Skip to Content
Admin ConsoleCredential Vault

Credential Vault

The Credential Vault is a built-in secrets manager for your Auris tenant. It stores passwords, API keys, SSH keys, certificates, database credentials, and other sensitive values under AES-256-GCM field-level encryption. Secrets never leave the server in plaintext — the vault decrypts a credential only when a user explicitly requests it through the Console or API, and every such access is recorded in the audit log.

Access the Vault from the Console sidebar: Vault.


Vault Lock and PIN

Every user in your tenant has their own vault session. The vault starts in a locked state. Before accessing any credentials, the user must unlock it with a numeric PIN.

Setting a PIN

Open PIN settings

Go to Vault and click Set PIN in the top bar (or VaultSettingsPIN).

Enter a PIN

Enter a PIN between 4 and 8 digits. The PIN is stored as a bcrypt hash — Auris never stores it in plaintext.

Confirm and save

Re-enter the PIN to confirm and click Save PIN. The vault is now protected.

Unlocking the Vault

When you navigate to any Vault page while locked, an unlock dialog appears. Enter your PIN and click Unlock. After five consecutive failed attempts within 15 minutes, the vault enforces a 15-minute lockout — you cannot attempt further unlocks until the lockout expires.

Locking the Vault

Click Lock Vault in the top bar at any time. The vault immediately requires the PIN again before any credential can be accessed or revealed. A PIN must be set before you can lock — calling lock without a PIN returns an error.

Changing the PIN

Go to VaultSettingsChange PIN. You must supply the current PIN before setting a new one.

If you forget your vault PIN, an administrator can reset the PIN field on your user account from ConsoleUsers[your user]. This clears the old PIN hash. You will then need to set a new PIN the next time you open the Vault.


Credential Types

The Vault supports the following credential types. Each type stores a different set of secret fields, all encrypted in the same encryptedData blob.

TypeStored Secret FieldsTypical Use
Loginusername, password, urlWebsite logins, application accounts
API KeyapiKeyThird-party service API keys, tokens
SSH KeyprivateKey, usernameServer access, Git remotes
CertificateprivateKey, data (PEM/DER)TLS certificates, code signing
Wi-Fipassword, data (SSID/security)Network credentials
Databaseusername, password, urlDatabase connection strings
Serverusername, password, urlRDP, SFTP, Bastion hosts
Customdata (free-form JSON)Any secret not covered by the above types

In addition to secret fields, every credential has metadata fields that are stored unencrypted for display purposes: name, tags, notes summary, expiry date, and health status.


Creating and Managing Credentials

Creating a Credential

Go to Credentials

In the Vault sidebar, click Credentials and then New Credential.

Choose a type

Select the credential type from the dropdown. The form adjusts to show the relevant secret fields for that type.

Fill in the details

FieldRequiredDescription
NameYesA recognizable label (e.g. “Production DB – main”)
TypeYesOne of the types listed above
FolderNoPlace the credential in a folder for organization
TagsNoComma-separated labels for filtering
NotesNoFree-text notes. Stored encrypted.
ExpiryNoDate after which the credential is flagged as expiring
Secret fieldsType-dependentPassword, API key, private key, etc.

Save

Click Save. The credential is encrypted immediately on write.

Editing a Credential

Open any credential from the list and click Edit. Metadata fields (name, tags, notes, expiry, folder) update immediately. Secret fields are only updated when you supply a new non-empty value — leaving a secret field blank during an edit preserves the existing encrypted value without overwriting it.

Revealing a Secret

Click Reveal on any credential to decrypt and display the secret fields. Reveal is rate-limited to 10 requests per minute per session. Every reveal is recorded in the audit log with the user, timestamp, and IP address.

Click Copy to copy the secret value to the clipboard without displaying it on screen. Copy actions are also audit-logged separately from reveals.

Health Status

The Vault continuously evaluates each credential and assigns one of the following health statuses:

StatusMeaning
StrongPassword meets complexity requirements and has not been reused
WeakPassword is too short, too simple, or matches common patterns
ReusedThe same password appears in more than one credential
OldPassword has not been changed in more than 90 days
ExpiringThe credential’s expiry date is approaching
CompromisedThe password matches a known breach database entry

The Overview dashboard shows the overall health score for your vault and a breakdown by issue type.


Folder Organization

Folders help organize credentials and define sharing boundaries. Folders can be nested to any depth.

Creating a Folder

Open Folders

Go to VaultFolders and click New Folder.

Configure the folder

FieldRequiredDescription
NameYesDisplay name for the folder
Parent folderNoPlace inside an existing folder to create a hierarchy
ColorNoAccent color for visual identification (hex, e.g. #6366f1)
IconNoIcon slug for the folder thumbnail

Save

Click Create Folder.

Moving a Folder

From the folder list, open the folder menu and click Move. Select the target parent folder. Circular moves (moving a folder into one of its own descendants) are rejected.

Deleting a Folder

Deleting a folder cascades to all credentials inside it. A confirmation dialog lists the number of credentials that will be deleted. This action cannot be undone.


Sharing Folders

Folders can be shared with individual team members. Sharing grants access to all credentials currently in the folder and all future credentials added to it.

