Conduit

Credentials

Conduit provides flexible credential management within the encrypted vault. Credentials can be stored inline on connection entries or as standalone reusable entries.

Credential Types

Credentials use a typed system with a type selector in the credential form. The following types are supported:

  • Generic — the default type for username/password, SSH private key, and Windows domain credentials. Suitable for SSH, RDP, VNC, and web sessions.
  • SSH Key — stores the private key alongside the public key and SHA-256 fingerprint. Auto-populated when generating keys with the built-in SSH Key Generator. The credential form displays the public key as a read-only field with a copy button, along with the fingerprint.

Each credential is stored encrypted in the vault. Type badges are shown in the credential list and credential picker so you can quickly identify non-generic credentials.

SSH Key Generator

Conduit includes a built-in SSH Key Generator accessible from Tools > SSH Key Generator (Cmd/Ctrl+G) or via the inline generate button next to private key fields in entry and credential forms.

  • Key types — Ed25519 (recommended), RSA (2048/4096 bits), or ECDSA (P-256, P-384, P-521).
  • Passphrase encryption — optional AES-256-CBC passphrase protection with confirmation.
  • Comment field — optional identifier added to the public key.
  • Output — OpenSSH-format public key (ready for authorized_keys), PEM-format private key, and SHA-256 fingerprint.
  • Use Private Key — inserts the generated key directly into the credential form.

Standalone Credentials

Create reusable credential entries that can be linked to multiple connection entries. This is useful when the same credentials are used across many servers — update the credential in one place and every linked connection uses the updated value.

Linked credentials are fully supported by context menu actions. Right-click any connection entry that has a linked credential and you can use Copy Username, Copy Password, and Auto-type just as you would with inline credentials. There is no need to store credentials directly on the entry to use these actions.

Credential Picker

When editing a connection entry, use the credential picker to link an existing standalone credential instead of entering credentials inline. This keeps your credentials centralized and easy to maintain.

Conduit also provides a quick-access Credential Picker that opens as a tray popup with Cmd/Ctrl+Shift+Space, letting you search and copy credential fields without opening the main window.

TOTP (One-Time Passwords)

Generic credentials support optional TOTP-based one-time password generation. This allows you to store MFA secrets alongside your passwords and generate time-based codes directly within Conduit.

Generic credentials only

TOTP is available on generic credentials. SSH key credentials do not support TOTP since they use key-based authentication.

Setup Methods

There are two ways to add a TOTP secret to a credential:

  • Import QR code image — select a QR code image file (PNG, JPG, GIF, BMP, or WebP) and Conduit will automatically extract the TOTP secret, issuer, account label, and other parameters from the embedded otpauth:// URI.
  • Manual entry — enter the Base32-encoded secret key directly along with optional metadata (issuer, account label, algorithm, digits, and period).

TOTP Parameters

Conduit stores the full set of TOTP parameters for compatibility with any provider:

  • Secret — the Base32-encoded shared secret.
  • Issuer — the service name (e.g., “GitHub”, “AWS”).
  • Account label — your username or email for the service.
  • Algorithm — SHA-1 (default), SHA-256, or SHA-512.
  • Digits — 6 (default) or 8 digit codes.
  • Period — time step in seconds (default 30).

Using TOTP Codes

When a credential has TOTP configured, the entry dashboard displays a live TOTP code with a circular countdown timer showing the remaining validity period. Click the code to copy it to your clipboard.
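
The parameters listed above are the ones carried in an otpauth:// URI and consumed by the RFC 6238 algorithm. The following sketch is an added example, not Conduit's own code: it parses such a URI with the documented defaults, computes the code, and reports the seconds left in the current period. The function names are hypothetical, and the sample URI is constructed from the RFC 6238 test secret.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs, unquote

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample: the secret is the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

def parse_otpauth(uri):
    """Extract TOTP parameters from an otpauth:// URI, applying the defaults."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("missing secret")
    # The label is "issuer:account" or just "account".
    issuer_prefix, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    params = {
        "secret": q["secret"].replace(" ", "").upper(),
        "issuer": q.get("issuer") or issuer_prefix or None,
        "account": account.strip(),
        "algorithm": q.get("algorithm", "SHA1").upper(),  # default SHA-1
        "digits": int(q.get("digits", 6)),                # default 6
        "period": int(q.get("period", 30)),               # default 30 s
    }
    if (params["algorithm"] not in ALGORITHMS or params["digits"] not in (6, 8)
            or params["period"] <= 0):
        raise ValueError("unsupported TOTP parameters")
    return params

def totp(params, now):
    """Return the RFC 6238 code for Unix time `now`."""
    secret = params["secret"]
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore stripped padding
    counter = struct.pack(">Q", int(now) // params["period"])  # 8-byte time-step counter
    mac = hmac.new(key, counter, ALGORITHMS[params["algorithm"]]).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** params["digits"]).zfill(params["digits"])

def seconds_remaining(params, now):
    """Seconds until the current code expires (what a countdown timer shows)."""
    return params["period"] - int(now) % params["period"]
```

A code that differs from the provider's usually means the algorithm, digits, or period was entered differently from what the provider issued, or the local clock has drifted by more than one period.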

Security

TOTP secrets are encrypted alongside passwords using AES-256-GCM within the vault. They follow the same zero-knowledge architecture as all other credential data — secrets are decrypted only when needed and never leave your device unencrypted.

TOTP data is included in team vault sync, so team members with access to a shared credential also receive the TOTP configuration.

MCP Integration

The MCP credential tools include a has_totp flag on credential metadata, allowing AI agents to determine whether a credential has TOTP configured without accessing the secret itself.

Context Menu Actions

Right-click any credential entry or any connection entry with credentials (inline or linked) to access quick credential actions:

  • Copy Username — copies the username to your clipboard.
  • Copy Password — copies the password to your clipboard.
  • Auto-type — types credentials into the focused field (see below).

These actions resolve the credential automatically, whether it is stored inline on the entry or linked from a standalone credential in the vault.

Auto-Type

Choose Auto-type from the right-click context menu to open a submenu with three options:

  • Type Username — types the username into the focused field.
  • Type Password — types the password into the focused field.
  • Username → Tab → Password — types the username, sends a Tab keystroke to advance to the next field, then types the password — all in one action. This is ideal for login forms where the username and password fields are adjacent.

In-Session Typing

When a Conduit session is active (RDP, SSH, VNC, Web, or local shell), auto-type sends keystrokes directly to that session. A 2-second countdown gives you time to click into the target field before typing begins.

Global Typing (External Apps)

When no session is active, auto-type sends keystrokes to whatever application is currently focused on your desktop — a browser login form, another terminal app, or any other text field. A 3-second countdown gives you time to switch to the target app and click the right field.

Global typing uses OS-level keystroke simulation: AppleScript on macOS and PowerShell SendKeys on Windows.

macOS: On first use, Conduit will prompt you to grant Accessibility permission. The app is automatically added to the list in System Settings → Privacy & Security → Accessibility — you just need to toggle it on.

Tags

Organize credentials with tags for easy filtering and identification. Tags help you quickly find the right credential when managing a large number of entries.

Security

Credentials are only decrypted when actively used for a connection. MCP credential reads require explicit user approval via an in-app dialog, ensuring that AI agents cannot silently access your secrets.

Import

Credentials can be imported from Devolutions Remote Desktop Manager (.rdm files) with automatic decryption, or from Conduit export files (.conduit-export) with passphrase-based decryption. This makes migrating from other tools or transferring between vaults straightforward.