Credentials and the vault
Your cloud credentials live in a passphrase-sealed vault on your machine. The canvas talks to your clouds directly using them. This guide covers the everyday tasks: unlocking the vault, adding and viewing credentials, and rotating them.
For the security model behind all of this, see Security and the vault.
The vault and the keystore
Section titled “The vault and the keystore”Two pieces matter to you, even if you never see them:
The vault is your passphrase-sealed key identity. It owns the RSA keypair used to encrypt and decrypt credentials. It has three states: uninitialized, locked, and unlocked.
The keystore is where encrypted credential blobs live at rest on disk.
You create the vault once. After that, you unlock it with your passphrase each time you launch the app.
stateDiagram-v2
[*] --> Uninitialized
Uninitialized --> Locked: Create vault (set passphrase)
Locked --> Unlocked: Unlock (enter passphrase)
Unlocked --> Locked: Lock or close app
Locked --> [*]
Unlock the vault
Section titled “Unlock the vault”On launch, if the vault is locked, the unlock screen blocks the rest of the app until you enter your passphrase. Once unlocked, the private key lives in memory until you lock the vault or close the app.
The vault status control in the top bar shows the lock state and lets you lock the vault on demand. Locking it clears the private key from memory.
Add a credential
Section titled “Add a credential”Use the connections surface to add a provider credential. Saving a credential encrypts it with the vault’s public key and stores the encrypted blob in the keystore. The plaintext credential is never written to disk.
See Connect a provider for the per-provider steps.
View saved credentials
Section titled “View saved credentials”The connections list shows the providers you have saved credentials for. The plaintext of a credential is not held in the UI; it is decrypted on demand when a provider call needs it.
Rotate a credential
Section titled “Rotate a credential”To rotate a credential, add the new one and delete the old one.
- Save the new credential for the same provider.
- Delete the old credential from the connections list.
- The next Plan and Apply uses the new credential.
You do not need to re-lock or recreate the vault to rotate a credential. The vault guards the key that encrypts credentials, not the credentials themselves.
Change your passphrase
Section titled “Change your passphrase”What is gated by the vault
Section titled “What is gated by the vault”While the vault is locked, you can save a credential, but you cannot:
- Run Plan or Apply. Both need to read your live infrastructure, which requires the private key.
- Make catalog calls that need authenticated access.
- Open a project canvas that needs to fetch live state.
Unlocking the vault re-enables all of these.
- Security and the vault for envelope encryption and why keys never leave the machine.
- Connect a provider for the new-user walkthrough.
- Organizations and projects for where projects come from.