Asset Management

Master asset creation, organization, and management in Key Man Out. Learn about encrypted secrets, file attachments, auto-save features, and guardian roles.

Assets are the core of Key Man Out - secure containers for storing sensitive information that can be accessed by designated team members with appropriate permissions.

Understanding Assets

What is an Asset?

An asset is a structured container that can store multiple types of information, with sensitive content encrypted using your team's vault key phrase:

  • Name: A descriptive identifier (not encrypted)
  • Website: Optional URL to the related service or application (not encrypted)
  • Instructions: Rich text notes with formatting support (not encrypted)
  • Secret: Encrypted sensitive text (passwords, API keys, etc.) - encrypted with vault key phrase
  • File Attachments: Encrypted files of any type - encrypted with vault key phrase

Each asset belongs to exactly one team. The secret content and file attachments are encrypted using that team's vault key phrase, while metadata (name, website, instructions) is stored unencrypted to enable organization and browsing without unsealing the vault.

Asset Components Explained

Name (Required)

  • A clear, descriptive title for easy identification
  • Examples:
    • "Gmail Account - john@example.com"
    • "AWS Root Account Credentials"
    • "Safe Deposit Box Instructions"
    • "Company Server SSH Keys"

Website (Optional)

  • URL of the service or application
  • Examples: https://mail.google.com, https://aws.amazon.com, https://github.com
  • When provided, Key Man Out automatically attempts to fetch the brand logo for visual identification

Instructions (Optional)

A rich text editor for detailed notes and instructions:

Supported formatting:

  • Headings (H1, H2, H3, etc.)
  • Bold, italic, underline
  • Bulleted and numbered lists
  • Blockquotes for highlighting important information
  • Code blocks for technical details
  • Links

Example use cases:

  • Step-by-step recovery procedures
  • Account setup instructions
  • Emergency contact information
  • Notes about security questions
  • Recovery code storage

Secret (Optional)

The most sensitive field, designed for passwords and confidential text:

  • Encrypted client-side with your team's vault key phrase before transmission
  • Hidden by default in the edit form - you must explicitly click "Edit Secrets" to view or modify
  • Requires unsealed vault - you must enter the vault key phrase to view or edit secrets
  • Access is logged - viewing the secret creates an audit trail
  • Custodian notification - the asset owner is notified when someone accesses the secret
  • Supports multi-line text for storing multiple passwords or keys together

Example use cases:

  • Login passwords
  • API keys and tokens
  • Credit card information
  • Social Security or tax ID numbers
  • Encryption keys
  • Recovery codes

File Attachments (Optional)

Upload encrypted files to the asset:

  • Multiple file support - attach as many files as needed
  • Any file type - documents, images, PDFs, spreadsheets, etc.
  • Client-side encryption - file content is encrypted with your vault key phrase in your browser before upload
  • Individual download - download files one at a time
  • Bulk download - download all attachments at once
  • File metadata stored - name, size, and type are preserved (not encrypted, for browsing)

Example use cases:

  • PDF copies of important documents
  • Photos of physical keys or access cards
  • Backup codes as image files
  • Configuration files
  • Certificates and licenses

Creating Assets

Prerequisites

Before creating an asset:

  1. You must be a member of a team
  2. The vault must be unsealed (you must enter the team key phrase)
  3. You must have at least Member permissions

Creation Process

  1. Navigate to your team dashboard (vault must be unsealed)
  2. Click "New Asset" or the "+" button
  3. Fill in the asset form:
    • Name (required): Enter a descriptive name
    • Website (optional): Add the URL if applicable
    • Instructions (optional): Use the rich text editor for notes
    • Secret (optional):
      • Click "Edit Secrets" to reveal the secret field
      • Enter sensitive text (will be encrypted on save)
      • Click "Hide" if you want to hide it again without saving
    • Attachments (optional):
      • Click "Choose Files" or drag and drop
      • Select one or more files from your device
      • Files will be encrypted when you save
  4. Click "Create Asset"

After Creation

Once created, the asset:

  • Appears in your team's asset list
  • Shows the brand logo (if a website URL was provided) or initials
  • Can be edited, viewed, or deleted by appropriate team members
  • You are automatically assigned as the Custodian (owner)

Viewing Assets

Asset List View

Assets are displayed in an accordion-style list on your team dashboard:

  • Alphabetically sorted by name
  • Brand logos or initials for visual identification
  • Expandable cards - click to expand and see details
  • Quick actions - Edit, Delete, View Secret buttons

Individual Asset View

Click on an asset name to open the detailed view:

Header Section

  • Asset name (large, prominent)
  • Website URL (if provided) as a clickable link
  • Brand logo or initials icon

Website Section

Shows the website URL with an "Open Website" button that opens the site in a new tab.

Instructions Section

Displays the formatted rich text instructions with proper styling:

  • Headings, lists, and text formatting preserved
  • Code blocks rendered with syntax highlighting
  • Blockquotes styled distinctly
  • Links are clickable

Secret Section

  • Shows "View Secret" button if a secret exists
  • Clicking triggers:
    1. Decryption of the secret using the team key
    2. Access logging (timestamp, user, location)
    3. Email notification to the asset custodian (if you're not the custodian)
    4. Display in a modal popup

Secret Viewer Modal:

  • Decrypted secret text with proper formatting
  • "Copy to Clipboard" button for easy use
  • Access tracking information (who, when)
  • Security warning about notification
  • "Close" button

Attachments Section

If files are attached:

  • List of all files with names and sizes
  • "Download" button for each individual file
  • "Download All Attachments" button for bulk download
  • "Delete" button for each file (Team Owners only)

Files are automatically decrypted when downloaded.

Editing Assets

Opening the Edit Modal

  1. Navigate to the asset's detail page
  2. Click the "Edit" button (pencil icon)
  3. The edit modal opens with current asset data

Edit Form

The edit form mirrors the creation form with all existing data pre-filled.

Auto-Save Feature

Key Man Out includes intelligent auto-save to prevent data loss:

How it works:

  • Edits are automatically saved to your browser's local storage every few seconds
  • Works even if you close the browser or lose internet connection
  • Each asset has a separate auto-save storage
  • Auto-saved data expires after 8 hours

When auto-saved data exists:

  • "Unsaved Changes" indicator appears
  • Closing the edit modal shows a warning
  • Navigating away from the page prompts confirmation
  • Returning to edit automatically restores your draft

Managing auto-saved data:

  • "Discard Changes" button permanently deletes the auto-save draft
  • Saving the asset clears the auto-save data
  • Closing and reopening the edit modal restores your progress

Note: Auto-saved data is stored only in your browser and is never transmitted to servers until you explicitly save.

Editing the Secret

The secret field has special handling:

  1. By default, the secret is hidden when you open the edit modal
  2. Click "Edit Secrets" to reveal the secret field
  3. The secret is fetched and decrypted (this access is logged)
  4. You can now view and modify the secret
  5. Click "Hide" to hide it again (only if there are no unsaved changes)

Important notes:

  • Viewing the secret for editing logs access and may send notifications
  • You cannot hide the secret if you've made unsaved changes to it
  • Saving the form automatically hides the secret again

Adding/Removing Attachments

Adding new files:

  1. Click the file input or drag files into the upload area
  2. Select one or more files
  3. Files are staged for upload (not uploaded yet)
  4. Click "Update Asset" to encrypt and upload the files

Removing existing files:

  1. Team Owners can click the "Delete" button next to each attachment
  2. Confirm deletion
  3. The file is permanently removed from the asset

Saving Changes

Click "Update Asset" to:

  1. Encrypt any new secret text client-side
  2. Encrypt any new file attachments client-side
  3. Send encrypted data to the server
  4. Clear the auto-save draft
  5. Update the asset display
  6. Show a success notification

Deleting Assets

Deletion Process

From the asset detail page:

  1. Click the "Delete" button (trash icon)
  2. A confirmation modal appears
  3. Click "Delete" to confirm, or "Cancel" to abort

Important:

  • Asset deletion is immediate and permanent
  • All associated data is destroyed:
    • Asset metadata (name, website, instructions)
    • Encrypted secret
    • All encrypted file attachments
    • Access logs and history
  • This action cannot be undone

Who Can Delete Assets?

  • The asset Custodian (creator/owner)
  • Team Owners
  • Team Admins (if they are also the Custodian)

Tip: Before deleting, consider if the information might be needed in the future. Download any attachments and copy any necessary information.

Brand Logos and Icons

Automatic Logo Fetching

When you provide a Website URL, Key Man Out:

  1. Extracts the domain name (e.g., google.com from https://mail.google.com)
  2. Attempts to fetch the brand logo using BIMI (Brand Indicators for Message Identification)
  3. If found, displays the logo next to the asset
  4. Logos are cached for performance
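
A sketch of the lookup steps above, as an added example that is not Key Man Out's code: it derives the DNS names a BIMI query would use from the Website URL and validates the returned TXT record before any logo is fetched. Function names are hypothetical, the DNS query itself is left out, and walking up the labels stands in for a proper organizational-domain lookup.

```javascript
// Added illustration; helper names are hypothetical, not Key Man Out's code.

// Candidate DNS names for the BIMI TXT lookup, most specific first.
// A production resolver would use the Public Suffix List to find the
// organizational domain; walking up the labels is a simplification.
function bimiLookupNames(websiteUrl) {
  const url = new URL(websiteUrl); // throws on malformed input
  if (url.protocol !== "https:" && url.protocol !== "http:") return [];
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  // IP literals and single-label hosts (localhost, intranet names) are skipped.
  if (/^[\d.]+$/.test(host) || host.includes(":")) return [];
  const labels = host.split(".");
  const names = [];
  for (let i = 0; labels.length - i >= 2; i++) {
    names.push("default._bimi." + labels.slice(i).join("."));
  }
  return names;
}

// Accept a value only if it is an https URL without embedded credentials.
function httpsUrlOrNull(value) {
  if (!value) return null;
  let url;
  try { url = new URL(value); } catch (e) { return null; }
  if (url.protocol !== "https:" || url.username || url.password) return null;
  return url.href;
}

// Parse one TXT record; returns null unless it is a usable BIMI record.
function parseBimiRecord(txt) {
  const parts = txt.split(";").map((p) => p.trim()).filter(Boolean);
  // The version tag must come first and match exactly.
  if (parts.length === 0 || !/^v\s*=\s*BIMI1$/.test(parts[0])) return null;
  const tags = new Map();
  for (const part of parts) {
    const eq = part.indexOf("=");
    if (eq < 1) return null;
    const key = part.slice(0, eq).trim().toLowerCase();
    if (tags.has(key)) return null; // duplicate tags are ambiguous
    tags.set(key, part.slice(eq + 1).trim());
  }
  const logoUrl = httpsUrlOrNull(tags.get("l"));
  if (!logoUrl) return null; // empty l= means the domain publishes no logo
  return { logoUrl, authorityUrl: httpsUrlOrNull(tags.get("a")) };
}
```

The logo location comes from DNS controlled by whoever owns the entered domain, so the fetch should be treated as untrusted input: HTTPS only, and the SVG rendered as an image rather than inlined into the page.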

Fallback Icons

If no logo is available:

  • The system generates initials from the asset name
  • Example: "Gmail Account" → "GA"
  • Displayed in a colored circle for visual identification

Logo Updates

  • Logos are fetched when the asset is created or when the website URL is changed
  • If a logo fails to load, it falls back to the initials icon
  • You can trigger a re-fetch by editing the asset and saving again

Access Notifications

When Are Notifications Sent?

Email notifications are sent to the asset Custodian when:

  1. Someone views the secret (clicks "View Secret")
  2. The viewer is not the Custodian themselves

Notification Contents

The email includes:

  • Who accessed the secret (name and email)
  • When it was accessed (timestamp)
  • Which asset was accessed (name)
  • Location information (IP address, if available)

Viewing Access Logs

Access logs are stored and displayed in the Secret Viewer Modal:

  • User who accessed
  • Timestamp of access
  • This information helps you track who has viewed sensitive information

Privacy Note: If you are the Custodian viewing your own secret, no notification is sent and you'll see a message confirming this.

Guardian System (Asset-Level Roles)

Assets support a more granular permission system with three specialized roles:

Guardian Roles

Role | Description | Permissions
Custodian | Asset creator/owner | Full control, can view content, add/remove Gatekeepers, add Successors, approve access requests
Gatekeeper | Approval authority without access | Cannot view asset content, can deny (but not approve) access requests during time-delay
Successor | Designated inheritor | Can request access to the asset, can view once approved, can approve other Successors' requests

Managing Guardians

From the asset detail page, scroll to the Guardians section:

Adding Gatekeepers or Successors

  1. Click "Add Guardian"
  2. Select the role (Gatekeeper or Successor)
  3. Choose a team member from the dropdown
  4. Click "Add"

Note: Only the Custodian can add Gatekeepers or Successors, and no approval is required.

Removing Gatekeepers

  1. Find the Gatekeeper in the list
  2. Click the "Remove" button (trash icon)
  3. Confirm removal

Note: Custodians can remove Gatekeepers without approval.

Removing Successors

Special rules apply:

  • If no other Successors exist: The Custodian can remove immediately
  • If other Successors exist: A removal request is created requiring approval from at least one other Successor
  • Removal requests expire after 7 days if not approved
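
The removal rules above written out as a small state machine, as an added example that is not Key Man Out's code. The data shapes and function names are hypothetical, and it assumes that only the Custodian starts a Successor removal.

```javascript
// Added illustration; data shapes and function names are hypothetical.
const REMOVAL_TTL_MS = 7 * 24 * 60 * 60 * 1000; // requests expire after 7 days

// asset: { custodian: "userId", successors: ["userId", ...] }
function requestSuccessorRemoval(asset, actorId, targetId, now) {
  if (actorId !== asset.custodian) {
    throw new Error("only the Custodian can remove a Successor");
  }
  if (!asset.successors.includes(targetId)) throw new Error("not a Successor");
  const others = asset.successors.filter((id) => id !== targetId);
  if (others.length === 0) {
    // No other Successor exists: removal takes effect immediately.
    asset.successors = [];
    return { status: "removed", targetId };
  }
  // Otherwise the removal waits for approval from one of the other Successors.
  return {
    status: "pending", targetId,
    eligibleApprovers: others, expiresAt: now + REMOVAL_TTL_MS,
  };
}

function approveSuccessorRemoval(asset, request, approverId, now) {
  if (request.status !== "pending") throw new Error("request is not pending");
  if (now >= request.expiresAt) return { ...request, status: "expired" };
  // The approver must be a different Successor, both when the request was
  // created and now; the target can never approve their own removal.
  const eligible = approverId !== request.targetId &&
    request.eligibleApprovers.includes(approverId) &&
    asset.successors.includes(approverId);
  if (!eligible) throw new Error("approval must come from another Successor");
  asset.successors = asset.successors.filter((id) => id !== request.targetId);
  return { ...request, status: "removed", approvedBy: approverId };
}
```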

Access Request Workflow (Coming Soon)

Successors can request access to assets using three methods:

  1. Standard Approval: Wait for Custodian or another Successor to approve manually
  2. Time-Delay: Start a countdown (1-2 hours), auto-approved if no one denies during the delay
  3. DNS Verification: Prove domain ownership by adding a TXT record

Note: The full access request workflow is planned but not yet implemented.

Best Practices

Organizing Assets

Use clear, descriptive names:

Include context in instructions:

  • Recovery procedures
  • Security question answers (keep the answers themselves in the encrypted secret field; instructions are not encrypted)
  • Account ownership information
  • Special notes about two-factor authentication

Categorize with naming conventions:

  • "Company - AWS Root Account"
  • "Personal - Bank of America Checking"
  • "Family - Home WiFi Password"

Security Best Practices

  1. Always seal the vault when finished working
  2. Review access logs regularly for unusual activity
  3. Rotate secrets periodically and update assets
  4. Use strong, unique passwords for each service
  5. Enable two-factor authentication on critical accounts and note it in instructions
  6. Store recovery codes as secrets or attachments

Attachment Management

  • Keep files small when possible for faster encryption/decryption
  • Use descriptive filenames before uploading
  • Consider PDF format for documents (widely compatible)
  • Remove sensitive metadata from files before uploading
  • Compress large files before uploading to save space

Instructions Best Practices

Use instructions to document:

  • How to use the account or service
  • Recovery procedures in case of issues
  • Who to contact for help
  • Important dates (renewal dates, expiration, etc.)
  • Multi-factor authentication setup details
  • API rate limits or usage restrictions

Common Questions

Can I move an asset to a different team?

No, assets cannot be moved between teams because each team has a unique encryption key. To "move" an asset:

  1. Copy the information from the original asset
  2. Create a new asset in the target team
  3. Re-enter all the information
  4. Re-upload any attachments
  5. Delete the original asset (optional)

What happens to my assets if I leave a team?

If you are removed from a team or voluntarily leave:

  • You immediately lose access to all team assets
  • You cannot view or decrypt any assets
  • If you were the Custodian of assets, they remain in the team with the current guardians
  • The new team owner should reassign Custodian roles as needed

Can I share an individual asset without sharing the whole team?

Not directly through Key Man Out. All team members can see all team assets. If you need to restrict access:

  1. Create a separate team for restricted information
  2. Only invite members who should have access
  3. Use asset-level guardian roles (Custodian, Gatekeeper, Successor) for finer control

How do I back up my assets?

Best practices for backing up:

  1. Download all attachments locally
  2. Copy secret text to a secure password manager or encrypted file
  3. Export instructions to a document
  4. Store the team key phrase in a secure location outside Key Man Out
  5. Keep a list of all asset names for recovery reference

What if I accidentally delete an asset?

Unfortunately, asset deletion is permanent and cannot be undone. There is no "trash" or recovery mechanism. This is why confirmation is required before deletion.

To protect against accidental deletion:

  • Review the asset name carefully before confirming
  • Maintain external backups of critical information
  • Limit delete permissions to trusted team members only

Can I see who edited an asset?

Currently, Key Man Out tracks:

  • Who created the asset (Custodian)
  • Who accessed the secret (access logs)

Full edit history is not yet available but may be added in future updates.