Skip to content

Credentials and the vault

Your cloud credentials live in a passphrase-sealed vault on your machine. The canvas talks to your clouds directly using them. This guide covers the everyday tasks: unlocking the vault, adding and viewing credentials, and rotating them.

For the security model behind all of this, see Security and the vault.

Two pieces matter to you, even if you never see them:

The vault is your passphrase-sealed key identity. It owns the RSA keypair used to encrypt and decrypt credentials. It has three states: uninitialized, locked, and unlocked.

The keystore is where encrypted credential blobs live at rest on disk.

You create the vault once. After that, you unlock it with your passphrase each time you launch the app.

stateDiagram-v2
    [*] --> Uninitialized
    Uninitialized --> Locked: Create vault (set passphrase)
    Locked --> Unlocked: Unlock (enter passphrase)
    Unlocked --> Locked: Lock or close app
    Locked --> [*]

On launch, if the vault is locked, the unlock screen blocks the rest of the app until you enter your passphrase. Once unlocked, the private key lives in memory until you lock the vault or close the app.

The vault status control in the top bar shows the lock state and lets you lock the vault on demand. Locking it clears the private key from memory.

Use the connections surface to add a provider credential. Saving a credential encrypts it with the vault’s public key and stores the encrypted blob in the keystore. The plaintext credential is never written to disk.

See Connect a provider for the per-provider steps.

The connections list shows the providers you have saved credentials for. The plaintext of a credential is not held in the UI; it is decrypted on demand when a provider call needs it.

To rotate a credential, add the new one and delete the old one.

  1. Save the new credential for the same provider.
  2. Delete the old credential from the connections list.
  3. The next Plan and Apply uses the new credential.

You do not need to re-lock or recreate the vault to rotate a credential. The vault guards the key that encrypts credentials, not the credentials themselves.

While the vault is locked, you can save a credential, but you cannot:

  • Run Plan or Apply. Both need to read your live infrastructure, which requires the private key.
  • Make catalog calls that need authenticated access.
  • Open a project canvas that needs to fetch live state.

Unlocking the vault re-enables all of these.