Credential Vault
The Credential Vault is a built-in secrets manager for your Auris tenant. It stores passwords, API keys, SSH keys, certificates, database credentials, and other sensitive values under AES-256-GCM field-level encryption. Secrets never leave the server in plaintext — the vault decrypts a credential only when a user explicitly requests it through the Console or API, and every such access is recorded in the audit log.
Access the Vault from the Console sidebar: Vault.
Vault Lock and PIN
Every user in your tenant has their own vault session. The vault starts in a locked state. Before accessing any credentials, the user must unlock it with a numeric PIN.
Setting a PIN
Open PIN settings
Go to Vault and click Set PIN in the top bar (or Vault → Settings → PIN).
Enter a PIN
Enter a PIN between 4 and 8 digits. The PIN is stored as a bcrypt hash — Auris never stores it in plaintext.
Confirm and save
Re-enter the PIN to confirm and click Save PIN. The vault is now protected.
Unlocking the Vault
When you navigate to any Vault page while locked, an unlock dialog appears. Enter your PIN and click Unlock. After five consecutive failed attempts within 15 minutes, the vault enforces a 15-minute lockout — you cannot attempt further unlocks until the lockout expires.
Locking the Vault
Click Lock Vault in the top bar at any time. The vault immediately requires the PIN again before any credential can be accessed or revealed. A PIN must be set before you can lock — calling lock without a PIN returns an error.
Changing the PIN
Go to Vault → Settings → Change PIN. You must supply the current PIN before setting a new one.
If you forget your vault PIN, an administrator can reset the PIN field on your user account from Console → Users → [your user]. This clears the old PIN hash. You will then need to set a new PIN the next time you open the Vault.
Credential Types
The Vault supports the following credential types. Each type stores a different set of secret fields, all encrypted in the same encryptedData blob.
| Type | Stored Secret Fields | Typical Use |
|---|---|---|
| Login | username, password, url | Website logins, application accounts |
| API Key | apiKey | Third-party service API keys, tokens |
| SSH Key | privateKey, username | Server access, Git remotes |
| Certificate | privateKey, data (PEM/DER) | TLS certificates, code signing |
| Wi-Fi | password, data (SSID/security) | Network credentials |
| Database | username, password, url | Database connection strings |
| Server | username, password, url | RDP, SFTP, Bastion hosts |
| Custom | data (free-form JSON) | Any secret not covered by the above types |
In addition to secret fields, every credential has metadata fields that are stored unencrypted for display purposes: name, tags, notes summary, expiry date, and health status.
Creating and Managing Credentials
Creating a Credential
Go to Credentials
In the Vault sidebar, click Credentials and then New Credential.
Choose a type
Select the credential type from the dropdown. The form adjusts to show the relevant secret fields for that type.
Fill in the details
| Field | Required | Description |
|---|---|---|
| Name | Yes | A recognizable label (e.g. “Production DB – main”) |
| Type | Yes | One of the types listed above |
| Folder | No | Place the credential in a folder for organization |
| Tags | No | Comma-separated labels for filtering |
| Notes | No | Free-text notes. Stored encrypted. |
| Expiry | No | Date after which the credential is flagged as expiring |
| Secret fields | Type-dependent | Password, API key, private key, etc. |
Save
Click Save. The credential is encrypted immediately on write.
Editing a Credential
Open any credential from the list and click Edit. Metadata fields (name, tags, notes, expiry, folder) update immediately. Secret fields are only updated when you supply a new non-empty value — leaving a secret field blank during an edit preserves the existing encrypted value without overwriting it.
Revealing a Secret
Click Reveal on any credential to decrypt and display the secret fields. Reveal is rate-limited to 10 requests per minute per session. Every reveal is recorded in the audit log with the user, timestamp, and IP address.
Click Copy to copy the secret value to the clipboard without displaying it on screen. Copy actions are also audit-logged separately from reveals.
Health Status
The Vault continuously evaluates each credential and assigns one of the following health statuses:
| Status | Meaning |
|---|---|
| Strong | Password meets complexity requirements and has not been reused |
| Weak | Password is too short, too simple, or matches common patterns |
| Reused | The same password appears in more than one credential |
| Old | Password has not been changed in more than 90 days |
| Expiring | The credential’s expiry date is approaching |
| Compromised | The password matches a known breach database entry |
The Overview dashboard shows the overall health score for your vault and a breakdown by issue type.
Folder Organization
Folders help organize credentials and define sharing boundaries. Folders can be nested to any depth.
Creating a Folder
Open Folders
Go to Vault → Folders and click New Folder.
Configure the folder
| Field | Required | Description |
|---|---|---|
| Name | Yes | Display name for the folder |
| Parent folder | No | Place inside an existing folder to create a hierarchy |
| Color | No | Accent color for visual identification (hex, e.g. #6366f1) |
| Icon | No | Icon slug for the folder thumbnail |
Save
Click Create Folder.
Moving a Folder
From the folder list, open the folder menu and click Move. Select the target parent folder. Circular moves (moving a folder into one of its own descendants) are rejected.
Deleting a Folder
Deleting a folder cascades to all credentials inside it. A confirmation dialog lists the number of credentials that will be deleted. This action cannot be undone.
Sharing Folders
Folders can be shared with individual team members. Sharing grants access to all credentials currently in the folder and all future credentials added to it.
