Understanding Vaults in Zero
Understanding Vaults in Zero
In Zero, a vault is your private, encrypted container for structured data. Every table you create and every row you store lives inside a vault. Vaults are fully isolated from one another and saved locally on disk.
What is a Vault?
A vault is a single encrypted SQLite file protected by your master password (or a Recovery Kit you created). Zero only decrypts data when you unlock a session.
- Each vault is stored as a
.dbfile on your device. - You can create multiple vaults for different areas of your life.
- Only one vault is active at a time inside the app; switching changes what you see and edit.
Zero ships with a default vault. Many people add more, for example:
- personal.db — journals, private notes
- work.db — credentials, client records
- archive.db — long-term storage you rarely open
Why use multiple vaults?
- Separation of concerns: keep personal and work data completely apart.
- Smaller blast radius: you can share or back up one vault without exposing the others.
- Performance: large datasets can be split into focused vaults.
Where vaults live on disk
Zero keeps all vault files under its vaults/ folder (managed by the app). A typical layout looks like:
vaults/
├── default.db
├── personal.db
├── work.db
└── vault_index.json ← registry Zero uses to remember vaults
Attachments you store in “file” fields are kept under the app’s media/ folder (or inside the database if you choose “store in DB” for that field). Backups can include media.
What you can do with vaults
| Action | What it does |
|---|---|
| Create | Add a new vault with its own encrypted .db file. |
| Switch | Change the active vault in the UI; tables and rows update accordingly. |
| Rename | Give the vault a clearer name (file name updates safely). |
| Delete | Remove a vault you no longer need. This permanently deletes that vault file. |
| Back up / Restore | Create a full ZIP of all vaults (plus configs and, optionally, media) and restore later. You can restore specific vaults from a backup. |
How encryption relates to vaults
Each row includes a per-row salt; sensitive fields you mark as “encrypted” are stored encrypted at rest. When you unlock Zero with your master password (or a valid Recovery Kit), Zero can decrypt those fields on demand in your session.
- Recovery Kit: optional, but recommended. If you forget your password, the kit can unlock your vaults without re-encrypting data. Keep it offline and secure.
- Session scope: Decryption happens only while you’re unlocked; exported data follows your export settings (e.g., encrypted file fields are handled safely).
Backups & vaults
Use the Backups page to create a full ZIP that contains all vaults, key configs, and optionally the media folder. You can enable automatic backups (daily at a time you pick, or on an interval). Only automatic backups are rotated according to your retention; manual backups are never auto-deleted.
During restore you can choose which vaults to bring back. If “overwrite” is on, the vault file is replaced by the version from the backup.
Tips for managing vaults
- Use clear names like Work, Personal, or Archive.
- Split rarely-used data into a separate vault to keep daily vaults small.
- Back up regularly; consider enabling automatic backups.
- If you rely on encrypted file fields, keep the Recovery Kit safe so you’re never locked out.