Credential Vault
Use YeePilot Vault for local encrypted secret storage with multi-method unlock and operational SSH trust tooling.
Last updated: March 1, 2026
What Vault Is
YeePilot Vault is a local encrypted secret store used by the client.
Primary file:
~/.yeepilot/vault.json.enc
Vault is locked by default and supports multiple unlock methods with wrapped key material.
Supported Unlock Methods
- password
- pin
- yubikey
- yubikey+pin
- recovery_key
Initialize and Inspect
```bash
yeepilot vault init --method password
yeepilot vault status
```
Unlock and Lock (CLI)
```bash
yeepilot vault unlock --method password
yeepilot vault lock
```
Core Vault Commands
```bash
yeepilot vault list --method password
yeepilot vault showmeta <name> --method password
yeepilot vault add-method --unlock-method password --method yubikey
yeepilot vault primary --method pin
yeepilot vault rotate-recovery --unlock-method password
```
SSH Trust + Connect
```bash
# fingerprint scan
yeepilot vault trust-host example.com:22
# verify and trust
yeepilot vault trust-host example.com:22 SHA256:...
# test connection via vault entry
yeepilot vault connect <entry> --unlock-method password
```
Portable Bundle Transfer
```bash
yeepilot vault portable export backup.ypbundle
yeepilot vault portable import backup.ypbundle
```
TUI Vault Controls
Useful commands:
- /vault status|init|list|showmeta|add-method|primary|rotate-recovery|autolock
- /unlock [method]
- /lock
- /connect <entry>
- /connect trust <host[:port]> [fingerprint]
- /portable export|import <bundle.ypbundle>
- /vault copy <name> (tier-1 only)
- /vault pwgen <name> [length]
- /vault import-ssh <name> <host> <user> <keyfile> [port]
Config Keys
```yaml
vault:
  enabled: false
  start_locked: true
  auto_lock_duration: 15m
  bruteforce_protection_enabled: true
  wipe_on_bruteforce_enabled: false
  wipe_after_failures: 15
```
Security Notes
- Keep at least two unlock methods configured for resilience.
- Store the recovery key offline.
- Use host-fingerprint verification for every new SSH host.
- Keep autolock enabled for long-running sessions.
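The fingerprint check behind the "verify and trust" step, as an added example that is not YeePilot code: it derives a `SHA256:` fingerprint from a host public key line and compares it with a value obtained out of band. It assumes the fingerprint follows the OpenSSH format (unpadded base64 of the SHA-256 of the key blob); the function names and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Public key algorithm names OpenSSH uses in known_hosts / ssh-keyscan output.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint(line: str) -> str:
    """Fingerprint of '<type> <base64>' or '<host> <type> <base64>'."""
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no public key found in line")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    # The blob carries its own type string; reject a line that mislabels it.
    if not blob.startswith(ssh_string(fields[idx].encode())):
        raise ValueError("declared key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_pinned(line: str, pinned: str) -> bool:
    """True only if the presented key hashes to the out-of-band fingerprint."""
    return hmac.compare_digest(fingerprint(line).encode(), pinned.strip().encode())


def make_line(host: str, raw_key: bytes) -> str:
    """Build a constructed ssh-keyscan-style line for a 32-byte Ed25519 key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed sample data, not real host keys.
SAMPLE_LINE = make_line("example.com", bytes(range(32)))
SWAPPED_LINE = make_line("example.com", bytes(range(1, 33)))  # different key
PINNED = fingerprint(SAMPLE_LINE)  # stands in for the value obtained out of band

if __name__ == "__main__":
    print(PINNED, matches_pinned(SAMPLE_LINE, PINNED), matches_pinned(SWAPPED_LINE, PINNED))
```

A mismatch on a host that was trusted before means the presented key changed and should be investigated before the host is re-trusted.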