All four v0.8.1 streams merged (main 4c0a289): org add now supports all 7 item
types (card/key/totp/document) and org edit is interactive. Flip the two
high-level org sections from "coming" to shipped, grounded in the real merged
`relicario org add <type> --collection …` surface; remove the rebase TODO markers.
131 lines
6.0 KiB
Markdown
# Frequently Asked Questions

Answers to common questions about how Relicario works, where your data lives, and what happens when things go wrong.

---
## What makes Relicario different? Why does it need two factors just to unlock my vault?

Most password managers protect your vault with a single master password. Relicario requires **two factors** at the same time: your **passphrase** (something you remember) and a **reference photo** (a JPEG you chose during setup that carries a hidden 256-bit secret). Neither one can decrypt your vault on its own — both must be present together.

The result: even if someone steals your passphrase, they cannot open your vault without also having your reference photo. Even if someone steals the reference photo file, they cannot open your vault without knowing your passphrase. For the technical details, see [../docs/CRYPTO.md](../docs/CRYPTO.md).

---
## Where is my data actually stored?

Your vault is a **git repository that you control**. Relicario stores everything — encrypted items, an encrypted index, and settings — as files inside that repo, which you push to your own Gitea or GitHub server. Nothing goes to any server Relicario runs; there is no Relicario-operated cloud. The server only ever receives opaque ciphertext.

---
## Is my reference photo uploaded to the server?

No. Your reference photo (the JPEG that carries the hidden image secret) is your second unlock factor. Relicario adds it to `.gitignore` at vault creation, so it is **never committed** and never pushed to your remote. If you only back up your git repository, you have **not** backed up your second factor.

Keep at least one safe copy of `reference.jpg` somewhere separate — an encrypted external drive, a secure cloud folder of your own choice, or a printed [Recovery QR](recovery.md).

---
## What if I lose my passphrase or my reference photo?

There is no password reset and no backdoor — by design. Here is the hard truth:

- **Lose your passphrase** → your vault is unrecoverable (the recovery QR is also locked by your passphrase).
- **Lose your reference photo AND your recovery QR** (even if you still know your passphrase) → the hidden image secret is gone → unrecoverable.
- **Lose both factors** → your data is gone for good.

See [Recovery](recovery.md) for how to generate a recovery QR while you still have everything, and where to keep it safe.

---
## Can I use Relicario on multiple computers?

Yes. Because your vault is a git repo, you can sync it across machines with:

```
relicario sync
```

This does a `git pull --rebase` then `git push` against your configured remote. You will need to copy your `reference.jpg` to each computer you use (it is never in the repo, so you transfer it manually). You can also register each machine as a named device with `relicario device add`.

---
## Does Relicario work in my browser?

Yes — there is a browser extension. It supports **Chrome/Chromium** (primary) and **Firefox (MV3)**. The extension lets you search your vault, reveal or copy fields, see live 30-second TOTP codes, and autofill login forms. The Chrome-only fullscreen vault tab supports all item types, add/edit/delete, settings, trash, devices, history, backup, and LastPass import.

Install is currently build-from-source (no web-store listing). See [The browser extension](the-browser-extension.md) for step-by-step setup.

---
## Can my team share a vault?

Relicario includes an org vault feature (`relicario org …`) with owner/admin/member roles, collections, per-collection access grants, and a signed audit log. It supports the full set of item types — logins, secure notes, identities, cards, keys, documents, and TOTP — added with `relicario org add <type> --collection <name> …`. The server only sees ciphertext; access is enforced by collection grants.

**Current limitation:** the browser extension does **not** yet support org vaults — there is no org switch, browse, or write support in the extension. Org vault access is CLI-only for now.

---
## How do I generate a strong password?

Use the built-in generator:

```
relicario generate
```

By default (outside a vault) it produces a 20-character random password with a safe symbol set. Inside an initialized vault it falls back to whatever you have set as your generator defaults. You can also generate a BIP39 word passphrase:

```
relicario generate --bip39
```

See [Passwords and generators](passwords-and-generators.md) for all options, including how to save your preferred defaults to the vault.

---
## How do I store 2FA codes (TOTP)?

You can store TOTP secrets in two ways:

1. **Standalone TOTP item** — stores just the authenticator code, separate from a login:

   ```
   relicario add totp --title "GitHub 2FA" --issuer "GitHub" --secret <BASE32>
   ```

2. **Attached to a login** — scan the site's QR code image and attach the TOTP secret directly to an existing login:

   ```
   relicario add login --title "GitHub" --username you@example.com --totp-qr qr.png
   # or add it later:
   relicario edit "GitHub" --totp-qr qr.png
   ```
The browser extension shows live 30-second codes inline for both login and standalone TOTP items. See [TOTP](totp.md) for more detail.

---
## How do I move off LastPass?

Export your data from LastPass as a CSV (LastPass → Account Options → Export), then run:

```
relicario import lastpass /path/to/lastpass-export.csv
```

Each row becomes a new item in your vault. Rows that fail to parse are skipped and reported on stderr. Title collisions are kept as-is (no automatic deduplication).

---
## Is there a mobile app?

Not yet. There are no Relicario mobile apps at this time.

---
## Is Relicario free / open source?

Yes. Relicario is free and open source, released under the **GNU General Public License v3.0 or later** (GPL-3.0-or-later). You can read, build, run, and modify it yourself — which is also what lets you verify that your secrets never leave your device. See the `LICENSE` file in the repository for the full terms.

---

**Next:** [Back to the guide index](README.md)