failing silently.
  • If a second Zync instance is already running with the vault open, another instance shows Vault In Use — focus the existing window rather than creating a duplicate vault.

Troubleshooting

  • Forgot passphrase — Use your recovery key to reset access. Without recovery key, vault data cannot be decrypted.
  • Vault In Use — Another Zync window holds the vault lock. Switch to that window or quit the other instance.
  • Stale credential reference — Zync self-heals missing credentialId links on load; if a host still fails, re-assign the credential in the connection form.
  • Need credentials on another machine — Use encrypted Google Drive sync to restore a backup collection — do not copy raw vault files manually unless you know what you are doing.

Architecture and operator details: VAULT.md on GitHub.