Conduit

Vault & Security

Conduit stores all connection entries and credentials in an encrypted vault. The vault is a local SQLite database encrypted with AES-256, ensuring your sensitive data is protected at rest.

Master Password

The encryption key that protects the vault is derived from your master password. The password is never stored anywhere and cannot be recovered. Choose a strong password that you will not forget.

Master password cannot be recovered

Your master password cannot be recovered. If you lose it, you will need to create a new vault.

Zero-Knowledge Encryption

Conduit uses a zero-knowledge architecture — your encryption keys are derived from your master password locally on your device and are never transmitted to Conduit servers. This means no one, including the Conduit team, can access your vault data. Even cloud backups are encrypted locally before upload, so the server only ever sees encrypted blobs.

The vault uses AES-256 encryption. Each vault is its own encrypted database stored locally on your machine. Cloud backups use a separate, domain-separated AES-256-GCM key, so backup encryption is independent of vault encryption.
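What "domain-separated" means in practice, as an added example that is not Conduit's own code: one root secret is derived locally from the master password, then expanded under two different context labels into unrelated 256-bit keys. The choice of scrypt and HKDF-SHA256, the cost parameters, the labels and the sample salt are all assumptions; the page does not name the KDF Conduit uses.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a PRK, then expand it under a context label."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(master_password: str, salt: bytes) -> dict:
    # Slow, memory-hard step. It runs locally, so only ciphertext produced
    # with the resulting keys would ever need to leave the device.
    root = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)
    # Domain separation: same root secret, different labels, unrelated keys.
    # Learning one of them reveals nothing about the other or about the root.
    return {
        "vault": hkdf_sha256(root, salt, b"example/vault-db/v1"),        # assumed label
        "backup": hkdf_sha256(root, salt, b"example/cloud-backup/v1"),   # assumed label
    }


SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
KEYS = derive_keys("correct horse battery staple", SALT)

if __name__ == "__main__":
    for purpose, key in KEYS.items():
        print(purpose, key.hex())
```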

Locking

You can lock the vault manually at any time with Cmd/Ctrl+Shift+L. When locked, the vault requires your master password to unlock again.

Quick Unlock (Biometric)

On macOS, you can unlock personal vaults using Touch ID, Apple Watch, or your system password instead of re-entering your master password every time. This is powered by macOS biometric authentication (LAContext) and stores your master password securely in the macOS Keychain via Electron's safeStorage API.

After your first successful password unlock, Conduit will prompt you to enroll the vault for Quick Unlock. Once enrolled:

  • The unlock dialog will automatically prompt for biometric authentication when the vault is locked.
  • A fingerprint badge appears on biometric-enabled vaults in the Vault Hub.
  • You can manually trigger Quick Unlock from the unlock dialog if the auto-prompt was dismissed.

Quick Unlock can be enabled or disabled in Settings > Security. The setting is only visible on macOS. If you change your vault password, the stored biometric credential is automatically updated. Removing a vault from recents cleans up its biometric data.

Personal vaults only

Quick Unlock is available for personal vaults only. Team vaults use a different key architecture and do not support biometric unlock.

Rename Vault

You can rename any vault via File > Rename Vault from the menu bar. This works for both personal and team vaults:

  • Personal vaults — renames the .conduit vault file on disk.
  • Team vaults — updates the vault name in the cloud. Only vault admins or team admins can rename a team vault.

Team vault permissions

Renaming a team vault requires the vault admin or team admin role. Other team members will see the updated name automatically on their next sync.

Manual Save

Conduit uses SQLite WAL (Write-Ahead Logging) mode for vault storage, which means recent writes may sit in a WAL journal file rather than the main .conduit vault file. The Manual Save feature forces a WAL checkpoint, flushing all pending data into the vault file.

You can trigger a manual save in two ways:

  • Select File > Vault Management > Save Vault from the menu bar.
  • Press Cmd+S (macOS) or Ctrl+S (Windows/Linux).

This is especially useful before manually copying the .conduit vault file, as it ensures the file contains all of your latest changes.
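Why the checkpoint matters before a file copy, as an added example that is not Conduit's own code: it uses a plain, unencrypted SQLite database as a stand-in for the vault, with a hypothetical file name, table and sample rows, and assumes the checkpoint is issued as `PRAGMA wal_checkpoint(TRUNCATE)`. A copy of the main file taken before the checkpoint is missing the committed rows; a copy taken after it has them.

```python
import os
import shutil
import sqlite3
import tempfile


def count_rows(db_path):
    """Open a copied database on its own and count what it really contains."""
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT COUNT(*) FROM entries").fetchall()[0][0]
    finally:
        conn.close()


def demo_wal_checkpoint():
    with tempfile.TemporaryDirectory() as workdir:
        vault = os.path.join(workdir, "example.conduit")  # hypothetical name
        # isolation_level=None: autocommit, every statement commits at once.
        conn = sqlite3.connect(vault, isolation_level=None)
        conn.execute("PRAGMA journal_mode=WAL").fetchall()
        conn.execute("CREATE TABLE entries (name TEXT)")
        conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()

        # Constructed sample rows: committed, but held only in the -wal file.
        conn.executemany("INSERT INTO entries VALUES (?)",
                         [("ssh-bastion",), ("rdp-jump",), ("vnc-lab",)])
        wal_before = os.path.getsize(vault + "-wal")

        # Copy the main file alone, as a file manager or cp would.
        early = os.path.join(workdir, "copy-before.conduit")
        shutil.copy(vault, early)
        rows_before = count_rows(early)

        # Checkpoint: move every WAL frame into the main file, empty the WAL.
        busy = conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()[0][0]
        wal_after = os.path.getsize(vault + "-wal")

        late = os.path.join(workdir, "copy-after.conduit")
        shutil.copy(vault, late)
        rows_after = count_rows(late)
        conn.close()
    return {"rows_before": rows_before, "rows_after": rows_after,
            "wal_before": wal_before, "wal_after": wal_after, "busy": busy}


if __name__ == "__main__":
    print(demo_wal_checkpoint())
```

A non-zero `busy` value means another connection blocked the checkpoint, in which case the main file may still be behind and the copy should be retried.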

Team vaults save automatically

For team vaults, triggering a manual save shows an informational toast confirming that team vaults are saved to the cloud automatically. There is no local WAL journal to flush.

Entry Types

The vault supports the following entry types:

  • SSH connection entries
  • RDP connection entries
  • VNC connection entries
  • Web session entries
  • Document entries — markdown documents with a built-in editor and live preview
  • Standalone credential entries that can be reused across multiple connections

Multi-Factor Authentication

Conduit supports TOTP-based multi-factor authentication for your Conduit account. Enroll on the website account security page to enable MFA. AAL2 (Authenticator Assurance Level 2) sessions persist across app restarts, so you are not prompted to re-authenticate on every launch.

Team Vault Audit Logs

Every action in a team vault is logged to an immutable audit trail, including entry and folder operations, member changes, permission updates, and vault access events. Team admins can view the full activity log from the Vault Settings dialog.

Audit logs are retained for 2 years and automatically purged after that period. This ensures compliance-ready record keeping while keeping storage manageable.


Related Pages

  • Credentials — credential types, standalone credentials, and organization.
  • Credential Picker — quick-access tray popup for searching and copying credentials.
  • Backup & Restore — local and cloud backup, retention policies, and restore.