Vault, passphrase, and recovery

Your Onnoir library is protected locally. This page explains the safety model before you store important writing in it.

Before you start

During first launch, the current desktop beta creates a local encrypted vault and protects it with the system keychain on that device. Onnoir also shows a recovery key. Save that key before continuing. Onnoir cannot recover it through an account.

Some lower-level or restored vault flows may refer to a passphrase. Treat any passphrase with the same care as the recovery key: store it outside Onnoir, and do not expect Onnoir to reset it for you.

Step-by-step

1. Create the local library from first launch.
2. Save the recovery key in a password manager, printed emergency sheet, or encrypted external location.
3. Confirm the recovery-key acknowledgement only after you have stored the key.
4. Let Onnoir open the library.
5. Create and verify a .onbk backup after your first useful note.
6. If Onnoir later cannot open the library from the system keychain, paste the recovery key into the recovery screen.

What to expect

On the same device, unlock may feel automatic because the system keychain can open the local vault. That is local device behavior, not cloud recovery. If the keychain entry is removed, the device is replaced, or you restore from backup onto another device, recovery material matters.

Safety notes

Losing both the keychain access and recovery material can make the encrypted library unrecoverable. Onnoir does not have a hosted copy of your vault key, passphrase, recovery key, note text, or backup.

Troubleshooting

If recovery-key unlock fails, check for missing characters, extra spaces, or a key from a different library. If the app reports vault corruption or restore failure, use a verified .onbk backup rather than deleting local files.

Related docs

• Start here
• Backups, restore, and snapshots
• Privacy and local data
• Troubleshooting