Self-hosting FAQ

Straight answers on Kubernetes, air-gapped operation, license expiry, who can read the vault under escrow, and how upgrades work.

Updated Jun 23, 2026

Short, honest answers to the questions operators ask most. Each links to the page with the full detail.

Do I need Kubernetes?

No. VaultTerm is a modular monolith — one application process, not a fleet of services — so the supported deployment unit is Docker Compose, not Helm or Kubernetes. The stack is three containers: the app (API plus web portal on :4000, admin plane on :4100), postgres:16, and redis:7. There is no orchestrator to operate. See Self-hosting overview and Install with Docker Compose.

Can it run fully air-gapped?

Yes. You build a self-contained bundle on a connected host — the app image plus postgres:16 and redis:7, the compose file, and an installer — transfer one tarball, and install on a disconnected host with no network. The license verifies locally against a built-in vendor public key, so there is no activation call, and the over-deployment heartbeat is off unless you set its URL — an air-gapped install never phones home. See Air-gapped install.

What happens when the license expires?

It is not a hard outage. An expired license is honoured through a grace window, then lapses to free-tier limits — a late renewal degrades gracefully rather than taking the install down. The strict cases are different: a missing, malformed, forged, or rolled-back license is fatal at boot under production. See Licensing and activation.

Who can read the vault under managed escrow?

Nobody from a single share. The recovery key is 2-of-3 Shamir-split, so recovery needs two of the three shares — one is never enough. Under managed mode the vendor holds exactly one break-glass share, which alone cannot read or recover anything. Under customer-only mode the vendor holds nothing and is mathematically unable to read or recover the vault. See Backups and recovery.
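To make the 2-of-3 claim concrete, here is an added, stand-alone Python example (not VaultTerm's own code, which these docs do not show): a Shamir split over a prime field, recovery from any two of the three shares, and a demonstration that a single share is consistent with every possible recovery key. The field prime, share indices and the sample key are assumptions for illustration.

```python
"""2-of-3 Shamir split of a recovery key over GF(P), added example."""
import secrets

# Assumption: a Mersenne prime field; keys up to 126 bits fit as one element.
P = (1 << 127) - 1
THRESHOLD = 2   # shares needed to recover (the FAQ's "two of the three")
SHARES = 3      # shares issued (customer shares plus one break-glass share)


def _inv(a: int) -> int:
    """Modular inverse in GF(P) via Fermat's little theorem (P is prime)."""
    return pow(a % P, P - 2, P)


def split(secret: int, rng=secrets.randbelow) -> list[tuple[int, int]]:
    """Return SHARES points (x, f(x)) on a random line f with f(0) = secret."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element in [0, P)")
    coeffs = [secret] + [rng(P) for _ in range(THRESHOLD - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, SHARES + 1)]


def recover(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 using any THRESHOLD distinct shares."""
    if len(shares) < THRESHOLD:
        raise ValueError(f"need {THRESHOLD} shares, got {len(shares)}")
    pts = shares[:THRESHOLD]
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * xj % P          # product of the other x values
                den = den * (xj - xi) % P   # product of (xj - xi)
        total = (total + yi * num * _inv(den)) % P
    return total


def slope_for(share: tuple[int, int], candidate_secret: int) -> int:
    """For THRESHOLD = 2: the slope a1 such that f(x) = candidate + a1*x passes
    through the given share. A valid slope exists for EVERY candidate, which is
    why one share alone carries no information about the real key."""
    x, y = share
    return (y - candidate_secret) * _inv(x) % P
```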

How do upgrades work?

You move to a newer image and let migrations run on boot. Connected: git pull then docker compose up -d --build. Air-gapped: rebuild the bundle with a new version tag, transfer it, and re-run the installer (your .env is preserved). Migrations are forward-only, so back up the database first — the backup is also your rollback path. See Upgrading.

Is this zero-knowledge?

No, and we do not claim it. VaultTerm is an audited access broker: the server decrypts a secret in memory only for a specific authorized, audited action, under envelope encryption with no plaintext at rest. A self-hosted install keeps that whole boundary on your own infrastructure. See the Security model.

Where do I keep the admin plane?

Off the public internet. The admin/platform plane on :4100 binds to loopback by default — reach it over an SSH tunnel or a trusted private interface, and proxy only :4000 publicly. See Self-hosting overview.