Mental model
Concepts
fd0 has a small model: local identity, encrypted vault, scope keys, signed events, one primary server, and optional witnesses. Once those terms are clear, the commands are direct.
identity
Your long-term Ed25519 keypair. The public key appears in cards and event authorship. The private key stays encrypted locally and is held only by the agent after unlock.
vault
The encrypted local file at ~/.fd0/vault.enc. It stores your identity key, pinned cards, per-scope keys, and accepted chain tips.
agent
The local daemon started by fd0 unlock. It signs, decrypts, and serves SSH agent requests without exposing private bytes to normal CLI commands.
scope
A group of secrets with its own encryption key. Adding or removing a member rotates that key.
card
A signed fd0://card/... identity record. Import a card only after checking its safety number out of band.
sync
The event exchange with one configured primary. The server stores ciphertext and signed events; it does not receive plaintext secrets.
witness
An independent observer for transparency-log heads. Witnesses help clients detect server equivocation.
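The check a witness makes possible, as an added example that is not fd0's own code: a client compares the head it received from the primary with the heads witnesses report, and flags any log size for which two different heads exist. The hash-chain head format, the event strings, and the observer names are assumptions made for illustration; fd0's actual event and head encoding is not described on this page.

```python
import hashlib
from collections import defaultdict

def chain_head(events):
    """Return (size, head_hex) for a simple hash chain over event bytes.
    Assumed format for illustration only, not fd0's wire format."""
    head = bytes(32)
    for event in events:
        head = hashlib.sha256(head + hashlib.sha256(event).digest()).digest()
    return len(events), head.hex()

def find_equivocation(observations):
    """observations: iterable of (observer, (size, head_hex)).
    Returns {size: {head_hex: [observers]}} for every size at which more
    than one distinct head was seen. Heads at different sizes are not
    compared here: that needs a consistency proof, which is out of scope."""
    seen = defaultdict(lambda: defaultdict(set))
    for observer, (size, head) in observations:
        seen[size][head].add(observer)
    return {
        size: {head: sorted(who) for head, who in heads.items()}
        for size, heads in seen.items()
        if len(heads) > 1
    }

# Constructed sample data: the same log as shown to witnesses and a
# diverging view shown to one client at the same size.
HONEST = [b"add-member:alice", b"rotate-scope-key:1", b"put-secret:db"]
FORKED = HONEST[:2] + [b"put-secret:db-alt"]

def demo():
    observations = [
        ("witness-a", chain_head(HONEST[:2])),  # earlier head, no conflict
        ("witness-a", chain_head(HONEST)),
        ("witness-b", chain_head(HONEST)),
        ("client", chain_head(FORKED)),         # head served to this client
    ]
    return find_equivocation(observations)

if __name__ == "__main__":
    for size, heads in demo().items():
        print(f"equivocation at size {size}:")
        for head, who in heads.items():
            print(f"  {head[:16]}... seen by {', '.join(who)}")
```

A client with no witness has only the primary's own view, so the two heads at size 3 would never be seen side by side.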