Vaults and devices

Vaults

A vault is a synced root folder plus its full history — the unit of sharing and keying in Manifa. Every vault has its own random Vault Key (VK), wrapped to each member's Account Master Key. Create one with:

mani vault create my-project ~/code/my-project

A vault tracks a chain of snapshots — immutable, content-addressed commits of the whole tree — so "what does this vault look like" always has a precise answer. See the sync model for how snapshots advance.

Accounts vs. devices

Your account is one identity, one Account Master Key (AMK), and a set of enrolled devices. Each device holds its own local keypair, generated on enrollment, whose private half never leaves it (kept in the OS keystore: Keychain on macOS, secret-service on Linux; see Platforms for OS-specific details). The AMK is wrapped separately to each device's public key, so any enrolled device can unwrap it independently.

This is also why Manifa has two separate secrets, and it's worth being explicit about what each one does:

  • Login (email + one-time code, or Google) proves who you are to the server. It gates account access, but the server can fully see and control it.
  • Master password wraps your Account Master Key and never reaches the server. It's the thing that actually makes your data unreadable to anyone but you.

Signing in does not, by itself, decrypt anything. See the zero-knowledge model for the full key hierarchy.

Enrollment

A fresh device gets access to your account via mani device enroll, in one of two ways:

  • Approval from an existing device — the new device requests access; an already-trusted device approves it and wraps the AMK to the new device's public key. No secrets are retyped.
  • Password + recovery code — used when this is the only device you have left (e.g. first re-install after losing everything else).

Once enrolled, a device can mani clone any vault it's been given access to.

Revocation

mani device revoke <device>

Revoking a device immediately:

  1. Deletes that device's wrapped copy of the AMK — it can no longer unwrap anything new.
  2. Rotates the Vault Key for every vault the device had access to. New writes use the new VK; remaining devices keep reading old history through an epoch-aware key ring, not a single overwritten secret.

A revoked device retains whatever it already downloaded locally: revocation prevents future access; it doesn't reach into a device and delete data already on disk.
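The key hierarchy described in Accounts vs. devices and Revocation (AMK wrapped per device, VK wrapped to the AMK, and a VK rotation that opens a new epoch when a device is revoked) is modelled below as an added example; it is not Manifa's own code. It stands in an HMAC-SHA256 keystream plus tag for the real wrapping primitive and a per-device symmetric secret for the device keypair, and all names (Account, Vault, wrap, unwrap, revocation_demo) and the sample commits are constructed.

```python
"""Toy model of the AMK -> VK -> data key hierarchy with epoch-based VK rotation.
Constructed example: the wrap primitive is an HMAC-SHA256 stand-in, not a real AEAD."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; illustrative only, not a production cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC `secret` under the key-encryption key `kek`."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(kek, nonce, len(secret))))
    tag = hmac.new(kek, b"wrap-tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(kek, b"wrap-tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("unwrap failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


class Vault:
    """Server-side vault: a ring of wrapped VKs (list index = epoch) plus writes."""

    def __init__(self, amk: bytes):
        self.wrapped_vks = []  # epoch -> VK wrapped to the account's AMK
        self.writes = []       # (epoch, data wrapped under that epoch's VK)
        self.rotate(amk)

    def rotate(self, amk: bytes) -> int:
        self.wrapped_vks.append(wrap(amk, os.urandom(32)))
        return len(self.wrapped_vks) - 1  # the new current epoch

    def key_ring(self, amk: bytes) -> list:
        # Every epoch's VK, so old history stays readable after a rotation.
        return [unwrap(amk, w) for w in self.wrapped_vks]

    def write(self, amk: bytes, data: bytes) -> None:
        epoch = len(self.wrapped_vks) - 1  # new writes always use the current VK
        self.writes.append((epoch, wrap(self.key_ring(amk)[epoch], data)))


def read_with_ring(vault: Vault, ring: list) -> list:
    """What a holder of VKs for epochs 0..len(ring)-1 can decrypt; None where it can't."""
    return [unwrap(ring[e], ct) if e < len(ring) else None for e, ct in vault.writes]


class Account:
    def __init__(self):
        self.amk = os.urandom(32)  # in the clear only on the client side
        self.device_secrets = {}   # client side: device -> private-key stand-in
        self.wrapped_amk = {}      # server side: device -> AMK wrapped to that device
        self.vaults = {}

    def enroll(self, device: str) -> None:
        # An already-trusted device wraps the AMK to the new device's key.
        self.device_secrets[device] = os.urandom(32)
        self.wrapped_amk[device] = wrap(self.device_secrets[device], self.amk)

    def amk_for(self, device: str) -> bytes:
        # A device unwraps the AMK with its own secret; a revoked device has no blob.
        if device not in self.wrapped_amk:
            raise PermissionError(f"{device} is not enrolled (or was revoked)")
        return unwrap(self.device_secrets[device], self.wrapped_amk[device])

    def create_vault(self, name: str) -> Vault:
        self.vaults[name] = Vault(self.amk)
        return self.vaults[name]

    def revoke(self, device: str) -> None:
        del self.wrapped_amk[device]     # step 1: drop that device's wrapped AMK
        for v in self.vaults.values():
            v.rotate(self.amk)           # step 2: new VK epoch for every vault


def revocation_demo() -> dict:
    acct = Account()
    acct.enroll("laptop")
    acct.enroll("phone")
    vault = acct.create_vault("my-project")
    vault.write(acct.amk_for("phone"), b"commit-1")
    phone_cached_ring = vault.key_ring(acct.amk_for("phone"))  # what it downloaded
    acct.revoke("phone")
    vault.write(acct.amk_for("laptop"), b"commit-2")           # wrapped under epoch 1
    try:
        acct.amk_for("phone")
        phone_can_unwrap_amk = True
    except PermissionError:
        phone_can_unwrap_amk = False
    return {
        "epochs": len(vault.wrapped_vks),
        "laptop_reads": read_with_ring(vault, vault.key_ring(acct.amk_for("laptop"))),
        "phone_reads": read_with_ring(vault, phone_cached_ring),
        "phone_can_unwrap_amk": phone_can_unwrap_amk,
    }
```

Running revocation_demo() shows the two effects the section lists: the laptop reads both commits through its two-epoch key ring, while the revoked phone still decrypts the commit it had already downloaded keys for but gets nothing for the write made after rotation, and it can no longer obtain the AMK at all.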

Listing devices

mani device ls

Shows every enrolled device, its platform, and enrollment time, so you can confirm you are about to revoke the right one.