FAQ
Straight answers about VaultTerm's security model, self-hosting, air-gapped operation, where keys live, supported platforms today, and how AI is kept private.
Updated Jun 23, 2026
Short, honest answers to the questions people ask most. For definitions of the terms used here, see Core concepts.
Security model
Is VaultTerm zero-knowledge?
No. VaultTerm is an audited access broker, not zero-knowledge, and we say so rather than market a guarantee we cannot keep. The server decrypts a secret in memory only for a specific authorized, audited action — revealing a value, injecting a credential into a session, scanning output for a leak — and then discards the plaintext. No plaintext is kept at rest, and every such action lands in a tamper-evident audit trail. A strict zero-knowledge design would rule out the broker features teams actually need, all of which require the plaintext in memory at the moment of use. See Security model.
Self-hosting
Can I self-host it?
Yes. Self-hosted / on-prem mode runs VaultTerm on your own infrastructure as a Docker Compose unit, including in fully air-gapped environments. It is the same image and the same features as the hosted service; only the configuration differs. See Self-hosting overview and SaaS vs self-hosted.
Does an air-gapped install phone home?
No. An air-gapped install does not need to reach the internet. Entitlements are verified offline from a signed license file, so there is no activation call. The connected heartbeat is opt-in and off by default — an air-gapped deployment simply leaves it off. See Licensing and activation.
Where do my encryption keys live?
VaultTerm uses envelope encryption: each secret is sealed with a per-record data key, and that key is wrapped by a higher master key. Where the master key lives depends on how you configure key management — a local key, or your own HSM via HashiCorp Vault Transit. In on-prem mode the keys are yours, in your own infrastructure. See Cryptography and HashiCorp Vault sync.
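The envelope pattern described above, as an added Ruby example that is not VaultTerm's code: AES-256-GCM, the blob layout, the record-ID binding and all function names are assumptions, and the master key here is a local key rather than one held in Vault Transit. It also shows that rotating the master key re-wraps only the data key and leaves the ciphertext untouched.

```ruby
require "openssl"

CIPHER = "aes-256-gcm" # assumed cipher; the page does not name one
Record = Struct.new(:wrapped_dek, :ciphertext) # what sits at rest, never plaintext

# Encrypts under key with a fresh random nonce; aad binds the blob to its record ID.
# Assumed layout: 12-byte nonce | 16-byte tag | ciphertext.
def seal(key, plaintext, aad)
  c = OpenSSL::Cipher.new(CIPHER).encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = aad
  ciphertext = c.update(plaintext) + c.final
  nonce + c.auth_tag + ciphertext
end

# Raises OpenSSL::Cipher::CipherError if the key, record ID or any byte is wrong.
def unseal(key, blob, aad)
  raise ArgumentError, "truncated value" if blob.bytesize <= 28
  d = OpenSSL::Cipher.new(CIPHER).decrypt
  d.key = key
  d.iv = blob.byteslice(0, 12)
  d.auth_tag = blob.byteslice(12, 16)
  d.auth_data = aad
  d.update(blob.byteslice(28, blob.bytesize - 28)) + d.final
end

# Seals the secret under a fresh per-record data key, then wraps that key.
def seal_record(master_key, secret, record_id)
  dek = OpenSSL::Random.random_bytes(32)
  Record.new(seal(master_key, dek, record_id), seal(dek, secret, record_id))
end

def open_record(master_key, record, record_id)
  dek = unseal(master_key, record.wrapped_dek, record_id)
  unseal(dek, record.ciphertext, record_id)
end

# Master-key rotation re-wraps only the data key; the ciphertext is not re-encrypted.
def rewrap(old_key, new_key, record, record_id)
  dek = unseal(old_key, record.wrapped_dek, record_id)
  Record.new(seal(new_key, dek, record_id), record.ciphertext)
end

if __FILE__ == $PROGRAM_NAME # constructed demo values
  old_key, new_key = Array.new(2) { OpenSSL::Random.random_bytes(32) }
  rec = seal_record(old_key, "constructed-secret", "record-42")
  puts rewrap(old_key, new_key, rec, "record-42").ciphertext == rec.ciphertext
end
```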
Platforms
What platforms are supported today?
Today the web app and the browser extension are shipping. Desktop, mobile, and CLI clients are on the roadmap and not yet generally available. We would rather state this plainly than imply clients that are not yet shipping. See Browser extension overview.
AI
How is AI kept private?
AI is privacy-first and LAN-default. By default, AI runs against a self-hosted Ollama model on your own network, so terminal output and secrets do not leave it. A cloud model is used only behind a redaction gate and only when an organization has opted in — it is not the default path. See AI privacy model and AI overview.