Team vault — age-encrypted shared secret store for multi-user environments.
Team vaults use X25519 age encryption: the vault is encrypted to every team member’s public key, so each member can decrypt the shared vault independently with their own age identity. Membership and key rotation are tracked in the vault’s metadata.
Functions
- add_member - Add a recipient to a team vault. Re-wraps the DEK for all recipients (including the new one).
- add_member_with_access_profile - Add a recipient to a team vault under an explicit access profile.
- create_team_vault - Create a new team vault file encrypted to the given age recipient public keys. Returns the VaultFile and the randomly generated DEK (for the caller to use).
- create_team_vault_with_access_profile - Create a new team vault file with an explicit access profile.
- is_team_vault - Check if a vault is a team vault (has age recipients).
- members - List the current team members (recipient public keys).
- remove_member - Remove a recipient and re-key the vault (generate new DEK, re-encrypt all secrets). The removed member could have cached the old DEK, so all secrets must be re-encrypted.
- remove_member_with_access_profile - Remove a recipient and re-key the vault under an explicit access profile.
- unwrap_dek - Open a team vault by unwrapping the DEK with an age identity.