What’s in the vault
The vault is split into a handful of typed stores, each visible as a tab in Settings → Vaults:| Tab | Contents |
|---|---|
| Hosts | Saved SSH hosts (see SSH host management) |
| Keychains | Private SSH keys with optional passphrases |
| Accounts | Username / password pairs |
| Snippets | Reusable shell scripts you can call across terminals |
| Known Hosts | Trusted SSH host keys (see Host groups & known_hosts) |
Set up the vault
The vault initializes the first time you do something that needs it — usually when you click Remote Connection to add your first host.Generate (or recover) a secret key
Choose:
- Create a new secret key — Rumus generates a cryptographically random key and prompts you to download it as a
secret-key.txtfile (formatRM-XXXX-XXXX-...). - Recover an existing key — paste a key string or upload a previously downloaded key file. Use this when setting up a new device that should share the vault from another.
Set a 6-digit PIN
The PIN is a convenience layer for unlocking the vault during normal use. Pick a 6-digit code.
How the secret key and PIN work together
- The secret key is the actual encryption key. It’s needed for the very first setup on a device, and any time you want to recover or migrate.
- The PIN is a fast-unlock code derived from the secret key. Once set up, you only need the PIN to unlock the vault on this device session-to-session.
Unlocking and locking
The vault unlocks automatically the first time you need it in a session (e.g. opening a remote tab) — Rumus prompts for your PIN if it isn’t already unlocked. It stays unlocked until you quit the app. To force a re-lock, quit and reopen Rumus. (A dedicated “Lock vault” button isn’t surfaced today.)Failed PIN attempts
Repeated wrong PINs are rate-limited. After several failed attempts in a row, you’re forced to wait before trying again. This isn’t optional and isn’t configurable — it’s part of the threat model: a casual attacker shouldn’t be able to brute-force a 6-digit PIN.Backing up the secret key
The single most important thing to do after setup. If your hard drive dies, your laptop is stolen, or you reinstall the OS:- With a backup — install Rumus on a new device, choose Recover existing key, paste or upload the backup, and the vault is yours again.
- Without a backup — the encrypted data in the cloud is unreadable. You’d start over.
- A password manager (1Password, Bitwarden, etc.) — the secret-key file is small enough to attach.
- A second physical location — printed and sealed in an envelope, or a USB stick in a drawer.
Reset the vault
If you decide to start over — lost secret key, fresh start, handing off the device — use Settings → Account → Reset Vault. The reset is email-confirmed and wipes both the local vault and the synced cloud copy. See Reset vault for the full flow. Reset is destructive and not undoable. Make sure that’s what you actually want.Vault questions or stuck on setup? Ask in the Rumus community — for anything sensitive (lost key, decryption issues), reach out to support directly.
Privacy
- Everything in the vault is encrypted on your device before it ever touches Rumus’s servers.
- The secret key never leaves your device — Rumus has no copy and cannot help you recover one you’ve lost.
- The PIN doesn’t leave your device either — it’s used to derive a local unlock token, not transmitted.
Next steps
Vault sync & recovery
Bring your vault to a new device, and resolve sync conflicts.
SSH host management
The biggest user of the vault — your saved SSH targets.