The vault is Rumus’s encrypted local store for everything sensitive: SSH host records, private keys, saved username / password pairs, command snippets, and known-host fingerprints. It’s built on Stronghold, an open-source secrets engine, and locked with a secret key that only you ever see. When the vault syncs to the cloud, it does so as ciphertext only — Rumus servers cannot read your secrets.
What’s in the vault
The vault is split into a handful of typed stores, each visible as a tab in Settings → Vaults:
| Tab | Contents |
|---|---|
| Hosts | Saved SSH hosts (see SSH host management) |
| Keychains | Private SSH keys with optional passphrases |
| Accounts | Username / password pairs |
| Snippets | Reusable shell scripts you can call across terminals |
| Known Hosts | Trusted SSH host keys (see Host groups & known_hosts) |
Set up the vault
The vault initializes the first time you do something that needs it — usually when you click Remote Connection to add your first host.
Generate (or recover) a secret key
Choose:
- Create a new secret key — Rumus generates a cryptographically random key and prompts you to download it as a secret-key.txt file (format RM-XXXX-XXXX-...).
- Recover an existing key — paste a key string or upload a previously downloaded key file. Use this when setting up a new device that should share the vault from another.
Set a 6-digit PIN
The PIN is a convenience layer for unlocking the vault during normal use. Pick a 6-digit code.
How the secret key and PIN work together
- The secret key is the actual encryption key. It’s needed for the very first setup on a device, and any time you want to recover or migrate.
- The PIN is a fast-unlock code derived from the secret key. Once set up, you only need the PIN to unlock the vault on this device session-to-session.
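
A 6-digit PIN has only 1,000,000 possible values, so the forced waits after failed attempts (described under Failed PIN attempts) are what keep it from being guessed. The sketch below is an added example, not Rumus's code: the threshold, delay values, KDF parameters and the `PinGate` class are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for illustration; the page does not give Rumus's numbers.
LOCKOUT_THRESHOLD = 3   # consecutive wrong PINs before the first forced wait
BASE_DELAY_S = 30       # first forced wait; doubles with each further failure
MAX_DELAY_S = 3600      # cap on a single forced wait


def delay_after(failures: int) -> int:
    """Forced wait in seconds after the given number of consecutive wrong PINs."""
    over = failures - LOCKOUT_THRESHOLD
    if over < 0:
        return 0
    return min(BASE_DELAY_S * 2 ** min(over, 16), MAX_DELAY_S)


def forced_wait_total(wrong_guesses: int) -> int:
    """Total waiting imposed on someone who makes this many wrong guesses in a row."""
    return sum(delay_after(n) for n in range(1, wrong_guesses + 1))


class PinGate:
    """Hypothetical PIN check with escalating waits; state lives on the device."""

    def __init__(self, pin: str, clock=time.monotonic):
        self._salt = os.urandom(16)
        self._verifier = self._stretch(pin)
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0

    def _stretch(self, pin: str) -> bytes:
        # The KDF slows each guess, but with only 10**6 PINs the throttle is the real bound.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def wait_remaining(self) -> float:
        return max(0.0, self._locked_until - self._clock())

    def try_unlock(self, pin: str) -> str:
        if self.wait_remaining() > 0:
            return "wait"  # refused before the PIN is even compared
        if hmac.compare_digest(self._stretch(pin), self._verifier):
            self._failures = 0
            return "unlocked"
        self._failures += 1
        self._locked_until = self._clock() + delay_after(self._failures)
        return "wrong"
```

With these assumed values, `forced_wait_total(10**6 - 1)` comes to roughly 114 years of waiting to try every PIN through the gate.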
Unlocking and locking
The vault unlocks automatically the first time you need it in a session (e.g. opening a remote tab) — Rumus prompts for your PIN if it isn’t already unlocked. Lock it manually from Settings → Vaults → Lock vault when you step away. After locking, any vault-touching operation will prompt for the PIN again.
Failed PIN attempts
Repeated wrong PINs are rate-limited. After several failed attempts in a row, you’re forced to wait before trying again. This isn’t optional and isn’t configurable — it’s part of the threat model: a casual attacker shouldn’t be able to brute-force a 6-digit PIN.
Backing up the secret key
The single most important thing to do after setup. If your hard drive dies, your laptop is stolen, or you reinstall the OS:
- With a backup — install Rumus on a new device, choose Recover existing key, paste or upload the backup, and the vault is yours again.
- Without a backup — the encrypted data in the cloud is unreadable. You’d start over.
- A password manager (1Password, Bitwarden, etc.) — the secret-key file is small enough to attach.
- A second physical location — printed and sealed in an envelope, or a USB stick in a drawer.
Reset the vault
If you decide to start over, Settings → Vaults → Reset vault wipes both the local vault and the synced cloud copy. There’s a confirmation prompt. Use this when:
- You’ve lost the secret key and accept losing the data.
- You want to switch to a fresh secret key.
- You’re handing off the device.
Vault questions or stuck on setup? Ask in the Rumus community — for anything sensitive (lost key, decryption issues), reach out to support directly.
Privacy
- Everything in the vault is encrypted on your device before it ever touches Rumus’s servers.
- The secret key never leaves your device — Rumus has no copy and cannot help you recover one you’ve lost.
- The PIN doesn’t leave your device either — it’s used to derive a local unlock token, not transmitted.
Next steps
Vault sync & recovery
Bring your vault to a new device, and resolve sync conflicts.
SSH host management
The biggest user of the vault — your saved SSH targets.