ShellYard

Shared credentials

Team and Enterprise add SHAREDCRED (Space-wide shared credentials) and GROUPKEY (narrowed to a group within a Space), both under a per-Space customer-managed CMK. One-click CMK rotation re-encrypts every shared credential. Enterprise crypto is identical to Team.

Caveat

Team and Enterprise feature. Free and Pro have a Personal vault only — there's no Shared Space to share into.

This page covers sharing a credential into a Shared Space without re-encrypting it per member.

Why this exists

A personal vault is easy — your credentials are encrypted under a key only you can decrypt. The hard part is sharing: when five engineers need to use the same vault entry for acme-prod-postgres, you don’t want to encrypt the same secret five different ways.

ShellYard’s answer: encrypt shared credentials under the Space’s CMK, gate KMS Decrypt permissions on Space membership, and let AWS enforce who can read what.

SHAREDCRED — Space-wide sharing

Mark a credential as shared into a Space:

  1. Right-click → Share into Space → pick the target Space
  2. ShellYard re-encrypts the credential under the Space’s CMK and writes a SHAREDCRED row
  3. Every member of that Space can now kms:Decrypt and read the secret
  4. Adding a new Space member: they get access automatically on next login
  5. Removing a member: KMS revokes their Decrypt permission within seconds

The credential’s metadata (host, port, type, notes, tags) is searchable to every member; the secret payload only decrypts for current members.

GROUPKEY — narrower than Space-wide

Sometimes you need to share with a subset of a Space — the network-ops group within a 30-person MSP Space, for example. GROUPKEY narrows SHAREDCRED to a Group:

  1. Create a Group inside the Space (Space settings → Groups → New)
  2. Assign members
  3. Share a credential with Share into Group instead of Share into Space
  4. Only Group members can decrypt — other Space members see the credential’s metadata but cannot read the secret

Groups can have their own folder ACLs (read / write / admin), so a credential shared with the network-ops group can have read-only access for one sub-group and read-write for another.

CMK rotation

Space settings → Rotate CMK — generates a new key version and re-encrypts every SHAREDCRED in the Space under the new version. One click, no downtime, no per-credential dialog.

Useful for periodic rotation (compliance), or as part of offboarding when a former member’s KMS audit access needs to be invalidated.

Move semantics

A credential lives in exactly one (Space, optional Group) at a time. Moving a credential between Spaces or between Groups re-encrypts the row under the destination’s keys and wipes the source. There is no “share = copy” — the source row no longer exists after a move. The audit log captures vault.shared.move-in, vault.shared.move-out, and vault.shared.move-space with the prior and current scope.
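To make the SHAREDCRED / GROUPKEY gate, CMK rotation and move semantics described above concrete, here is an added illustrative model (written for this page, not ShellYard code). It assumes a toy SHA-256 keystream in place of KMS, treats "current Space membership" as the kms:Decrypt gate, and assumes an audit-event mapping (cross-Space moves log move-space, Group moves log move-out and move-in) that the page does not spell out.

```python
# Illustrative model of ShellYard's sharing semantics; assumptions are marked, not ShellYard code.
import hashlib, secrets
from collections import namedtuple

def toy_cipher(key, nonce, data):
    # Toy SHA-256 counter keystream standing in for KMS, so re-encryption is observable. Not for real secrets.
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

# One row lives in exactly one (Space, optional Group) scope; group=None is SHAREDCRED, else GROUPKEY.
Row = namedtuple("Row", "space group key_version nonce blob")

class Vault:
    def __init__(self):
        self.spaces, self.rows, self.audit = {}, {}, []

    def add_space(self, name, members, groups=None):
        self.spaces[name] = {"members": set(members), "groups": groups or {},
                             "keys": [secrets.token_bytes(32)]}  # keys[-1] = current CMK version

    def _seal(self, space, group, secret):
        keys, nonce = self.spaces[space]["keys"], secrets.token_bytes(16)
        return Row(space, group, len(keys) - 1, nonce, toy_cipher(keys[-1], nonce, secret))

    def _open(self, row):  # service-side decrypt with no membership gate (used by rotate and move)
        return toy_cipher(self.spaces[row.space]["keys"][row.key_version], row.nonce, row.blob)

    def share(self, cred_id, secret, space, group=None):
        self.rows[cred_id] = self._seal(space, group, secret)

    def decrypt(self, user, cred_id):
        row = self.rows[cred_id]
        sp = self.spaces[row.space]
        # kms:Decrypt is gated on *current* Space membership; a GROUPKEY row narrows it to the Group
        if user not in sp["members"] or (row.group and user not in sp["groups"].get(row.group, ())):
            raise PermissionError(f"{user} cannot decrypt {cred_id}")
        return self._open(row)

    def rotate_cmk(self, space):
        self.spaces[space]["keys"].append(secrets.token_bytes(32))  # new key version ...
        for cid, row in self.rows.items():                            # ... then re-seal every row
            if row.space == space:
                self.rows[cid] = self._seal(space, row.group, self._open(row))

    def move(self, cred_id, space, group=None):
        old = self.rows[cred_id]
        self.rows[cred_id] = self._seal(space, group, self._open(old))  # source row is replaced, never copied
        # Assumed event mapping: Space change -> move-space; Group change -> move-out then move-in
        events = ["vault.shared.move-space"] if space != old.space else ["vault.shared.move-out", "vault.shared.move-in"]
        self.audit += [(e, (old.space, old.group), (space, group)) for e in events]
```

Removing a user from a Space's member set denies their next decrypt immediately, and a rotate leaves every row readable by current members under the new key version only.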

Tier behavior

  • Free / Pro — Personal vault only; there is no Shared Space to share into. Pro syncs the Personal vault cross-machine; Free is device-local.
  • Team — SHAREDCRED + GROUPKEY with per-Space customer-managed CMK and the Group-DEK gate. Cryptographic erasure on Space offboarding via kms:ScheduleKeyDeletion.
  • Enterprise — Identical crypto to Team. Adds per-Space audit-log filtering and export, larger document / Space byte caps, unlimited version retention, and custom annual contracts.

See also