# Vaults

At Cerby, vaults are protected spaces for storing and managing your account data and sensitive information (secrets). They provide an additional layer of security by implementing encryption and access controls, ensuring that only authorized users can access the stored data.

You can create additional local vaults to leverage a Zero-Knowledge architecture. The following are the characteristics of Cerby's vault strategy:

* **Cloud vault:** Cerby stores and manages the encryption keys, and all automated tasks are supported.
* **Local vault:** Users hold the encryption keys on trusted devices, which are not accessible to Cerby. This vault strategy supports only a limited set of automated tasks.

When you no longer need a vault, you can disable it. Once a vault is disabled, users and teams with shared access to it cannot add more items (accounts or secrets), but the existing items remain active and accessible to them.

***

## User visibility

When creating a vault, you can choose its visibility and determine whether it should be the default vault. The visibility options are the following:

* **User visibility:** The vault is only accessible to specific users via an access share.
* **Workspace visibility:** Vault access is automatically shared with all the workspace users.

{% hint style="warning" %}
**IMPORTANT:** Currently, Cerby only supports vaults with workspace visibility; in a future release, user visibility will be supported.
{% endhint %}

***

## Default vault

Selecting a default vault makes it the predetermined vault when adding accounts and secrets to your workspace. It is also where all the items are stored when you migrate them to Cerby from your enterprise password manager (EPM), such as [LastPass](https://help.cerby.com/cerby-web-app/item-importer/migrate-from-lastpass-to-cerby) and [1Password](https://help.cerby.com/cerby-web-app/item-importer/migrate-from-1password-to-cerby), via the **Password Manager Importer**.

***

## Recovery key

After creating a vault, you can generate a recovery key. With this key, you can regain access to encrypted vaults if all the devices with the private keys are lost or unavailable. For more information about recovery keys, read the article [Generate and manage the recovery keys for your vault](https://help.cerby.com/setup-and-admin/vault-management/generate-and-manage-the-recovery-keys-for-your-vault).

***

## Trusted sessions on devices

Setting up a trusted session on a device is a requirement for creating a vault. With this setup, you ensure that all interactions with the Cerby platform come from authorized devices that meet corporate security standards.

In local vaults, trusted sessions on your devices are vital because those devices hold the encryption and decryption keys needed to access the account data and secrets stored in your vaults. Encryption and decryption operations are also decentralized: they run on those devices.

