ShellYard
Last reviewed against v0.9.0 source: internal/vault/local, internal/vault/awskms, internal/kmsadmin/

Vault storage by tier

Free uses the OS keychain. Pro and Team use AWS-managed KMS-wrapped DynamoDB. Enterprise uses per-Space customer-managed KMS keys.

The vault has different storage and key models depending on the plan.

Free

Secrets are stored in the OS keychain (macOS Keychain, Windows Credential Manager, libsecret on Linux) and never leave the device.

Pro / Team

Cloud KMS-wrapped DynamoDB:

  • Each credential is envelope-encrypted with an AWS-managed CMK in ShellYard’s account
  • Ciphertext is stored in DynamoDB (DDB)
  • Decryption happens on the client after a kms:Decrypt call

This tier supports cross-device sync. Keys at this tier are ShellYard-managed.

Enterprise

Per-Space customer-managed CMK:

  • Each Space gets its own KMS key (provisioned via App.SpaceProvisionKMS)
  • Disabling one customer’s key cryptographically erases just their data
  • See Cryptographic erasure
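
A small Go model of the envelope scheme and per-Space key erasure described above, added here as an illustration and not ShellYard's own code. The `KMS` type is an in-memory stand-in for a real KMS, and `Store`, `Load`, the Space names and the keys are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS is a constructed in-memory stand-in for a real KMS: one AES-256 key per Space.
type KMS struct{ keys map[string][]byte; disabled map[string]bool }

func gcm(key []byte) cipher.AEAD { // every key in this example is 32 bytes
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g
}

func seal(key, pt []byte) []byte { // AES-256-GCM, random 12-byte nonce prepended
	n := make([]byte, 12)
	rand.Read(n)
	return gcm(key).Seal(n, n, pt, nil)
}

// Store envelope-encrypts secret; the two outputs are all the cloud table holds.
func Store(k *KMS, space string, secret []byte) (wrapped, ct []byte) {
	dk := make([]byte, 32) // fresh data key per credential
	rand.Read(dk)
	return seal(k.keys[space], dk), seal(dk, secret)
}

// Load unwraps the data key (the KMS step), then decrypts a Store blob client-side.
func Load(k *KMS, space string, wrapped, ct []byte) ([]byte, error) {
	if k.disabled[space] || len(k.keys[space]) != 32 { // KMS refuses a disabled key
		return nil, fmt.Errorf("kms: key for Space %q unavailable", space)
	}
	dk, err := gcm(k.keys[space]).Open(nil, wrapped[:12], wrapped[12:], nil)
	if err != nil {
		return nil, err
	}
	return gcm(dk).Open(nil, ct[:12], ct[12:], nil)
}

func main() {
	k := &KMS{map[string][]byte{"a": make([]byte, 32)}, map[string]bool{}} // demo key
	w, ct := Store(k, "a", []byte("pw"))
	k.disabled["a"] = true // disabling the Space key leaves w and ct undecryptable
	fmt.Println(Load(k, "a", w, ct))
}
```

Because the stored blobs contain only ciphertext and a wrapped data key, a second Space with its own key keeps decrypting normally after the first Space's key is disabled.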