FAQ
What is a "sosreport"?
A diagnostic tarball produced by Red Hat's sosreport command
on a Linux host. It bundles logs, configuration, and system state from the
moment the command runs. sos-vault ingests these tarballs, decrypts and
indexes their contents, and lets analysts navigate the resulting case.
Why a "vault"?
A vault is the per-team container for cases. Each vault has its own decryption key material, can be opened or closed independently, and is isolated from other teams' vaults on the same appliance. Sharing happens at the case level, not by handing out keys.
Where does the vault live on disk?
In a plain directory (default /vault), configurable from the
Disk Manager page. No ZFS is required. Put that directory on
whatever storage suits you — the system disk, a dedicated volume, or a
network share (NFS/CIFS) mounted by the OS — and grow it using your normal
filesystem tooling.
What happens when my license expires?
Existing users can still sign in and read existing cases. The appliance refuses to create new users while the installed license is expired. Renew through the Customer Portal — the renewal flow extends from the previous expiry, so renewing 30 days early still gives you a full term.
I am moving the appliance to new hardware. What do I do?
Licenses bind to the host fingerprint (machine-id + DMI identifiers). On the
new host, open Manage License → Generate License Request,
copy the SOSV1. key, verify it at sos-vault.com, and order a
replacement .lic from the Customer Portal — then upload it
from Manage License.
What data leaves the appliance?
None by default. Module downloads from the Customer Portal pull module
tarballs over HTTPS. Optional LLM model pulls reach upstream model hosts.
The sos-vault:capture-server-report command produces a single
GPG-encrypted tarball for support; you choose when and how to send it.
There is no telemetry, no phone-home, no usage beacon.
Can I run the appliance offline / air-gapped?
Yes. Pre-pull modules and LLM models, then install. Licensing does not
require network access once the .lic is uploaded.
Where are case files stored on disk?
Under the /vault directory, organised by team and
case. Decrypted views during an open vault session are kept on
memory-backed storage and disappear when the vault closes.
I forgot the GPG keyring passphrase. What now?
It is not recoverable. The passphrase you entered in installer step 5 unwraps the at-rest encryption key for the vault. Restore from your backups, or rebuild the appliance and re-ingest cases.
Can I use a corporate CA instead of the self-signed cert?
Yes. Upload your fullchain.pem + privkey.pem from
Certificate Manager. To also trust an internal root CA at
the OS level, upload it under "Corporate Root CA" on the same page.
Do administrators have to use two-factor authentication?
Yes — admin accounts must enrol in offline TOTP 2FA on first sign-in
(redirected to Settings → Security). It is optional for
non-admin users. If an admin is locked out, reset 2FA for that account with
php artisan 2fa:disable <email|username|id> (see the
Troubleshooting Guide), or turn off
auth.two_factor_required_for_admins to make it optional.
We are behind an internet proxy. What needs configuring?
Nothing for normal use — the web UI and command-line upload are
LAN-local. Only the appliance's outbound calls (Jira/ITSM, Telegram, remote AI,
the AI-model download) and docker image pulls need the proxy. Set
HTTPS_PROXY and NO_PROXY in
/opt/sos-vault/.env and run systemctl restart sos-vault;
configure the docker daemon's proxy separately for image pulls. SMTP mail is not
HTTP and does not go through the proxy. See the Administration Guide for details.