Vault User Manual

This guide walks through the most common workflows: setting up Vault, adding your first credential, backing up securely, and restoring on a new device. Each section includes an annotated diagram (rendered with Mermaid) to visualize the process.

📱 Tip: Perform these steps on a device running Android 11 or newer for best compatibility with biometrics and SAF file pickers.

1. First-time setup

flowchart TD
    A[Install Vault APK] --> B[Open app]
    B --> C{Biometric available?}
    C -- Yes --> D[Enroll biometric unlock]
    C -- No --> E[Use device credential unlock]
    D --> F[Set optional master passphrase]
    E --> F
    F --> G[Vault home ready]

Install the signed APK from the project’s GitHub Release or your own build.
Launch the app; grant biometric permission when prompted.
(Optional) Define a strong master passphrase (passphrase manager recommended).
You are taken to the empty vault screen.

2. Add a credential

sequenceDiagram
    participant U as You
    participant V as Vault UI
    participant K as Android Keystore

    U->>V: Tap "Add Entry"
    V->>U: Prompt for title, username, password, notes
    U->>V: Provide details + tags
    V->>K: Encrypt using AES-GCM (DEK wrapped by Keystore)
    K-->>V: Encrypted payload
    V-->>U: Entry saved confirmation

Tap Add Entry (floating action button).
Enter the service name, username, password (generate via built-in generator if needed), and optional notes.
Assign tags or mark as favorite for quick access.
Save—Vault encrypts the entry immediately and stores it locally.

3. Use Bluetooth HID typing

flowchart LR
    Start[Open entry] --> Mode{Need to type password on paired device?}
    Mode -- Yes --> HID[Enable HID typing mode]
    HID --> Pair[Confirm device pairing]
    Pair --> Type[Vault types username/password securely]
    Type --> Done[Session ends automatically]
    Mode -- No --> Copy[Use local reveal/copy]

Open an entry and choose Type via Bluetooth.
Confirm the paired device connection.
Vault emulates a keyboard and types the credentials—no clipboard exposure.
Session ends automatically after typing or upon cancellation.

4. Create a secure backup

flowchart TD
    A[Menu → Back up vault] --> B[Choose destination via SAF]
    B --> C[Enter backup passphrase]
    C --> D[Argon2id derives backup key]
    D --> E[AES-GCM encrypts vault]
    E --> F[Write encrypted .vaultbackup file]
    F --> G[Verify and confirm to user]

From the overflow menu, select Back up vault.
Android’s Storage Access Framework picker appears—choose local storage, SD card, or your private cloud folder.
Enter a strong backup passphrase (store it offline).
Vault encrypts the data and writes a .vaultbackup file to the chosen location.
Copy that file to at least one additional secure location.

5. Restore from backup (new device)

sequenceDiagram
    participant U as You
    participant V as Vault
    participant SAF as Storage Access Framework

    U->>V: Tap "Restore backup"
    V->>SAF: Launch file picker
    SAF-->>U: Let user choose .vaultbackup file
    U->>V: Provide backup passphrase
    V->>V: Argon2id + AES-GCM decrypt and validate
    V-->>U: Merge entries + success summary

Install Vault on the new device and open it.
Choose Restore backup from the onboarding screen or overflow menu.
When the SAF picker opens, navigate to your backup file.
Enter the backup passphrase. Vault decrypts and merges entries.
Confirm that everything looks correct and create a fresh backup right away.

6. Maintain your security posture

Schedule monthly backups and test restores on a spare device or emulator.
Review failed unlock attempts in system logs if you suspect tampering.
Keep Android security patches up to date.
When contributing code, run ./gradlew test lintVitalRelease before submitting.

Need more help?

Visit the Features overview for deeper technical details.
Open an issue on GitHub with reproducible steps and logs.
Consult the in-repo documentation for developer-specific information.