# Credential Vault for Confluence - User Guide

> Published by **CowboyMSP** - https://cowboymsp.com - support@cowboymsp.com

Credential Vault is a secure password and MFA manager that lives directly inside your Confluence Cloud pages. Credentials are encrypted in your browser before being stored - nobody else can read them, including Atlassian or CowboyMSP.

---

## Table of contents

1. [Getting started](#getting-started)
2. [The vault interface](#the-vault-interface)
3. [Vault ownership and roles](#vault-ownership-and-roles)
4. [Adding credentials](#adding-credentials)
5. [Templates](#templates)
6. [Viewing and using credentials](#viewing-and-using-credentials)
7. [Tags](#tags)
8. [Categories](#categories)
9. [Search, sort, and filter](#search-sort-and-filter)
10. [Pinning, duplicating, and editing](#pinning-duplicating-and-editing)
11. [Bulk actions](#bulk-actions)
12. [Archive (soft delete)](#archive-soft-delete)
13. [Password history](#password-history)
14. [Settings](#settings)
15. [Activity log](#activity-log)
16. [Locking and auto-lock](#locking-and-auto-lock)
17. [Import and export](#import-and-export)
18. [Transfer vault ownership](#transfer-vault-ownership)
19. [Recovery if you forget your PIN](#recovery-if-you-forget-your-pin)
20. [Plans and licensing](#plans-and-licensing)
21. [Keyboard shortcuts](#keyboard-shortcuts)
22. [Frequently asked questions](#frequently-asked-questions)
23. [Security summary](#security-summary)

---

## Getting started

### Adding the vault to a page

1. Open any Confluence page and click **Edit**.
2. Type `/Credential Vault` in the editor body.
3. Select **Credential Vault** from the macro menu.
4. Click **Save** or **Publish** the page.

The vault macro can be added to any page. Each page has its own independent vault, with its own PIN, entries, templates, and settings.

### Protecting your vault page in Confluence

Anyone with edit access to the Confluence page can delete the page (and the vault macro along with it).
Use one of the following Confluence-native protections:

**Option 1 - Page Restrictions (simplest):** On the page, click the lock icon (or the more-actions menu, then Restrictions). Set view and edit so only specific users or groups can change the page. Admins keep full access. Built into Confluence Cloud with no extra setup.

**Option 2 - Space Permissions:** In Space Settings, then Permissions, remove the "Delete Pages" permission from all users except admins and space admins. This protects every page in the space, not just the vault page.

### Creating your PIN

The first time you open the vault on a new page, you are prompted to create a PIN.

- Minimum **8 characters** for new vaults (longer is stronger).
- A live strength meter (Weak / Fair / Good / Strong) shows as you type.
- Your PIN is used to derive your encryption key. It is **never stored anywhere** - only a salted SHA-256 hash is kept for verification.
- **Write your PIN down before you continue** - if you forget it, your credentials cannot be recovered. See [Recovery](#recovery-if-you-forget-your-pin).

A yellow warning banner is shown on the first-time setup screen to remind you of this before you proceed.

Enter your PIN, confirm it, and click **Create vault**. The user who creates the vault becomes the **vault owner** - see [Vault ownership and roles](#vault-ownership-and-roles).

---

## The vault interface

```
+-------------------------------------------------------------+
| Credential vault        [+ Add] [Archive] [Settings] [Lock] |
| 12 entries                                                  |
| Auto-locks after 10 min of inactivity                       |
+-------------------------------------------------------------+
| Search name, username, URL, category...                 [x] |
| [All] [Work] [Personal] [Finance]              Sort: A to Z |
| [Expand all] [Select] [Shortcuts]                           |
+-------------------------------------------------------------+
| * GitHub         [Work]  [MFA]           [pin] [dup] [edit] |
|   AWS Console    [Cloud] [MFA]           [pin] [dup] [edit] |
|   Personal Gmail [Email]                 [pin] [dup] [edit] |
+-------------------------------------------------------------+
```

[SCREENSHOT: Full unlocked vault view showing the header (+ Add, Archive count, Settings gear, Lock), the auto-lock notice strip, the search bar with active category pills, the sort dropdown, and three to five expanded and collapsed entry cards.]

### Header controls

| Button | Action |
|---|---|
| **+ Add** | Open the templates picker, then the new credential form. Disabled at the free-tier limit. |
| **Archive (count)** | Open the Archive screen (only shown when there are archived entries). |
| **Settings (gear)** | Open Settings - Change PIN, Activity log, Auto-lock, Archive retention, Theme, Password generator, Categories, Templates, Import / Export, Transfer ownership. |
| **Lock** | Lock the vault immediately. All decrypted data is cleared from memory. |

---

## Vault ownership and roles

Each vault has one **owner**, set automatically to the Atlassian account of the user who first creates the vault. Everyone else with page access is a **regular user**.


| Action | Owner | Regular user |
|---|---|---|
| Unlock with PIN | Yes | Yes |
| View, copy, reveal entries | Yes | Yes |
| Add, edit, archive entries | Yes | Yes |
| Restore archived entries | Yes | Yes |
| Permanently delete entries | Yes | No (must archive instead) |
| Change PIN | Yes | No |
| Change auto-lock timeout | Yes | No |
| Change archive auto-delete window | Yes | No |
| Import from CSV | Yes | No |
| Export to CSV | Yes | No |
| Manage shared templates | Yes | No |
| Transfer vault ownership | Yes | No |
| Manage personal "My view" templates | Yes | Yes |
| Manage personal theme and generator preferences | Yes | Yes |

Owner-only actions appear in Settings but are disabled (greyed out) for regular users, with a small "Owner only" label next to them.

[SCREENSHOT: Settings panel viewed by a regular (non-owner) user, showing Change PIN, Auto-lock, Auto-delete, Import, Export, and Transfer ownership rows in the disabled (greyed) state with the "Owner only" badge.]

---

## Adding credentials

Click **+ Add** in the header. You are first shown the **template picker** - choose a template to pre-fill common fields, or click **Blank** to start empty. See [Templates](#templates) for details.

### Credential fields

| Field | Required | Description |
|---|---|---|
| Name / site | Yes | Label for this entry (for example "GitHub" or "AWS Console - Prod"). |
| Category | No | Tag the entry as Work, Personal, Finance, Email, Cloud, Servers, Network, DevOps, Social, Other, or any category your owner has added. |
| URL | No | Login URL or address. A protocol picker offers https, http, rdp, ssh, vnc, sftp, ftp, ftps, smb, ldap, ldaps, mysql, mssql, postgresql, mongodb, redis, telnet, smtp, smtps, imap, imaps. Dangerous protocols (javascript, data, vbscript, file) are blocked. |
| Username or email | Yes | The login username or email address. |
| Password | Yes | The account password. |
| MFA secret | No | The base32 TOTP key for two-factor authentication. See [Setting up MFA codes](#setting-up-mfa-codes). |
| Tags | No | One or more freeform tags (comma-separated, lowercase, hyphenated). Searchable and filterable. |
| Notes | No | Multi-line notes - recovery codes, account numbers, hints. |

Click **Save** to encrypt and store the entry. You see a "Saving" indicator briefly while the encrypted blob is written to Forge KV storage.

[SCREENSHOT: Add credential modal showing the Name, Category dropdown, URL row with the protocol-select pill on the left, Username, Password (with Generate, Reveal, Check breaches buttons), MFA secret, Tags input with two example chips, and Notes textarea.]

### Password generator

Click **Generate** next to the password field to create a strong random password. The generator uses the browser's cryptographic random number generator (`crypto.getRandomValues`).

Generator preferences are configurable in **Settings > Password Generator**:

- **Include** toggles for uppercase (A-Z), lowercase (a-z), digits (0-9), and symbols (#$!).
- **Length** slider from **8 to 99 characters** (default 20).
- At least one character class must remain enabled.

The generated password is automatically revealed in the field so you can see and copy it before saving.

### Password strength meter

As you type or generate a password, four coloured segments and a label appear:

- Red - Weak (too short or too simple)
- Amber - Fair (some complexity, could be stronger)
- Blue - Good (solid length and variety)
- Green - Strong (long and diverse character mix)

### Checking for known breaches (Have I Been Pwned)

Click **Check for breaches** below the password field to verify whether the password appears in a known data breach.

**How it works (k-anonymity):** Only the first 5 characters of a SHA-1 hash of your password are sent to the Have I Been Pwned API. The full hash and the actual password never leave your browser. The API returns a list of hash suffixes that match; your browser checks locally whether your password is in that list.

- **Not found** - the password does not appear in any known breach.
- **Found in N breaches** - the password has been exposed. You should change it.

The check is optional and does not block saving. If the API is unavailable, the result is silently skipped.

### Setting up MFA codes

If the account uses two-factor authentication (2FA), you can store the TOTP secret so the vault generates live codes automatically - no separate authenticator app needed.

**Where to find your MFA secret:** When enabling 2FA on any website, you are normally shown a QR code to scan. Look for a link near the QR code that says one of:

- "Can't scan the QR code?"
- "Enter setup key manually"
- "Show secret key"

That text string (example: `JBSWY3DPEHPK3PXP`) is your base32 TOTP secret. Paste it into the **MFA secret** field. You can also paste a full `otpauth://` URI - the vault parses digits, period, and algorithm from it automatically.

[SCREENSHOT: Expanded entry card showing the MFA CODE row with a live 6-digit code, the seconds-remaining counter, the green-to-amber-to-red progress bar at full width, and the eye-and-copy buttons.]

### Duplicate detection

When saving a new entry, the vault warns you if:

- The **name** matches an existing entry, or
- The **URL** matches an existing entry.

You can tick "Don't warn me again on this device" to skip the warning in future. The warning never blocks saving - it just helps you avoid accidental copies.

### Password reuse warning

When saving an entry, the vault checks whether the password is already used by another entry in the same vault. If so, you see a "Password reused" notice naming the conflicting entry. You can save anyway - the warning is informational.

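
The k-anonymity breach check described under "Checking for known breaches" can be sketched as follows. This is an added example, not the vault's own code: the function names and the sample range response are constructed for illustration, and the range endpoint path on `api.pwnedpasswords.com` is the public Have I Been Pwned one.

```javascript
// Added example, not the vault's source code.
// Web Crypto is native in browsers; the fallback covers older Node.js runtimes.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// SHA-1 of the password as 40 uppercase hex characters.
async function sha1Hex(password) {
  const bytes = new TextEncoder().encode(password);
  const digest = new Uint8Array(await webcrypto.subtle.digest("SHA-1", bytes));
  return Array.from(digest, (b) => b.toString(16).padStart(2, "0")).join("").toUpperCase();
}

// Only `prefix` (5 hex characters) is sent; `suffix` (35 characters) stays local.
function splitHash(hex) {
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// The range response is plain text, one "SUFFIX:COUNT" pair per line.
// Returns the count for `suffix`, or 0 when it is absent. Padded responses
// include decoy suffixes with a count of 0, which also read as "not found".
function countInRange(responseText, suffix) {
  for (const line of responseText.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      return Number.parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// Network call, kept separate so the matching logic can be tested offline.
async function fetchRangeFromApi(prefix) {
  const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`);
  if (!res.ok) throw new Error(`range query failed: ${res.status}`);
  return res.text();
}

// Full check. An unavailable API yields "skipped" so saving is never blocked.
async function checkBreach(password, fetchRange = fetchRangeFromApi) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  let body;
  try {
    body = await fetchRange(prefix);
  } catch {
    return { status: "skipped", count: 0 };
  }
  const count = countInRange(body, suffix);
  return count > 0 ? { status: "found", count } : { status: "not-found", count: 0 };
}

// Constructed sample response for prefix 5BAA6 (the counts are made up).
const SAMPLE_RANGE_5BAA6 = [
  "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42", // suffix of SHA-1("password")
  "1E4D0A1B2C3D4E5F60718293A4B5C6D7E8F:0", // padding-style decoy entry
].join("\r\n");
```
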

---

## Templates

Templates let you pre-fill the new-entry form with sensible defaults for common credential types - MSP-focused presets such as M365 Admin, AWS Console, Windows Server (RDP), Linux Server (SSH), Firewall / VPN, Switch / Router, Database, GitHub, and more.

There are three categories of template:

| Type | Scope | Who can manage |
|---|---|---|
| **Built-in** | Same in every vault | Cannot be edited, but each user can hide them from their own grid |
| **Admin** | Stored server-side per vault, shared with everyone on the page | Vault owner only |
| **Personal (My view)** | Stored in your browser's local storage, visible only to you | Anyone |

[SCREENSHOT: Choose a template modal showing the 4-column grid of icons and labels - built-in templates (M365 Admin, M365 User, Azure Portal, AWS Console, Windows Server, Linux/SSH, Firewall/VPN, Switch/Router, Database, GitHub, Email Account, Vendor Portal) and a Blank tile at the end.]

### Choosing a template

Click **+ Add** in the header - the **Choose a template** modal opens. Click any tile to start a new entry pre-filled from that template, or click **Blank** to start with empty fields.

### Managing shared (admin) templates

Owners only. Open **Settings > Manage templates** to add, edit, rename, change icon, or remove templates that everyone using the vault will see. Built-in templates can be reset back to defaults from this screen.

### My view (personal templates and hidden tiles)

From the **Choose a template** modal, click the **My view** icon (top-right) to open your personal customisation screen. There are three tabs:

- **Hidden** - tick built-in templates you want hidden from your personal grid.
- **My templates** - create, edit, or delete templates that only you see (stored in your browser).
- **Sort order** - choose how templates are ordered for you: A to Z, Z to A, Team first, or Mine first.


Hidden templates and personal templates are stored in `localStorage` - they follow your browser, not your Atlassian account.

[SCREENSHOT: My view modal on the "My templates" tab showing one or two personal templates with edit and delete buttons and the "+ New personal template" action at the top.]

---

## Viewing and using credentials

Click any entry row to expand it. Opening an entry records a **last used** timestamp shown at the bottom of the expanded card.

### Copying fields

Every field has a small **copy button** on the right. Clicking it copies the value to your clipboard silently - no reveal required. A toast confirms what was copied.

| Field | Behaviour |
|---|---|
| Username | Always visible; copy button on right. |
| URL | Shown as a clickable link; copy button on right. |
| Password | Hidden by default. Click the eye to reveal, or copy to clipboard without revealing. |
| MFA code | Hidden by default (rendered as bullets). Click the eye to reveal, or copy to clipboard without revealing the digits. |
| Notes | Shown; copy button on right. |
| Tags | Shown as chips inside the expanded card. |

The recommended workflow is to **always use the copy button** - you rarely need to reveal the password or MFA code at all.

### MFA countdown timer

When an MFA secret is stored, a live 6-digit code is displayed with:

- A countdown showing seconds remaining in the current 30-second window.
- A progress bar that turns amber at 10 seconds and red at 5 seconds.
- Automatic refresh every 30 seconds.

### Re-add to authenticator (QR code)

Click the QR-code button inside an expanded entry to open a printable QR code suitable for scanning into any standard authenticator app (Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and so on). The raw secret or `otpauth://` URI is also shown below the QR code for manual entry.

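
The live MFA code, its countdown, and the handling of a bare base32 secret versus a full `otpauth://` URI can be illustrated with the sketch below. It is an added example, not the vault's own code: function names are hypothetical, the key is the published RFC 6238 test key, and treating embedded spaces as invalid follows the FAQ's "no spaces" advice.

```javascript
// Added example, not the vault's source code.
// Web Crypto is native in browsers; the fallback covers older Node.js runtimes.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
const HASH_NAMES = { SHA1: "SHA-1", SHA256: "SHA-256", SHA512: "SHA-512" };

// Decode an RFC 4648 base32 secret. Returns null for anything that is not
// valid base32 (including embedded spaces) so the UI can show dashes.
function base32Decode(secret) {
  const text = secret.toUpperCase().replace(/=+$/, "");
  if (text.length === 0) return null;
  const bytes = [];
  let buffer = 0;
  let bits = 0;
  for (const ch of text) {
    const value = BASE32_ALPHABET.indexOf(ch);
    if (value === -1) return null;
    buffer = (buffer << 5) | value;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((buffer >>> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return new Uint8Array(bytes);
}

// Accept a bare base32 secret or an otpauth://totp URI and return the
// parameters needed to generate codes (defaults: SHA-1, 6 digits, 30 s).
function parseMfaInput(input) {
  const params = { secret: input.trim(), algorithm: "SHA-1", digits: 6, period: 30 };
  if (!/^otpauth:\/\//i.test(params.secret)) return params;

  const uri = new URL(params.secret);
  if (uri.hostname.toLowerCase() !== "totp") throw new Error("only otpauth://totp is supported");
  const query = uri.searchParams;
  const algorithm = HASH_NAMES[(query.get("algorithm") ?? "SHA1").toUpperCase()];
  const digits = Number(query.get("digits") ?? 6);
  const period = Number(query.get("period") ?? 30);
  if (!algorithm) throw new Error("unsupported algorithm");
  if (!Number.isInteger(digits) || digits < 6 || digits > 8) throw new Error("bad digits");
  if (!Number.isInteger(period) || period < 1) throw new Error("bad period");
  return { secret: query.get("secret") ?? "", algorithm, digits, period };
}

// RFC 6238 TOTP for the given Unix time. Returns null for an invalid secret,
// otherwise the code and the seconds left in the current window.
async function totp(params, unixSeconds) {
  const keyBytes = base32Decode(params.secret);
  if (keyBytes === null) return null;

  // The moving factor is the window index as a big-endian 64-bit integer.
  const counter = Math.floor(unixSeconds / params.period);
  const message = new DataView(new ArrayBuffer(8));
  message.setUint32(0, Math.floor(counter / 2 ** 32));
  message.setUint32(4, counter >>> 0);

  const key = await webcrypto.subtle.importKey(
    "raw", keyBytes, { name: "HMAC", hash: params.algorithm }, false, ["sign"]
  );
  const mac = new Uint8Array(await webcrypto.subtle.sign("HMAC", key, message.buffer));

  // Dynamic truncation (RFC 4226): 31 bits starting at a MAC-derived offset.
  const offset = mac[mac.length - 1] & 0x0f;
  const binary =
    ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  const code = String(binary % 10 ** params.digits).padStart(params.digits, "0");
  return { code, secondsLeft: params.period - (unixSeconds % params.period) };
}

// RFC 6238 test key ("12345678901234567890" in base32), not a real secret.
const RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";
const RFC_TEST_URI =
  `otpauth://totp/Example:alice?secret=${RFC_TEST_SECRET}&algorithm=SHA1&digits=8&period=30`;
```

With the RFC test key, `totp(parseMfaInput(RFC_TEST_URI), 59)` yields the published vector `94287082` with one second left in the window; a live display would pass `Math.floor(Date.now() / 1000)` instead.
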

[SCREENSHOT: Re-add to Authenticator modal showing the generated QR code centred in the modal, the entry name and username, and the secret-or-URI text block beneath it with a copy button.]

---

## Tags

Tags are freeform labels you can attach to any entry to make it easier to find. Unlike Categories (which come from a fixed list managed by the owner), tags are typed in by the user.

**Adding tags:** In the entry form, type a tag in the **Tags** input and press Enter or comma. Tags are lower-cased automatically and spaces become hyphens (`Prod Server` becomes `prod-server`). Each tag is shown as a chip you can remove with the small x.

**Searching tags:** Tags are searchable. Typing in the main search bar matches against entry name, username, URL, category, notes, and any tag.

---

## Categories

Entries can be tagged with a category to help organise your vault as it grows.

**Default categories:** Work - Personal - Finance - Email - Cloud - Servers - Network - DevOps - Social - Other.

### Assigning a category

When adding or editing an entry, choose a category from the dropdown. You can also choose "None" to leave it uncategorised.

### Filtering by category

When your vault has entries with categories assigned, a row of **category pills** appears below the search bar. Click a category to show only matching entries. Click **All** to return to the full list. The active filter is highlighted with the category's colour.

### Managing categories (owner only)

Open **Settings > Manage categories** to add or remove categories and **drag-and-drop** to reorder them. Changes apply immediately.

---

## Search, sort, and filter

The search bar appears whenever the vault has entries.

### Multi-tag search

- Type any text and press **Enter** to convert it into a search chip - this allows multiple search terms (AND logic). The list narrows further with each chip.
- Backspace in an empty search input removes the last chip.
- Click the **x** chip control to remove an individual chip; click the search bar's **x** to clear everything.

Searches match against entry name, username, URL, category, notes, and tags.

### Sort options

| Sort option | Description |
|---|---|
| A to Z | Alphabetical by name (default). |
| Z to A | Reverse alphabetical. |
| Category | Grouped by category in the category-list order. |
| Newest first | Most recently created entries at top. |
| Oldest first | Original creation order. |
| Recently used | Entries you opened most recently appear first. |

**Pinned entries always appear at the top** of the list within their sort order. See [Pinning, duplicating, and editing](#pinning-duplicating-and-editing).

### Combining filters

Search chips, category filter, and sort all work together - only entries matching all active filters are shown, then sorted.

---

## Pinning, duplicating, and editing

Each entry header (collapsed or expanded) shows these icon buttons on the right:

| Icon | Action |
|---|---|
| Star | **Pin to top.** Pinned entries always appear at the top regardless of sort. Click again to unpin. |
| Duplicate | Open a pre-filled copy of the entry. The name is prefixed with "(copy)". Useful for multiple accounts on the same service. |
| Pencil | Edit the entry. All fields can be changed. The Modified timestamp updates on save. |
| Archive | Move the entry to the Archive (soft delete). See [Archive](#archive-soft-delete). |
| Expand or collapse | Toggle this entry's expanded view. |

[SCREENSHOT: Entry card row showing the star (filled = pinned), duplicate, edit pencil, archive box, and chevron expand button on the right.]

### Timestamps

Each entry tracks four timestamps shown at the bottom of the expanded card:

| Timestamp | When it updates |
|---|---|
| **Created** | When the entry was first saved. |
| **Modified** | When the entry was last edited and saved. |
| **Password changed** | When the password value was last changed (separate from edits to other fields). |
| **Last used** | When the entry was last expanded (opened) in the vault. |

Hover any timestamp for the full date and time. Timestamps are included in CSV exports.

---

## Bulk actions

Click **Select** in the toolbar to enter selection mode. A checkbox appears on every entry; tick the ones you want to act on.

- The toolbar shows **Delete N** (which archives the selected entries in bulk).
- Click **Cancel** to leave selection mode without changes.

Bulk delete moves the entries to the Archive, where they can be restored before being auto-purged. Only the vault owner can hard-delete from the Archive.

---

## Archive (soft delete)

Clicking the archive icon on an entry **soft-deletes** it - the entry is hidden from the main list but still encrypted and stored. You can restore it before it is auto-purged.

### Opening the archive

When at least one entry is archived, an **Archive** button appears in the header showing the count. You can also reach it from **Settings > View archive**.

[SCREENSHOT: Archive screen showing two or three archived entries with their original names, when they were archived ("3d ago"), the Restore button on each row, and (for the owner) the red x permanent-delete button.]

### Restoring an archived entry

Click **Restore** next to any archived entry. The entry returns to the main list with its Modified timestamp updated. If the name already exists on another live entry, "(restored)" is appended automatically.

### Permanent deletion (owner only)

Inside the Archive, the owner sees a small red **x** next to each entry. Clicking it permanently deletes the entry after a confirmation prompt. Regular users cannot hard-delete; the button is hidden for them.

### Auto-delete after N days (owner only)

In **Settings > Auto-delete after**, the owner picks a retention window: **Never, 7, 14, 30, 60, 90 (default), 180, or 365 days**.
When an entry's `archivedAt` timestamp is older than this window, it is permanently and silently deleted the next time the vault is unlocked.

When you archive an entry while auto-delete is enabled, a one-time notice reminds you of the retention window. Tick "Don't warn me again on this device" to suppress that notice in future.

---

## Password history

Whenever you change an entry's password, the previous password is added to that entry's **password history**. Up to the last **5 previous passwords** are kept per entry, along with the date each was changed.

### Viewing history

Inside an expanded entry, click the clock icon next to the password field to open the **Password history** modal. Each row shows:

- When the password was changed (relative time, hover for full date).
- The masked password with a reveal toggle and a copy button.
- A **Restore** button to set this old password back as the active password.

[SCREENSHOT: Password history modal listing three past passwords for an entry, each with a relative date, masked dots, reveal/copy buttons, and a Restore action.]

### Restoring a previous password

Clicking **Restore** on a history row sets that old value back as the live password. The current password is pushed into history (so you can undo the restore). If the restored password was already in history, it is removed from the list (since it is now active again).

---

## Settings

Click the gear icon in the header to open the Settings panel. Sections in order:

| Section | Contents |
|---|---|
| **Security** | Change PIN (owner only), Activity log, Transfer vault ownership (owner only), Auto-lock timeout (owner only). |
| **Archive** | View archive (with count), Auto-delete after N days (owner only). |
| **Appearance** | Theme - Light, Auto, Dark. |
| **Password Generator** | Toggle character sets (A-Z, a-z, 0-9, #$!), Length 8 to 99. |
| **Categories** | Manage categories (owner only), Manage templates (owner only). |
| **Data** | Export to CSV (owner only), Import from CSV (owner only). |
| **About** | Current auto-lock, encryption details, support links. |

### Change PIN (owner only)

1. Open **Settings > Change PIN**.
2. Enter your **current PIN** to verify.
3. Enter and confirm your **new PIN** (minimum 8 characters; strength meter shown).
4. Click **Set new PIN**.

All entries are immediately re-encrypted with the new PIN and a fresh per-vault salt. The old PIN will no longer work. You receive a "PIN changed successfully" toast when complete.

> **Important:** Write down your new PIN before saving. Like the original, it cannot be recovered if forgotten.

[SCREENSHOT: Change PIN modal on the "Choose a new PIN" step with the strength meter at "Strong", the recovery warning box, and the Cancel / Set new PIN footer.]

### Auto-lock timeout (owner only)

Choose how many minutes of inactivity before the vault locks. Options: **1, 3, 5, 10 (default), 15, 30, 60 minutes**.

The vault shows a **60-second countdown banner** before locking (20 seconds for the 1-minute setting), so you can stay unlocked with one click on **Stay unlocked**.

### Theme

Choose Light, Auto (follows your OS preference), or Dark. The setting is stored per browser, per user.

### Password generator preferences

Configure the defaults used by the **Generate** button on the entry form. See [Password generator](#password-generator).

### Categories and templates

Owners can add, rename, and reorder categories; create and edit shared templates. See [Categories](#categories) and [Templates](#templates).

### Data - Import and export

Owners can export the full vault to CSV or import entries from a previously exported CSV. See [Import and export](#import-and-export).

### About

The bottom of Settings shows:

- Current auto-lock setting.
- Encryption: AES-GCM 256-bit, client-side.
- Key derivation: PBKDF2 with 200,000 iterations.
- TOTP: HMAC-SHA1 via Web Crypto API.
- A link to https://cowboymsp.com/credential-vault/ and the support email.

---

## Activity log

Open **Settings > Activity log** to see the most recent vault events. The log is **PIN-protected on the server** - opening it requires your PIN hash, so a user who has page access but not the PIN cannot read it.

Events logged include:

- vault_created
- pin_change
- add / edit / delete (with entry name)
- archive / restore / bulk_archive / archive_purge (auto-deletes)
- csv_export / csv_import
- ownership_transferred (with the new owner account ID)
- restore_password (when an old password is restored from history)

Each row shows when, what, and who (display name plus account ID hover). The log is capped at the most recent **2,000 events** per vault to prevent unbounded storage growth. You can export the log to CSV from the modal footer.

[SCREENSHOT: Activity log modal showing six to ten rows with relative timestamps on the left, the action description in the middle, and the user display name on the right, plus the Close and Export log buttons in the footer.]

---

## Locking and auto-lock

### Lock immediately

Click the lock icon in the header at any time. All decrypted credentials and the session key are cleared from memory; the lock screen returns.

### Auto-lock

The vault automatically locks after the configured **idle timeout** (default 10 minutes). Idle means no mouse movement, keystrokes, scrolls, or touch events.

A **60-second countdown banner** is shown before the lock fires, with a **Stay unlocked** button. For the 1-minute setting the warning starts at 20 seconds.

The vault also locks when you navigate away from the Confluence page or refresh it.

To unlock, enter your PIN on the lock screen.

---

## Import and export

### Export to CSV (owner only)

1. Open **Settings > Export to CSV**.
2. Read the security warning carefully.
3. Click **Download CSV** to confirm.


The export is generated entirely in your browser - no data is sent to any backend - and the file is downloaded directly. Every export is recorded in the Activity log so other team members can see who exported and when.

#### What the export contains

| Column | Contents |
|---|---|
| Name | Entry name. |
| Category | Entry category, if set. |
| URL | Login URL, if set. |
| Username | Username or email. |
| Password | Password in plain text. |
| MFA Secret (TOTP Key) | Raw base32 TOTP secret. |
| Notes | Notes field. |
| Created | Date the entry was created. |
| Modified | Date the entry was last edited. |
| Last Used | Date the entry was last opened. |

> **Security notice:** The exported CSV is **not encrypted**. Treat it like a master password list. Store it in a secure location and delete it once you have finished using it.

Tags and password history are not currently included in the export.

#### Importing MFA secrets into another app

The MFA Secret column contains the raw base32 key. This can be entered into any standard authenticator app:

- **Google Authenticator** - plus icon, then "Enter a setup key", paste the key.
- **Authy** - Add account, "Enter key manually", paste the key.
- **Microsoft Authenticator** - plus icon, "Other account", "Enter code manually".
- **1Password** - Edit the item, Add field, "One-Time Password", paste the key.
- **Bitwarden** - Edit the item, TOTP, paste the key.

### Import from CSV (owner only)

1. Open **Settings > Import from CSV**.
2. Click **Select CSV file** and pick a file exported from Credential Vault.
3. The vault parses the file and shows the entry count.
4. Click **Import N entries** to merge them into the vault.

Imported entries are **merged** with your existing credentials - nothing is overwritten. The CSV must include at least the Name, Username, and Password columns.

Unsafe URL protocols (`javascript:`, `data:`, `vbscript:`, `file:`) are blanked out silently during import; the credential itself is still saved.

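
One way to blank unsafe URLs during import while keeping the credential is shown below. This is an added example, not the vault's own code: it assumes the allow-list is the set of schemes offered by the protocol picker, that rows arrive as objects keyed by the export's column names, and that rows missing a required field are skipped; the sample rows are constructed.

```javascript
// Added example, not the vault's source code.
// Assumption: the allow-list equals the schemes offered by the protocol picker.
const ALLOWED_SCHEMES = new Set([
  "https", "http", "rdp", "ssh", "vnc", "sftp", "ftp", "ftps", "smb", "ldap", "ldaps",
  "mysql", "mssql", "postgresql", "mongodb", "redis", "telnet", "smtp", "smtps", "imap", "imaps",
]);
const REQUIRED_COLUMNS = ["Name", "Username", "Password"];

// Returns a normalised URL when its scheme is allow-listed, otherwise "".
// The scheme is read from the WHATWG URL parser rather than a regex, so the
// check sees what a browser would see: mixed case, surrounding whitespace and
// embedded tabs or newlines are normalised away before the comparison.
function sanitizeUrl(raw) {
  const text = String(raw ?? "").trim();
  if (text === "") return "";
  let parsed;
  try {
    parsed = new URL(text);
  } catch {
    // No scheme at all (for example "example.com/login"): retry as https.
    try {
      parsed = new URL(`https://${text}`);
    } catch {
      return "";
    }
  }
  const scheme = parsed.protocol.slice(0, -1); // the parser already lowercases it
  // Store the parsed form that was checked, never the raw input string.
  // "host:port/path" without a scheme parses as scheme "host" and is blanked.
  return ALLOWED_SCHEMES.has(scheme) ? parsed.href : "";
}

// Merge-ready entries: the URL is blanked if unsafe, every other field is kept.
function prepareImport(rows) {
  const entries = [];
  let blankedUrls = 0;
  for (const row of rows) {
    if (REQUIRED_COLUMNS.some((column) => !row[column])) continue;
    const url = sanitizeUrl(row.URL);
    if (row.URL && url === "") blankedUrls += 1;
    entries.push({ ...row, URL: url });
  }
  return { entries, blankedUrls };
}

// Constructed sample rows, shaped like parsed lines of an exported CSV.
const SAMPLE_ROWS = [
  { Name: "GitHub", URL: "  HTTPS://GitHub.com/login ", Username: "alice", Password: "constructed-1" },
  { Name: "Bastion", URL: "ssh://bastion.example.net:22", Username: "ops", Password: "constructed-2" },
  { Name: "Old wiki", URL: "JaVaScRiPt:void(0)", Username: "bob", Password: "constructed-3" },
  { Name: "Incomplete", URL: "https://example.com", Username: "carol", Password: "" },
];
```
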

On the free tier, an import is blocked if it would push you above the 3-entry limit.

---

## Transfer vault ownership

The vault owner can hand off ownership to another Atlassian user on the same site - useful for staff handovers, account closures, or rotating duties.

1. Open **Settings > Transfer vault ownership**.
2. Read the warning carefully - **the change cannot be undone by you**.
3. Click **Continue**, search for the new owner by name (Confluence user search), and select them.
4. Click **Transfer ownership**.

[SCREENSHOT: Transfer ownership modal on the search step, showing the search input "rob" with three matching Confluence users in a results list and one selected, plus the red Transfer ownership button.]

You lose owner-only rights immediately. The new owner can:

- Permanently delete entries from the Archive.
- Change the vault PIN, idle timeout, and archive auto-delete window.
- Import and export CSV.
- Manage shared templates and categories.
- Transfer ownership again (to anyone, including back to you).

The event is recorded in the Activity log as `ownership_transferred` with both old and new account IDs.

---

## Recovery if you forget your PIN

**There is no server-side recovery.** Your PIN is never stored - only a salted SHA-256 hash is kept for verification. Without the correct PIN, the AES-GCM encrypted data cannot be decrypted.

### Before you are locked out, act now

1. If you are still logged in, the **owner** can open **Settings > Change PIN** and set a new PIN they will remember.
2. The owner can export credentials via **Settings > Export to CSV** as a backup before locking.

### If you have already forgotten your PIN

Unfortunately, the encrypted credentials cannot be recovered. This is intentional - it means nobody else can recover them either, including Atlassian and CowboyMSP.

The owner can recreate the vault on a new page (or have a Confluence admin delete and re-add the macro) and re-enter the credentials from any backup.

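
Why a forgotten PIN is unrecoverable, and what a PIN change has to do, follows from the scheme the guide describes (PBKDF2 with 200,000 iterations feeding AES-GCM 256). The sketch below is an added example, not the vault's own code: the blob layout, the function names, PBKDF2's inner hash (SHA-256), and the 16-byte salt and 12-byte IV sizes are assumptions.

```javascript
// Added example, not the vault's source code.
// Web Crypto is native in browsers; the fallback covers older Node.js runtimes.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const PBKDF2_ITERATIONS = 200000; // figure stated in the guide

// PIN + per-vault salt -> non-extractable AES-GCM 256-bit key.
// Assumption: SHA-256 as the PBKDF2 hash; the guide does not name it.
async function deriveKey(pin, salt) {
  const material = await webcrypto.subtle.importKey(
    "raw", new TextEncoder().encode(pin), "PBKDF2", false, ["deriveKey"]
  );
  return webcrypto.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: PBKDF2_ITERATIONS, hash: "SHA-256" },
    material,
    { name: "AES-GCM", length: 256 },
    false,
    ["encrypt", "decrypt"]
  );
}

// Encrypt the entries under a key derived from the PIN. A fresh random salt
// and IV are generated on every call; only { salt, iv, ciphertext } would be
// stored, never the PIN or the key.
async function sealVault(pin, entries) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(pin, salt);
  const plaintext = new TextEncoder().encode(JSON.stringify(entries));
  const ciphertext = new Uint8Array(
    await webcrypto.subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext)
  );
  return { salt, iv, ciphertext };
}

// Returns the entries, or null when the PIN is wrong or the blob was altered:
// in both cases the GCM authentication tag fails and nothing is decrypted.
async function openVault(pin, blob) {
  const key = await deriveKey(pin, blob.salt);
  try {
    const plaintext = await webcrypto.subtle.decrypt(
      { name: "AES-GCM", iv: blob.iv }, key, blob.ciphertext
    );
    return JSON.parse(new TextDecoder().decode(plaintext));
  } catch {
    return null;
  }
}

// PIN change: decrypt with the old PIN, then re-encrypt everything under the
// new PIN with a fresh salt, so the old PIN no longer opens the stored blob.
async function changePin(currentPin, newPin, blob) {
  const entries = await openVault(currentPin, blob);
  if (entries === null) throw new Error("current PIN is incorrect");
  return sealVault(newPin, entries);
}
```
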

### Prevention for the future

- Store your vault PIN in your personal password manager (1Password, Bitwarden, LastPass, etc.).
- Keep a printed or written copy in a secure physical location.
- When prompted on first setup or PIN change, always heed the "write this down" warning.
- Owners should export to CSV periodically and store the file securely.

---

## Plans and licensing

| | Free | Paid |
|---|---|---|
| Credential entries | Up to 3 | Unlimited |
| PIN encryption (AES-GCM 256) | Yes | Yes |
| Change PIN | Yes | Yes |
| MFA / TOTP generation | Yes | Yes |
| Password generator | Yes | Yes |
| Password strength meter | Yes | Yes |
| Have I Been Pwned breach check | Yes | Yes |
| Categories, tags, search, sort | Yes | Yes |
| Pin to top, duplicate, archive | Yes | Yes |
| Password history (last 5) | Yes | Yes |
| Templates (built-in, admin, personal) | Yes | Yes |
| Activity log (last 2,000 events) | Yes | Yes |
| Auto-lock with countdown | Yes | Yes |
| Light / Auto / Dark theme | Yes | Yes |
| CSV import and export | Yes | Yes |
| Transfer ownership | Yes | Yes |
| QR re-add to authenticator | Yes | Yes |
| Any device, any network | Yes | Yes |
| 30-day free trial | - | Yes |
| Licence required | No | Atlassian Marketplace |

### Free-tier behaviour

When you reach the 3-entry free-tier limit, a yellow banner is shown in the vault header. The **+ Add** button is disabled until a licence is active. Existing entries can still be viewed, copied, edited, and archived - you just cannot add new ones.

If you exceed the limit from a previous trial that has ended, the same rule applies: existing entries are preserved and editable, but no new entries can be added until you upgrade.

---

## Keyboard shortcuts

When the vault is unlocked and no modal is open, the following keyboard shortcuts work:

| Key | Action |
|---|---|
| `/` | Focus the search input. |
| `N` | Open the templates picker to add a new entry (disabled at free-tier limit). |
| `Esc` | Collapse all expanded entries. |

A small **kbd ?** button is shown next to the sort dropdown - click it to reveal the same list inline.

---

## Frequently asked questions

**Can Atlassian read my credentials?**
No. Credentials are encrypted in your browser using AES-GCM 256-bit before they are sent to Forge storage. Only encrypted blobs reach Atlassian's servers. Without your PIN, the data cannot be decrypted by Atlassian, CowboyMSP, or anyone else.

**What happens if I forget my PIN?**
Your credentials cannot be recovered without the PIN. See [Recovery](#recovery-if-you-forget-your-pin). Always store your PIN in a personal password manager.

**Can I change my PIN without losing data?**
Yes. Open **Settings > Change PIN**. All entries are re-encrypted with the new PIN immediately. Owner only.

**How does the breach check work? Does my password get sent anywhere?**
Only the first 5 characters of a SHA-1 hash of your password are sent to the Have I Been Pwned API - this is called k-anonymity. Your actual password and the full hash never leave your browser.

**Can I use the vault on mobile?**
Yes. The vault works in any modern browser, including Confluence's mobile browser experience.

**Why does the MFA code sometimes show dashes?**
The MFA secret stored for that entry is invalid or incorrectly formatted. Edit the entry and verify the secret is a valid base32 string with no spaces. You can paste a full `otpauth://` URI - the vault parses digits, period, and algorithm from it.

**How do I give someone else access to the vault?**
Give them the Confluence page URL and the vault PIN. They need Confluence page view access and the PIN to decrypt.

**Can I have multiple vaults?**
Yes - each Confluence page with the macro added has its own independent vault, PIN, entries, templates, and settings.

**Is the CSV export encrypted?**
No. The CSV is plain text for portability. Delete it after use. Every export is recorded in the Activity log.

**What happens to deleted entries?**
They go to the Archive (soft delete). The vault owner can permanently delete archived entries from there. Archived entries are also auto-deleted after the retention window you choose in Settings (default 90 days).

**Can I recover an old password if I changed it?**
Yes, if it is one of the last 5 passwords for that entry. Click the clock icon next to the password field in the expanded card to open Password history, then click Restore on any row.

**What's the difference between Categories and Tags?**
Categories come from a fixed list managed by the vault owner (good for shared structure). Tags are freeform per-entry labels you type yourself (good for personal organisation). Both are searchable.

**How do I hand the vault over when someone leaves?**
The current owner opens **Settings > Transfer vault ownership** and picks the new owner from the Confluence user search. The handover is immediate and audited.

**Why is the Change PIN option greyed out for me?**
You are a regular user, not the vault owner. PIN, auto-lock, archive retention, import, export, templates, and categories are owner-only. View, copy, add, edit, and archive remain available to everyone with the PIN.

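
The k-anonymity exchange described in the breach-check answer above, as an added JavaScript example (not Credential Vault's own code): the password is hashed locally, only the 5-character prefix is handed to the lookup, and the remaining 35 characters are matched in the browser. Function names are hypothetical and the response body is constructed; the `SUFFIX:COUNT` line format is the one the Pwned Passwords range endpoint returns.

```javascript
// Added example, not the app's code. Names and sample data are constructed.

// SHA-1 of the password as 40 upper-case hex characters (Web Crypto).
async function sha1Hex(password) {
  const bytes = new TextEncoder().encode(password);
  const digest = await globalThis.crypto.subtle.digest("SHA-1", bytes);
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0"))
    .join("")
    .toUpperCase();
}

// Only `prefix` goes on the wire; `suffix` never leaves the browser.
function splitHash(hashHex) {
  if (!/^[0-9A-F]{40}$/.test(hashHex)) throw new Error("expected 40 hex characters");
  return { prefix: hashHex.slice(0, 5), suffix: hashHex.slice(5) };
}

// The range response holds one "SUFFIX:COUNT" line per known hash that
// shares the prefix. The match is made locally, so the service never
// learns which line (if any) was the caller's.
function breachCount(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) return Number(count);
  }
  return 0;
}

// Constructed response body for prefix 5BAA6 (the counts are made up).
const SAMPLE_RANGE_BODY = [
  "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
  "1E5A1BD5C2E2A0C0E6A2A0B3C9E7F1D2A3B:1",
].join("\r\n");

// `fetchRange` is injected so the example runs offline; in a browser it
// would GET https://api.pwnedpasswords.com/range/<prefix> and return the text.
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  const body = await fetchRange(prefix);
  return { sentToApi: prefix, count: breachCount(body, suffix) };
}
```
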
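
The input check behind the "MFA code shows dashes" answer above, as an added JavaScript example that is not Credential Vault's own code: it validates a bare base32 secret or an `otpauth://` URI and extracts digits, period, and algorithm. The function name, the 6-digit / 30-second / SHA1 defaults, the 6 to 8 digit range, the tolerance for lower case and `=` padding, and the sample URI are assumptions made for this illustration.

```javascript
// Added example, not the app's code. All names here are illustrative.
const ALGORITHMS = new Set(["SHA1", "SHA256", "SHA512"]);

function parseMfaInput(input) {
  const text = String(input).trim();
  // A bare secret gets the conventional TOTP defaults (assumption).
  let p = { secret: text, digits: 6, period: 30, algorithm: "SHA1" };

  if (/^otpauth:/i.test(text)) {
    const m = /^otpauth:\/\/([a-z]+)\/[^?#]*\?([^#]*)/i.exec(text);
    if (!m) return { ok: false, error: "malformed otpauth URI" };
    if (m[1].toLowerCase() !== "totp") return { ok: false, error: "not a TOTP URI" };
    const q = new URLSearchParams(m[2]);
    p = {
      secret: q.get("secret") || "",
      digits: Number(q.get("digits") || 6),
      period: Number(q.get("period") || 30),
      algorithm: (q.get("algorithm") || "SHA1").toUpperCase(),
    };
  }

  if (/\s/.test(p.secret)) return { ok: false, error: "secret contains spaces" };
  // Assumption: lower case and trailing '=' padding are tolerated.
  const secret = p.secret.toUpperCase().replace(/=+$/, "");
  if (!/^[A-Z2-7]+$/.test(secret)) return { ok: false, error: "secret is not base32" };
  // Unpadded base32 can never have a length of 1, 3 or 6 modulo 8.
  if ([1, 3, 6].includes(secret.length % 8)) return { ok: false, error: "secret is truncated" };
  // Assumption: 6 to 8 digits are accepted.
  if (!Number.isInteger(p.digits) || p.digits < 6 || p.digits > 8)
    return { ok: false, error: "digits must be 6 to 8" };
  if (!Number.isInteger(p.period) || p.period < 1)
    return { ok: false, error: "period must be a positive integer" };
  if (!ALGORITHMS.has(p.algorithm)) return { ok: false, error: "unsupported algorithm" };
  return { ok: true, secret, digits: p.digits, period: p.period, algorithm: p.algorithm };
}

// Constructed sample input.
const SAMPLE_URI =
  "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA256&digits=8&period=60";
```
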

---

## Security summary

| Property | Detail |
|---|---|
| Encryption | AES-GCM 256-bit, client-side only |
| Key derivation | PBKDF2 with 200,000 iterations, per-vault random salt |
| PIN hash | Salted SHA-256, never the PIN itself |
| TOTP generation | HMAC-SHA-1 (default), SHA-256, or SHA-512 via Web Crypto API, entirely in-browser |
| Breach checking | k-anonymity via Have I Been Pwned (5-char SHA-1 prefix only) |
| Storage | Encrypted blobs in Atlassian Forge KV Storage |
| External egress | Only `api.pwnedpasswords.com` is allow-listed in the manifest |
| Auto-lock | Configurable 1-60 minutes idle, with 60-second pre-lock warning |
| Activity log | PIN-gated read, capped at 2,000 events per vault |
| Concurrency | Optimistic version checks and stale-PIN-hash detection on save |
| Data scope | Per Confluence page; shared among users with page access |
| Page-context safety | Vault operations hard-fail without a page context (no cross-page bleed) |
| URL protocol allow-list | Dangerous schemes (javascript, data, vbscript, file) are blocked |

---

*Credential Vault for Confluence - built on Atlassian Forge by CowboyMSP*
*Support: support@cowboymsp.com - Web: https://cowboymsp.com*