Devices & enrolment

An approver is a person, exercised through their devices. To approve a release, an approver enrols a device, a phone or a laptop, that holds the private capability to approve. That private part stays on the device. It never leaves it, and it never reaches Stillvault.

Enrolling a device

Enrolment is admin-mediated. A member requests a device, and an admin admits it. Before admitting, the admin compares a short fingerprint with the member out-of-band, in person, by call, or over a channel the attacker doesn’t control. The fingerprints must match. This check is what stops a tampered request from slipping a rogue device past the org.

A person can enrol several devices. Any one of them can approve, so a lost phone or a wiped laptop doesn’t lock an approver out.

Removing people and devices

Offboarding is safe by design. When you remove a member or revoke a device, Stillvault first checks every secret that person could approve. If removing them would leave any secret without enough approvers, it warns you before anything changes.

You can then move the affected secrets to a new approver set, so coverage is never silently dropped. See approver groups for how approver sets are defined and reassigned.