Recovery
This guide covers local recovery for EnvVault.
OS Credential Store Unavailable
Symptoms:
ENVVAULT_KEYRING_UNAVAILABLEENVVAULT_KEYRING_LOCKED- Credential add, credential resolution, or proxy use fails while reading the OS credential store.
Actions:
- Unlock the platform credential store.
- Re-run
envvault doctor. - Re-add affected credentials if the platform credential store entry is missing.
- Do not store credentials in repository files as a fallback.
Corrupt or Missing Local State
Symptoms:
envvault doctorreports config, data, cache, or SQLite integrity errors.- Optional proxies cannot be loaded.
Actions:
- Preserve the existing data directory for investigation.
- Restore from the migration backup if available.
- If recovery is not possible, run
envvault reset --dry-run, thenenvvault reset --yes. - Recreate credentials and optional proxies.
Stale Runtime Lock or Crash
Symptoms:
ENVVAULT_LOCK_TIMEOUT- Doctor reports stale runtime state.
- A previous EnvVault process was killed while starting or stopping local runtime state.
Actions:
- Confirm no active
envvaultprocess is still running for the same user. - Run
envvault doctor. - Run
envvault doctor --repairto remove stale EnvVault runtime locks and temporary files. - Re-run
envvault doctorand investigate any remaining errors before starting another credential operation.
Suspected Secret Exposure
Actions:
- Stop using affected credentials or proxies.
- Rotate affected credentials in the upstream service.
- Re-add the rotated value to EnvVault.
- Scan config, data, cache, logs, audit files, shell history, and temporary directories for the exposure marker.
- Treat any leaked local proxy token as usable until the child process exits or the token expires.
EnvVault cannot revoke application-side writes that already happened with a valid credential.