Cloud Sync

Zero-knowledge sync for vault items, notes, and project metadata across your Macs.

Cloud Sync moves your Vault entries, project notes, and per-project metadata between your Macs without Vibehaus’s server ever seeing the plaintext.

Why it matters

The simpler alternative — server-side encryption — leaves your secrets readable to whoever runs the server. Zero-knowledge sync means a breach of our backend would yield only ciphertext.

How encryption works

  1. The first time you turn Cloud Sync on, the app generates a fresh 256-bit master key and stores it in your iCloud Keychain.
  2. Apple propagates that key to your other Apple devices using the same infrastructure that syncs your Safari passwords. Vibehaus’s servers never see it.
  3. Every Vault label, every Vault value, every note, and every project metadata blob is encrypted on-device with AES-GCM before it leaves the Mac.
  4. The server stores only the encrypted bytes and timestamps. Nothing else.

What syncs

Three things sync between your Macs:

  • Vault entries — encrypted label + value pairs.
  • Notes — encrypted markdown, including formatting, folders, tags, and pinned state.
  • Project metadata — your tags, port assignment, flow steps, last-opened time, and the “inject secrets” toggle for each project.

Local runtime state that’s specific to the current Mac (last-launched process IDs, on-disk file paths) deliberately stays off the wire.

First sign-in on a new device

iCloud Keychain takes anywhere from a few seconds to about 30 seconds to deliver the master key to a freshly-signed-in Mac. Until the key arrives, the server’s encrypted rows look like noise to the new device.

To prevent splitting your Vault in two, Cloud Sync waits up to 30 seconds for iCloud Keychain to catch up, showing an overlay. If the key still hasn’t arrived after the timeout, the app prompts you to sign out and back in — that usually nudges iCloud Keychain into delivering it.

Conflict resolution

When two devices change the same item, last-write-wins by timestamp. The timestamp is set by the server on every upload, so a clock-drifted Mac can’t dishonestly win a merge. Most users will never see a conflict because the writes are sparse and per-item.

Multi-device setup

The expected setup flow is:

  1. Sign in on your primary Mac. Add a few secrets to a project’s Vault. Wait a few seconds for the upload.
  2. Sign in to Vibehaus on the second Mac with the same Apple ID (so the same iCloud Keychain account is in play).
  3. The overlay appears for up to 30 seconds. When it clears, your Vault populates.

The same flow covers a Mac wipe + restore: as long as iCloud Keychain has the key, your data is one sign-in away from being decryptable again.

When decryption fails

If a remote item can’t be decrypted (the master key on this Mac doesn’t match the one used to encrypt that item), Vibehaus counts the failures but does not throw the rest of the items away. The status badge will read “X items couldn’t be decrypted — likely a master-key mismatch with another device”, and you’ll be guided to a sign-out / sign-in cycle.
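
The following Go example is added here and is not Vibehaus's own code. It shows per-field AES-GCM encryption under a 256-bit master key and a pull that counts undecryptable rows instead of discarding the rest. The blob layout (nonce, ciphertext, tag), the function names, and the sample keys and rows are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NewAEAD builds AES-256-GCM from a 32-byte master key.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field on-device; assumed layout: nonce || ciphertext || tag.
func Seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenAll decrypts every row (item ID -> blob) it can and counts the rest.
func OpenAll(aead cipher.AEAD, rows map[string][]byte) (map[string]string, int) {
	items, failed, n := map[string]string{}, 0, aead.NonceSize()
	for id, blob := range rows {
		if len(blob) < n {
			failed++ // too short to carry a nonce
		} else if pt, err := aead.Open(nil, blob[:n], blob[n:], nil); err != nil {
			failed++ // tag mismatch: wrong master key or altered bytes
		} else {
			items[id] = string(pt)
		}
	}
	return items, failed
}

func main() {
	macA, _ := NewAEAD(make([]byte, 32))            // constructed demo key
	macB, _ := NewAEAD(append(make([]byte, 31), 1)) // a different constructed key
	rows := map[string][]byte{"truncated": {1, 2}}  // constructed server rows
	rows["api-token"], _ = Seal(macA, []byte("s3cr3t"))
	rows["note-1"], _ = Seal(macB, []byte("written under another key"))
	fmt.Println(OpenAll(macA, rows)) // decrypted items, then the failure count
}
```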

  • Vault — what’s encrypted before it leaves the device.
  • Troubleshooting — the iCloud Keychain timeout and how to recover.
  • Getting Started — sign-in flow that bootstraps the master key.