Lose a passphrase, rotate a passphrase, panic-lock everything
This page covers what to do when keys go wrong. Three scenarios where you'll be glad you read it before you needed it: someone leaks the project passphrase, you forget your own passphrase, or a laptop walks off.
Use your recovery code (you forgot the passphrase)
Remember the recovery code we showed you during sealrepo init? It's a 30-character code (Crockford Base32, shown in six hyphenated groups) that can unlock the vault (your encrypted repo) without the passphrase. It's a second, independent key wrap created at init — it exists for exactly this moment. sealrepo unlock --recovery is also the only sealrepo command that works without being signed in: it runs fully offline, no account needed.

Unlock with recovery code

    $ sealrepo unlock --recovery
    Recovery code: K8MN4-7PQR2-T5VWX-3YZ9A-BCD6E-FGH2J
    ✓ unlocked 137 files
    ⚠ Your passphrase is unchanged. To set a new one, run: sealrepo rotate

Keep it offline
The recovery code is shown once at init (or written to .sealrepo-recovery.txt in non-interactive setups). Store it somewhere offline — a password manager or a safe. Anyone who has it can unlock the project.

Rotate the passphrase (regularly, or after a leak)
Rotating re-encrypts the master key under a new passphrase. The ciphertext of your files stays the same (re-encrypting megabytes would be slow); only the small key blob changes.
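The rotation described above, modelled as an added example (not sealrepo's own code): one master key wrapped independently under the passphrase and the recovery code, with rotate replacing only the passphrase wrap. The PBKDF2, XOR and HMAC construction and the names init_vault, wrap, unwrap and rotate are assumptions chosen to run on the standard library alone; the page does not state which KDF or cipher sealrepo uses.

```python
import hashlib, hmac, os

# Stdlib stand-in for a real key-wrap/AEAD: the page does not say which KDF or
# cipher sealrepo uses, so PBKDF2 + XOR + HMAC here are assumptions.
def _kek(secret: str, salt: bytes) -> bytes:
    """Stretch a passphrase or recovery code into 64 bytes: enc key + MAC key."""
    return hashlib.pbkdf2_hmac("sha512", secret.encode(), salt, 210_000, dklen=64)

def wrap(master: bytes, secret: str) -> bytes:
    """Return salt || wrapped master key || tag. A fresh salt gives a fresh pad."""
    assert len(master) == 32
    salt = os.urandom(16)
    kek = _kek(secret, salt)
    ct = bytes(a ^ b for a, b in zip(master, kek[:32]))
    tag = hmac.new(kek[32:], salt + ct, hashlib.sha256).digest()
    return salt + ct + tag

def unwrap(blob: bytes, secret: str) -> bytes:
    """Recover the master key, or raise if the secret is wrong or the blob altered."""
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    kek = _kek(secret, salt)
    expected = hmac.new(kek[32:], salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong secret or corrupted key blob")
    return bytes(a ^ b for a, b in zip(ct, kek[:32]))

def init_vault(passphrase: str, recovery_code: str) -> dict:
    """One random master key, wrapped twice under two independent secrets."""
    master = os.urandom(32)  # file ciphertext would be produced under this key
    return {"passphrase_wrap": wrap(master, passphrase),
            "recovery_wrap": wrap(master, recovery_code)}

def rotate(vault: dict, current: str, new: str) -> dict:
    """Re-wrap the same master key under a new passphrase; nothing else moves."""
    master = unwrap(vault["passphrase_wrap"], current)
    return {**vault, "passphrase_wrap": wrap(master, new)}

if __name__ == "__main__":
    code = "K8MN4-7PQR2-T5VWX-3YZ9A-BCD6E-FGH2J"  # sample code shown on this page
    v1 = init_vault("old passphrase", code)
    v2 = rotate(v1, "old passphrase", "new passphrase")
    print("recovery wrap unchanged:", v1["recovery_wrap"] == v2["recovery_wrap"])
    print("same master key:", unwrap(v2["recovery_wrap"], code) ==
          unwrap(v2["passphrase_wrap"], "new passphrase"))
```

In this model the master key never changes, so a retained copy of the old key blob still opens under the old passphrase; whether sealrepo behaves the same way is not stated on the page.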
Rotating

    $ sealrepo rotate
    Current passphrase: ●●●●●●●●●●●●
    New passphrase: ●●●●●●●●●●●●●●●●
    Confirm new passphrase: ●●●●●●●●●●●●●●●●
    ✓ passphrase rotated (recovery code is unchanged)

Recovery code stays the same
Rotating only re-wraps the master key under the new passphrase. Your recovery code and any cloud-escrow blob are independent wraps and are not changed by rotate. If you rotate because the recovery code itself may have leaked, re-run sealrepo init on a fresh vault.

Tell your team
Anyone on the project needs the new passphrase to unlock from this point forward. Their old unlocked sessions keep working (they already have the master key in memory), but new sealrepo unlock calls will need the new passphrase.

Lock down the whole project (contractor went rogue)
Laptop stolen. Contractor went rogue. You need to cut every outstanding access code at once.
sealrepo lockdown revokes all active access codes for the linked project in one shot; every connected watcher re-locks its plaintext within about a second.

From any signed-in CLI in the project

    $ sealrepo lockdown
    ⚠ This will revoke EVERY active access code for acme-billing.
    Type "lockdown" to confirm: lockdown
    ✓ 12 access codes revoked. Connected watchers will re-lock within ~1s.

You can also click Lock down on the project page — same effect. Pass --yes to skip the prompt in scripts.

lockdown vs. panic
sealrepo lockdown is project-wide and server-side (it revokes everyone's access codes). sealrepo panic is local: it re-locks this machine's working tree and wipes the cached session immediately — the "shut my laptop now" button.

Sign a single device out
For the milder case of "I just don't want this laptop paired anymore" — go to Settings → CLI devices on the dashboard. Each row is one paired machine; click Revoke device to kill just that one. Revoking a member from a project also immediately revokes any access codes tied to them.