Master Lock
The master lock is the cockpit’s primary trust mechanism. This page documents its exact behavior.
States
The workspace is always in one of three states:
| State | What it means |
|---|---|
| Locked | Workspace is encrypted on disk. No decrypted data is in memory. |
| Unlocked | Decrypted state lives in memory for this session. UI is interactive. |
| Nuked | The vault has been explicitly destroyed via Control Room. |
Manual lock
Hit Lock workspace in the Command Deck at any time. The shell:
- Discards decrypted state from memory
- Returns to the unlock screen
- Leaves the encrypted vault file intact on disk
You can re-enter the master passphrase to bring the workspace back.
Idle auto-lock
The cockpit watches for input idle time. Default auto-lock is set conservatively — adjust in Control Room. When idle threshold is exceeded, the workspace returns to the locked state automatically.
Nuke / reset
For threat-model situations where the device may be compromised, Control Room exposes an explicit nuke action. This action destroys the encrypted vault file. It is not the same as locking — there is no recovery from a nuke.
Use a backup bundle (see Backup & Recovery) if you may want to restore later.