Skiff can now run as a shared vault for a whole team, not just one person, while staying fully self-hosted. No cloud, no external identity provider.
Team mode
Choose Personal or Team at setup. Personal works exactly as before.
In team mode, multiple people sign in with their own username and password, sharing one encrypted vault.
Admins can add members, reset passwords, and disable accounts.
A full audit log records logins, host connections (who connected where, as which user), and host/user changes.
Migrating in
Upgrade an existing personal vault to team mode in place from Settings → Team. your hosts and credentials carry over untouched.
New backup / restore: export an encrypted vault and restore it onto a fresh instance, so you can move from a laptop to a team server.
Security
Each member stores their own copy of the shared key, sealed with a key derived from their password (argon2id). The shared key never touches disk unencrypted.
Forgotten passwords are recoverable by an admin reset no cloud backdoor.
See SECURITY.md for the full crypto design.
Note: Team mode is a shared vault every member can access every host. Per-host role-based access control is not included.
Self-hosted, open source, AGPL-3.0. Feedback and issues welcome.