Sharing
SyVault supports secure credential sharing within teams through shared folders. Sharing is built on ECDH P-256 key exchange, ensuring that shared secrets are encrypted end-to-end and that the server never has access to plaintext data.
Shared Folders
Shared folders are the primary mechanism for team credential sharing. A shared folder behaves like a regular vault folder, but its encryption key is distributed to multiple users.
Creating a Shared Folder
- In the web vault or desktop app, navigate to the vault where you want to create a shared folder.
- Click New Folder and toggle Shared on.
- Name the folder (e.g., "Engineering - AWS", "Marketing - Social Media").
- Add team members by email address.
- Set permissions for each member.
How Encryption Works
When you create a shared folder, the following cryptographic operations occur:
- Folder Key Generation -- A random 256-bit symmetric key (the Shared Folder Key) is generated.
- Key Wrapping for Creator -- The Shared Folder Key is encrypted with your Account Key using AES-256-GCM.
- Key Distribution via ECDH -- For each recipient:
- SyVault performs an ECDH P-256 key agreement between your private key and the recipient's public key, producing a shared secret.
- The shared secret is passed through HKDF-SHA256 to derive a wrapping key.
- The Shared Folder Key is encrypted with this wrapping key and stored on the server, tagged with the recipient's user ID.
- Recipient Decryption -- When a recipient opens the shared folder, they perform the reverse ECDH using their private key and the sender's public key, derive the same wrapping key, decrypt the Shared Folder Key, and use it to decrypt the folder's records.
Creator Recipient
──────── ─────────
Creator Private Key ─┐ ┌─ Recipient Private Key
│ │
Recipient Public Key ┘ └─ Creator Public Key
│ │
ECDH P-256 ECDH P-256
│ │
Shared Secret ═══════════ Shared Secret
│ │
HKDF-SHA256 HKDF-SHA256
│ │
Wrapping Key Wrapping Key
│ │
Encrypt(Folder Key) Decrypt(Folder Key)
Because ECDH produces the same shared secret regardless of which side initiates the exchange, no real-time communication between users is needed. Key distribution is fully asynchronous.
Permissions
Each member of a shared folder has one of two permission levels:
| Permission | Can View | Can Edit | Can Add | Can Delete | Can Manage Members |
|---|---|---|---|---|---|
| Read | Yes | No | No | No | No |
| Read + Write | Yes | Yes | Yes | Yes | No |
Only the folder owner (creator) and organization admins can manage membership and permissions. Ownership can be transferred to another member.
Adding and Removing Members
- Adding: When a new member is added, the folder owner re-encrypts the Shared Folder Key for the new member using ECDH (as described above). Existing members do not need to take any action.
- Removing: When a member is removed, the Shared Folder Key is rotated. A new Shared Folder Key is generated, all records in the folder are re-encrypted with the new key, and the new key is distributed to remaining members. This ensures the removed member cannot decrypt future changes, even if they retained the old key.
Key rotation on member removal re-encrypts all records in the folder. For folders with hundreds of records, this may take a few seconds. The folder is briefly locked during rotation to prevent conflicts.
Audit Trail
All sharing events are logged in the organization audit log:
- Folder created / deleted
- Member added / removed
- Permission changed
- Key rotation events
- Record added to / removed from shared folder
Admins can review the audit log under Admin > Audit Log with filters for user, action type, and date range.