Vault
The Vault keeps SSH passwords and private keys encrypted on your machine. Only you hold the passphrase and recovery key — Zync never stores vault secrets on its servers.
Why use the Vault
Without the Vault, connection secrets live in your local Zync data folder. The Vault adds an extra layer: credentials are encrypted at rest with Argon2id key derivation and AEAD record encryption. Hosts reference vault entries by stable identity, so rotating a key does not break your connection list.
- Encrypted at rest — Passwords and keys are not stored in plaintext connection files.
- Recovery key — Generate and store offline before relying on the Vault for production hosts.
- Revision history — Rotated credentials keep prior revisions; restore an older revision from the Vault UI.
- Remember on device — Optional OS keychain cache so you do not re-enter the passphrase every session.
Your data stays local
Set up the Vault
Open Vaults in the primary sidebar. On first use, Zync prompts you to:
- Choose a vault passphrase — use a strong passphrase you can remember.
- Save the recovery key offline — losing both passphrase and recovery key means local vault data cannot be recovered.
- Optionally enable Remember on this device to cache unlock material in the OS keychain.
Shared or untrusted machines
Store credentials in the Vault
When creating or editing a connection, choose to store the password or private key in the Vault instead of inline on the host record. Zync recommends Vault storage for production hosts.
Existing plaintext credentials can be migrated into the Vault during normal connection workflows. After migration, hosts reference the vault entry by durable credentialId — rotating or restoring a credential revision does not require re-linking every host manually.
Google Vault Sync vs Sync & Backup
Zync exposes two related but distinct encrypted-cloud flows:
| Surface | Purpose | Where in the app |
|---|---|---|
| Local Vault | On-device encrypted credential store (passphrase + recovery key) | Vaults sidebar → Local Vault profile |
| Google Vault Sync | Encrypted backup/restore of the vault itself to your Google Drive | Vaults sidebar → Google Vault Sync profile |
| Sync & Backup | Encrypted workspace collections — hosts, tunnels, snippets, settings (and vault snapshots in collections) | Dedicated Sync & Backup sidebar tab |
All three use your Google account when cloud backup is enabled; Zync does not host vault or workspace data. Manual upload/restore today — see Sync & Backup for workspace collections.
Unlock and connect
Vault-backed connections behave differently from plaintext hosts for safety:
- Opening a tab does not auto-connect — you must reconnect explicitly after unlock.
- Connect and test flows prompt for vault unlock instead of failing silently.
- If a second Zync instance is already running with the vault open, another instance shows Vault In Use — focus the existing window rather than creating a duplicate vault.
Troubleshooting
- Forgot passphrase — Use your recovery key to reset access. Without recovery key, vault data cannot be decrypted.
- Vault In Use — Another Zync window holds the vault lock. Switch to that window or quit the other instance.
- Stale credential reference — Zync self-heals missing
credentialIdlinks on load; if a host still fails, re-assign the credential in the connection form. - Need credentials on another machine — Use encrypted Google Drive sync to restore a backup collection — do not copy raw vault files manually unless you know what you are doing.
Architecture and operator details: VAULT.md on GitHub.