
Credential Vault

Store secrets locally in an encrypted vault, lock the client, verify SSH hosts, and manage recovery safely.

Last updated: May 12, 2026

What The Vault Is

YeePilot Vault is a local encrypted store for secrets and operational access data. It is designed for end users who want secure local handling of credentials without leaving them in plain text files or shell history.

The main encrypted file is:

```text
~/.yeepilot/vault.json.enc
```

Supported Unlock Methods

YeePilot currently supports:

  • password
  • pin
  • yubikey
  • yubikey+pin

The vault also generates a recovery key during initialization. Store that recovery key offline. It is shown once and is meant for recovery, not daily use.

Initialize The Vault

```bash
yeepilot vault init --method password
yeepilot vault status
```

During initialization, YeePilot shows your recovery key. Save it somewhere offline and safe before continuing.

Unlock And Lock

Verify that unlocking works:

```bash
yeepilot vault unlock --method password
```

Clear process-local unlocked state in CLI mode:

```bash
yeepilot vault lock
```

In the TUI, the everyday commands are:

```text
/unlock
/lock
```

Inspect Entries Safely

List entry metadata:

```bash
yeepilot vault list --unlock-method password
```

Inspect one entry's metadata:

```bash
yeepilot vault showmeta my-server --unlock-method password
```

These commands are designed to show metadata only; they do not print secret values into the terminal, where they would end up in scrollback or session logs.

Add Another Unlock Method

```bash
yeepilot vault add-method --unlock-method password --method yubikey
```

Make a different method the primary one:

```bash
yeepilot vault primary --method pin
```

Rotate the recovery key:

```bash
yeepilot vault rotate-recovery --unlock-method password
```

SSH Trust And Test Connections

Scan and trust a host key:

```bash
yeepilot vault trust-host example.com:22
```

Trust a host only if its key matches a fingerprint you obtained out of band (for example from the server's administrator):

```bash
yeepilot vault trust-host example.com:22 SHA256:...
```
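The fingerprint check that the second form relies on is worth understanding, because it is what distinguishes verifying a host from blindly trusting whatever key is scanned. The following is an added illustration, not YeePilot's code: it reproduces the OpenSSH `SHA256:` fingerprint format (SHA-256 over the raw key blob, base64 without padding, as `ssh-keygen -lf` prints it), checks that the key type declared in a keyscan-style line matches the type encoded inside the blob, and compares against the expected fingerprint in constant time. The sample key is a constructed placeholder blob, and every function name is this example's own.

```python
"""Verify an SSH host key's SHA256 fingerprint before trusting it.

Added illustration, not YeePilot's own code. Reproduces what OpenSSH's
`ssh-keygen -lf` prints: SHA256 over the raw key blob, base64 without padding.
Inputs are constructed in-line; the function names are this example's own.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0) -> tuple[bytes, int]:
    """Decode one SSH wire-format string at offset; returns (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_keyscan_line(line: str) -> tuple[str, str, bytes]:
    """Parse 'host keytype base64blob' as printed by ssh-keyscan or stored in known_hosts.

    The key type written in the text must match the type encoded inside the blob;
    a mismatch means the line was altered or corrupted.
    """
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected 'host keytype base64'")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = read_ssh_string(blob)
    if inner_type.decode("ascii", "replace") != keytype:
        raise ValueError(f"key type mismatch: text says {keytype!r}, blob says {inner_type!r}")
    return host, keytype, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """True only if the key on this line hashes to the fingerprint obtained out of band.

    Comparison is constant-time; any parse failure counts as 'does not match'.
    """
    try:
        _, _, blob = parse_keyscan_line(line)
    except ValueError:
        return False
    actual = fingerprint_sha256(blob)
    return hmac.compare_digest(actual.encode(), expected_fingerprint.strip().encode())


# Constructed sample: a syntactically valid ssh-ed25519 blob whose 32 key bytes are
# a fixed placeholder, not any real host's key.
_FAKE_ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "example.com ssh-ed25519 " + base64.b64encode(_FAKE_ED25519_BLOB).decode("ascii")
SAMPLE_FINGERPRINT = fingerprint_sha256(_FAKE_ED25519_BLOB)
# Same blob, but the declared key type no longer matches what the blob encodes.
TAMPERED_LINE = SAMPLE_LINE.replace("ssh-ed25519 ", "ssh-rsa ", 1)

if __name__ == "__main__":
    print("fingerprint:", SAMPLE_FINGERPRINT)
    print("matches expected:", host_key_matches(SAMPLE_LINE, SAMPLE_FINGERPRINT))
    print("tampered line accepted:", host_key_matches(TAMPERED_LINE, SAMPLE_FINGERPRINT))
```

The point of the design is that the expected fingerprint comes from a channel other than the connection itself; a fingerprint you read off the same first connection you are about to trust proves nothing.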

Test a connection using a tier-2 vault entry:

```bash
yeepilot vault connect my-server --unlock-method password
```

Portable Vault Bundle

Export an encrypted portable bundle:

```bash
yeepilot vault portable export backup.ypbundle
```

Import a portable bundle:

```bash
yeepilot vault portable import backup.ypbundle
```

Use this carefully: import is a backup-and-replace workflow, so the imported bundle takes the place of the current vault contents.

TUI Vault Actions

Useful interactive commands include:

  • /vault status
  • /vault init <password|pin|yubikey|yubikey+pin>
  • /vault list
  • /vault showmeta <name>
  • /vault add-method <method> [primary]
  • /vault primary <method>
  • /vault rotate-recovery
  • /vault autolock <duration|off>
  • /vault copy <name>
  • /vault pwgen <name> [length]
  • /vault import-ssh <name> <host> <user> <keyfile> [port]
  • /connect <entry>
  • /connect trust <host[:port]> [fingerprint]
  • /portable export|import <bundle.ypbundle>

Client + Vault Locking

The vault can also work together with the client lock state.

Important settings:

```yaml
vault:
  enabled: false
  start_locked: true
  auto_lock_duration: 15m
  bruteforce_protection_enabled: true
  wipe_on_bruteforce_enabled: false
  wipe_after_failures: 15
```

For most users:

  • keep bruteforce_protection_enabled: true
  • keep autolock enabled
  • leave wipe-on-bruteforce off unless you fully understand the recovery consequences

Best End-User Advice

  • initialize the vault before you urgently need it
  • keep at least one dependable unlock method
  • store the recovery key offline
  • verify SSH fingerprints before trusting a new host
  • use autolock on machines you leave unattended