Team-Based Organization

Organize secrets by team or family with flexible membership, independent vaults, and compartmentalized access. Learn how Key Man Out supports collaboration without compromising security.

Organize Secrets by Team or Family

Security isn't just about protection—it's about organization. Key Man Out's team-based structure lets you compartmentalize secrets by department, project, family, or any organizational unit that makes sense for your needs.

How Teams Work

The Team Vault Concept

Each team has its own encrypted vault with:

  • Shared encryption key phrase known to team members
  • Independent asset storage isolated from other teams
  • Team-specific guardian assignments per asset
  • Unified audit trail for all team activity
  • Flexible membership with easy invite/remove

Key Principle: Secrets are organized by who needs to share them, not by who owns them individually.

Team Creation and Setup

Creating Your First Team

Simple Setup Process:

  1. Name your team (e.g., "Engineering Department," "Smith Family Trust")
  2. Define purpose (helps organize assets later)
  3. Set encryption key phrase (team members will need this to access)
  4. Invite members via email
  5. Start adding assets

Time to Setup: Under 5 minutes from account creation to first encrypted asset.

Team Encryption Key Phrase

Critical Security Component:

  • One key phrase per team encrypts all team assets
  • Team members must know it to access assets (when vault unsealed)
  • Never stored server-side (only cryptographic hash for verification)
  • Different from user password (user password = account login, key phrase = vault encryption)
  • Can be changed (requires re-encrypting all assets, seamless to users)

Best Practice: Use a strong passphrase (4-6 random words, e.g., "correct horse battery staple mountain cascade") that team members can remember or store securely.
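One way to verify a key phrase server-side without storing it, shown as an added example that is not Key Man Out's own code: the scrypt parameters, the HMAC labels, the record layout and the 16-word list are all assumptions made for illustration. It also computes how many bits of guessing entropy a 4-6 word phrase carries, which is what protects the vault if the stored verifier ever leaks.

```python
import hashlib
import hmac
import math
import secrets

# Constructed 16-word list so the block runs offline; a real generator needs a
# large published list (a 7776-word diceware list gives ~12.9 bits per word).
WORDS = ("amber anchor basil cedar delta ember fjord garnet "
         "harbor indigo juniper kestrel lagoon maple nectar onyx").split()


def generate_phrase(n_words=6, words=WORDS):
    """Pick words with the OS CSPRNG; the `random` module is not for secrets."""
    return "-".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Guessing entropy of n uniformly chosen words from a list of list_size."""
    return n_words * math.log2(list_size)


def _derive(phrase, salt):
    # Memory-hard KDF (assumed parameters): each offline guess against a
    # leaked verifier costs about 16 MiB of memory.
    master = hashlib.scrypt(phrase.encode("utf-8"), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    # Domain separation: the stored verifier must not double as the vault key.
    enc_key = hmac.new(master, b"vault-encryption", hashlib.sha256).digest()
    verifier = hmac.new(master, b"server-verifier", hashlib.sha256).digest()
    return enc_key, verifier


def enroll(phrase):
    """Return (client-side vault key, record the server may store)."""
    salt = secrets.token_bytes(16)
    enc_key, verifier = _derive(phrase, salt)
    return enc_key, {"salt": salt, "verifier": verifier}


def check(phrase, record):
    """Return the vault key if the phrase matches the verifier, else None."""
    enc_key, verifier = _derive(phrase, record["salt"])
    return enc_key if hmac.compare_digest(verifier, record["verifier"]) else None
```

The stored record holds only a salt and a verifier, so its resistance to offline guessing rests entirely on the phrase's entropy and the KDF cost; a phrase drawn from a small list, like the 16-word one here, would not survive a leak.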

Example Team Structure:

Acme Corp Engineering Team
├── Encryption Key: "whiskey-tango-foxtrot-seven-delta-charlie"
├── Members: CTO, Lead Architect, Senior Devs (5 total)
├── Assets: 23 encrypted secrets
└── Vault Status: Sealed (secure) | Unsealed (accessible)

Team Membership and Roles

Team Member Capabilities

All team members have equal access to team vault:

  • Unseal vault using team key phrase
  • View all assets when vault unsealed
  • Create new assets and assign guardians
  • Become custodian of their own assets
  • Serve as guardian for others' assets
  • Receive notifications for assets they guard

Note: Access to individual assets is still controlled by the guardian system—team membership provides vault access, guardianship provides asset access.

Inviting Team Members

Email-Based Invitation:

  1. Team member sends invite to email address
  2. Invitee receives email with secure invite link
  3. Invitee creates account (or logs in if existing user)
  4. Invitee accepts invitation
  5. Inviter shares team encryption key phrase (outside system, for security)
  6. Invitee can now unseal team vault and participate

Security Note: The key phrase is NOT sent via email. This is intentional—the inviter must share it through a separate secure channel (phone call, in-person, encrypted message). This prevents an email compromise from exposing vault encryption.

Removing Team Members

Instant Removal:

  • Any team member can remove another member
  • Removed member loses all access to team vault immediately
  • Removed member's guardian roles automatically revoked
  • Removed member receives notification (transparency + audit)
  • Key phrase remains same (removed member knows it)

After Removal:

If removed member is a security concern:

  1. Change team encryption key phrase (rotates vault encryption)
  2. All assets automatically re-encrypted with new key phrase
  3. All current members notified to use new key phrase
  4. Removed member's old key phrase now useless

Time to Complete: Key rotation takes seconds, happens seamlessly in background.

Multi-Team Organization

Why Multiple Teams?

Separation of Concerns:

  • Engineering Team: Infrastructure credentials, API keys, deployment secrets
  • Finance Team: Bank accounts, tax documents, payroll credentials
  • Executive Team: Board documents, acquisition plans, investor relations
  • Family Team: Estate documents, insurance policies, personal accounts

Benefits:

  • Compartmentalization: Engineering can't see finance secrets (and vice versa)
  • Clear organization: Assets grouped by context, not just ownership
  • Independent encryption: Compromise of one team doesn't expose others
  • Flexible membership: Same person can be in multiple teams with different roles

Personal vs. Team Assets

Use Case Flexibility:

  • Personal Team: Individual's private vault (one-person team)
  • Shared Team: Department or family secrets
  • Project Team: Temporary team for specific initiative
  • Executive Team: C-suite only, highest sensitivity

Example User:

Jane Smith (CTO)
├── Personal Team (Jane only)
│   └── Personal medical records, private accounts
├── Engineering Team (CTO, Lead Architect, 3 Sr Devs)
│   └── AWS credentials, GitHub tokens, deployment keys
├── Executive Team (CEO, CTO, CFO)
│   └── Board documents, financial projections
└── Acme Family Team (Jane, Spouse, Adult Children)
    └── Estate plan, insurance policies, account info

Benefit: Jane has surgical control—right secrets to right people without exposing everything.

Team-Based Asset Organization

Organizing Within a Team

Flexible Categorization:

Each asset can be tagged with:

  • Category (Credentials, Documents, Keys, etc.)
  • Subcategory (AWS, GitHub, Legal, Financial, etc.)
  • Custom tags (production, development, client-specific, etc.)
  • Priority level (critical, high, medium, low)

Search and Filter:

  • Filter by category, tag, custodian
  • Search by asset name or description
  • Sort by creation date, last access, priority
  • View only your assets vs. entire team

Team Dashboard

At-a-Glance View:

  • Vault status: Sealed or unsealed (time remaining if unsealed)
  • Asset count: Total secrets in team vault
  • Your assets: Secrets you created/own
  • Guardian roles: Assets you're custodian/gatekeeper/successor for
  • Recent activity: Latest access requests, approvals, denials
  • Pending requests: Awaiting your approval as gatekeeper

Team Activity Feed:

  • Real-time updates on team asset activity
  • Filter by event type (access, approval, denial, creation)
  • Export for compliance reporting

Team Collaboration Patterns

Pattern 1: Engineering Team - Infrastructure Secrets

Team Setup:

  • Members: CTO (team admin), Lead Architect, 3 Senior DevOps Engineers
  • Assets: 45 secrets (AWS, GitHub, databases, APIs, SSL certs)
  • Key Phrase: "engineering-vault-aurora-cascade-phoenix-seven"

Asset Structure:

Production AWS Root
├── Custodian: CTO
├── Gatekeepers: Lead Architect, Outside Security Consultant
├── Successors: Senior DevOps 1, Senior DevOps 2
└── Approval: Time-delay (48 hours) + 2 gatekeepers

Development AWS Account
├── Custodian: Lead Architect
├── Gatekeepers: CTO
├── Successors: All Senior DevOps
└── Approval: Standard (any gatekeeper)

GitHub Organization Owner Token
├── Custodian: CTO
├── Gatekeepers: Lead Architect
├── Successors: Senior DevOps 1
└── Approval: Standard + DNS verification

Collaboration Benefit: Production access has maximum oversight, development access is fast, everyone knows where to find what they need.

Pattern 2: Family Estate Planning

Team Setup:

  • Members: Parents, 2 Adult Children, Family Attorney (5 total)
  • Assets: 12 secrets (will, accounts, insurance, property deeds)
  • Key Phrase: "smith-family-trust-cascade-mountain-legacy"

Asset Structure:

Last Will and Testament
├── Custodian: Parent 1
├── Gatekeepers: Family Attorney, Parent 2
├── Successors: Adult Child 1, Adult Child 2
└── Approval: Time-delay (7 days) + all gatekeepers

Bank Account Credentials
├── Custodian: Parent 1
├── Gatekeepers: Parent 2, Family Attorney
├── Successors: Adult Child 1 (designated financial manager)
└── Approval: Time-delay (72 hours) + 1 gatekeeper

Insurance Policies
├── Custodian: Parent 2
├── Gatekeepers: Family Attorney
├── Successors: All adult children
└── Approval: Standard (attorney approval)

Collaboration Benefit: Family can organize estate while living, children have clear access path after incapacitation, attorney provides professional oversight.

Team Notifications and Communication

What Gets Notified

Team-Level Events:

  • New member joined team
  • Member removed from team
  • Team encryption key phrase changed
  • New asset created in team vault

Asset-Level Events (relevant guardians only):

  • Access requested
  • Access approved/denied
  • Asset accessed successfully
  • Guardian assigned/removed
  • Asset modified or deleted

Notification Channels

Email Notifications (immediate):

  • Critical: Access requests, approvals, actual access events
  • Summary: Daily digest of team activity
  • Admin: Member changes, team settings changes

In-App Notifications:

  • Real-time feed in team dashboard
  • Badge counts for pending approvals
  • Activity timeline for audit

Opt-Out Flexibility:

  • Disable non-critical notifications
  • Keep critical security notifications (cannot disable)
  • Per-team notification preferences

Team Security Best Practices

Key Phrase Management

DO:

  • Use strong passphrase (4-6 random words or longer)
  • Share key phrase through secure channel (not email)
  • Store backup of key phrase in physical safe or trusted password manager
  • Ensure multiple team members know key phrase
  • Rotate key phrase when member leaves with security concerns

DON'T:

  • Don't use easily guessable phrases
  • Don't share key phrase in email or unencrypted chat
  • Don't rely on single person knowing key phrase
  • Don't reuse key phrase across multiple teams

Member Vetting

Before Inviting:

  • Verify email address is correct (typo = wrong person invited)
  • Confirm person needs access to team vault
  • Determine appropriate guardian roles in advance
  • Have plan for key phrase sharing method

After Inviting:

  • Confirm they received and accepted invitation
  • Verify they can unseal vault successfully
  • Assign initial guardian roles
  • Review team's asset access policies with them

Regular Audits

Monthly Review:

  • Who's in the team? (remove former employees/members)
  • What assets exist? (delete obsolete secrets)
  • Who are the guardians? (update for current roles)
  • Any suspicious access? (review audit logs)

Quarterly Deep Dive:

  • Rotate team encryption key phrase (if high-security team)
  • Review all guardian assignments
  • Update access approval workflows
  • Test successor access workflows

Bottom Line: Teams give you surgical organization—right secrets with right people, compartmentalized by context, with complete flexibility to add, remove, and reorganize as your needs evolve.