Permission Levels
| Permission | Can View Metadata | Can Reveal/Copy | Can Create/Edit | Can Share/Move/Delete |
|---|---|---|---|---|
| Viewer | Yes | No | No | No |
| User | Yes | Yes | No | No |
| Contributor | Yes | Yes | Yes | No |
| Admin | Yes | Yes | Yes | Yes |
Sharing a Folder
Open the folder
Go to Vault → Folders, click the folder you want to share, and open the Shares tab.
Add a share
Click Share Folder. In the search box, type the name or email of a team member. Select the user from the results.
Choose a permission level
Select the permission level (Viewer, User, Contributor, or Admin).
Send invitation
Click Share. The recipient receives an in-app notification informing them that a folder has been shared with them.
Updating or Revoking a Share
From the Shares tab on any folder, click the permission badge next to a recipient to change their access level, or click Revoke to remove their access entirely.
Sharing is folder-scoped. Individual credentials cannot be shared without placing them in a folder first. If you need to share a single credential with someone, create a dedicated folder for it.
Device Binding
Device binding lets you associate vault access with specific trusted devices. This is used by the audit system to track which device performed a reveal or copy action, and by vault policies that require device trust before allowing secret access.
Registering a Device
Open Devices
Go to Vault → Devices and click Register Device.
Name the device
Provide a friendly name (e.g. “Work MacBook”) and optionally supply a SHA-256 browser fingerprint hash.
Trust the device
A new device starts in Pending status. Click Trust to mark it as trusted.
Device Statuses
| Status | Meaning |
|---|---|
| Trusted | Device is recognized and may be associated with audit entries |
| Pending | Device has been registered but not yet reviewed by an administrator |
| Revoked | Device has been explicitly distrusted |
Revoking a Device
From Vault → Devices, click Revoke next to any device. Revoked devices cannot be associated with new reveal or copy operations.
Access Requests
When a user needs access to a credential or folder they do not currently have permission to, they can submit an access request.
Submitting a Request
From any credential or folder the user can see but not access, click Request Access. Select the permission level needed and provide a reason. The request is sent to the folder or credential owner for review.
Reviewing Requests (Admins)
Go to Vault → Access Requests. Each pending request shows:
- Who is requesting access
- Which credential or folder
- The permission level requested
- The reason provided
- When the request was submitted
Click Approve to grant the requested permission, or Deny to reject it. In both cases the requester is notified.
Vault Policies
Vault policies let an administrator configure security requirements that apply across all vault operations for the tenant.
Go to Vault → Settings → Policy to configure:
| Setting | Default | Description |
|---|---|---|
| Require device trust | Off | When enabled, credentials can only be revealed from a trusted device |
| Require MFA for reveal | Off | When enabled, users must complete an MFA challenge before any credential is decrypted |
| Max reveals per minute | 10 | Rate limit for reveal and copy operations per user session |
| Password rotation days | 90 | Number of days before a credential is flagged as Old |
| Enforce strong passwords | Off | Rejects weak passwords at creation time |
| Allow export | Off | Controls whether users can export credentials as plaintext (CSV/JSON) |
| Enable breach check | Off | Enables HIBP-style breach database checks for password credentials |
Enabling “Require device trust” will immediately block reveals from any device that is not in Trusted status. Ensure all legitimate devices are trusted before activating this setting to avoid locking team members out of the vault.
Audit Log
Every vault operation is recorded. Go to Vault → Audit Log to browse the history.
Logged Actions
| Action | Triggered By |
|---|---|
CREATE | A credential or folder is created |
UPDATE | Metadata or secret fields are changed |
DELETE | A credential or folder is deleted |
REVEAL | A credential’s secrets are decrypted and shown |
COPY | A credential’s secrets are copied to clipboard |
VIEW | A credential’s metadata page is opened |
SHARE | A folder is shared with a user |
MOVE | A credential or folder is moved |
EXPORT | Credentials are exported |
Audit Entry Fields
Each entry records:
- Action — One of the actions above
- Resource — The name and ID of the affected credential or folder
- User — Who performed the action (name denormalized at time of action)
- Timestamp — Precise date and time
- IP Address — Source IP of the request
- Device — If a trusted device was associated with the action
- Risk Score — A 0–100 score computed from contextual signals
Filtering the Audit Log
Use the search bar and action filter to narrow down entries. The default view shows all actions for all users. Entries cannot be deleted or modified — the audit log is append-only.
Overview Dashboard
Go to Vault (the root page) for the vault overview:
- Total credentials — How many credentials are stored
- Total folders — Including shared and personal folders
- Shared folders — Folders with at least one active share
- Trusted devices — Count of devices in Trusted status
- Health score — Percentage of credentials in Strong health (0–100)
- Health breakdown — Count of Weak, Reused, Old, Expiring, and Compromised credentials
- Credentials by type — Distribution chart across all credential types
- Recent activity — The last 10 audit entries across all users in the tenant
Console Navigation
The Vault is organized into the following sections in the Console sidebar:
| Section | Path | Purpose |
|---|---|---|
| Overview | Vault | Health dashboard and recent activity |
| Credentials | Vault → Credentials | Create, search, reveal, and manage credentials |
| Folders | Vault → Folders | Organize credentials and configure sharing |
| Devices | Vault → Devices | Register and manage trusted devices |
| Audit Log | Vault → Audit Log | Paginated history of all vault operations |
| Settings | Vault → Settings | PIN management and vault policy |
Related
- Vault API — REST API reference for programmatic vault access
- Security Settings — Tenant-wide security controls including brute-force protection and MFA
- Users & Roles — Manage the team members who can be granted vault folder shares