Permission Levels

PermissionCan View MetadataCan Reveal/CopyCan Create/EditCan Share/Move/Delete
ViewerYesNoNoNo
UserYesYesNoNo
ContributorYesYesYesNo
AdminYesYesYesYes

Sharing a Folder

Open the folder

Go to VaultFolders, click the folder you want to share, and open the Shares tab.

Add a share

Click Share Folder. In the search box, type the name or email of a team member. Select the user from the results.

Choose a permission level

Select the permission level (Viewer, User, Contributor, or Admin).

Send invitation

Click Share. The recipient receives an in-app notification informing them that a folder has been shared with them.

Updating or Revoking a Share

From the Shares tab on any folder, click the permission badge next to a recipient to change their access level, or click Revoke to remove their access entirely.

Sharing is folder-scoped. Individual credentials cannot be shared without placing them in a folder first. If you need to share a single credential with someone, create a dedicated folder for it.


Device Binding

Device binding lets you associate vault access with specific trusted devices. This is used by the audit system to track which device performed a reveal or copy action, and by vault policies that require device trust before allowing secret access.

Registering a Device

Open Devices

Go to VaultDevices and click Register Device.

Name the device

Provide a friendly name (e.g. “Work MacBook”) and optionally supply a SHA-256 browser fingerprint hash.

Trust the device

A new device starts in Pending status. Click Trust to mark it as trusted.

Device Statuses

StatusMeaning
TrustedDevice is recognized and may be associated with audit entries
PendingDevice has been registered but not yet reviewed by an administrator
RevokedDevice has been explicitly distrusted

Revoking a Device

From VaultDevices, click Revoke next to any device. Revoked devices cannot be associated with new reveal or copy operations.


Access Requests

When a user needs access to a credential or folder they do not currently have permission to, they can submit an access request.

Submitting a Request

From any credential or folder the user can see but not access, click Request Access. Select the permission level needed and provide a reason. The request is sent to the folder or credential owner for review.

Reviewing Requests (Admins)

Go to VaultAccess Requests. Each pending request shows:

  • Who is requesting access
  • Which credential or folder
  • The permission level requested
  • The reason provided
  • When the request was submitted

Click Approve to grant the requested permission, or Deny to reject it. In both cases the requester is notified.


Vault Policies

Vault policies let an administrator configure security requirements that apply across all vault operations for the tenant.

Go to VaultSettingsPolicy to configure:

SettingDefaultDescription
Require device trustOffWhen enabled, credentials can only be revealed from a trusted device
Require MFA for revealOffWhen enabled, users must complete an MFA challenge before any credential is decrypted
Max reveals per minute10Rate limit for reveal and copy operations per user session
Password rotation days90Number of days before a credential is flagged as Old
Enforce strong passwordsOffRejects weak passwords at creation time
Allow exportOffControls whether users can export credentials as plaintext (CSV/JSON)
Enable breach checkOffEnables HIBP-style breach database checks for password credentials

Enabling “Require device trust” will immediately block reveals from any device that is not in Trusted status. Ensure all legitimate devices are trusted before activating this setting to avoid locking team members out of the vault.


Audit Log

Every vault operation is recorded. Go to VaultAudit Log to browse the history.

Logged Actions

ActionTriggered By
CREATEA credential or folder is created
UPDATEMetadata or secret fields are changed
DELETEA credential or folder is deleted
REVEALA credential’s secrets are decrypted and shown
COPYA credential’s secrets are copied to clipboard
VIEWA credential’s metadata page is opened
SHAREA folder is shared with a user
MOVEA credential or folder is moved
EXPORTCredentials are exported

Audit Entry Fields

Each entry records:

  • Action — One of the actions above
  • Resource — The name and ID of the affected credential or folder
  • User — Who performed the action (name denormalized at time of action)
  • Timestamp — Precise date and time
  • IP Address — Source IP of the request
  • Device — If a trusted device was associated with the action
  • Risk Score — A 0–100 score computed from contextual signals

Filtering the Audit Log

Use the search bar and action filter to narrow down entries. The default view shows all actions for all users. Entries cannot be deleted or modified — the audit log is append-only.


Overview Dashboard

Go to Vault (the root page) for the vault overview:

  • Total credentials — How many credentials are stored
  • Total folders — Including shared and personal folders
  • Shared folders — Folders with at least one active share
  • Trusted devices — Count of devices in Trusted status
  • Health score — Percentage of credentials in Strong health (0–100)
  • Health breakdown — Count of Weak, Reused, Old, Expiring, and Compromised credentials
  • Credentials by type — Distribution chart across all credential types
  • Recent activity — The last 10 audit entries across all users in the tenant

Console Navigation

The Vault is organized into the following sections in the Console sidebar:

SectionPathPurpose
OverviewVaultHealth dashboard and recent activity
CredentialsVault → CredentialsCreate, search, reveal, and manage credentials
FoldersVault → FoldersOrganize credentials and configure sharing
DevicesVault → DevicesRegister and manage trusted devices
Audit LogVault → Audit LogPaginated history of all vault operations
SettingsVault → SettingsPIN management and vault policy

  • Vault API — REST API reference for programmatic vault access
  • Security Settings — Tenant-wide security controls including brute-force protection and MFA
  • Users & Roles — Manage the team members who can be granted vault folder shares