FAQ
What is a "sosreport"?
A diagnostic tarball produced by Red Hat's sosreport command on a Linux host. It bundles logs, configuration, and system state from the moment the command runs. sos-vault ingests these tarballs, decrypts and indexes their contents, and lets analysts navigate the resulting case.
Why a "vault"?
A vault is the per-team container for cases. Each vault has its own decryption key material, can be opened or closed independently, and is isolated from other teams' vaults on the same appliance. Sharing happens at the case level, not by handing out keys.
Why ZFS?
The vault disk uses ZFS for transparent compression (compression=lz4), no-atime, and online expansion. Adding a new disk through the Disk Manager page is a non-destructive zpool add — no downtime, no migration.
What happens when my license expires?
Existing users can still sign in and read existing cases. The appliance refuses to create new users while the installed license is expired. Renew through the Customer Portal — the renewal flow extends from the previous expiry, so renewing 30 days early still gives you a full term.
I am moving the appliance to new hardware. What do I do?
Licenses are bound to /etc/machine-id. Get a replacement .lic from the Customer Portal that binds to the new host's machine id, then upload it from Manage License after migration.
What data leaves the appliance?
None by default. Module downloads from the Customer Portal pull module tarballs over HTTPS. Optional LLM model pulls reach upstream model hosts. The sos-vault:capture-server-report command produces a single GPG-encrypted tarball for support; you choose when and how to send it. There is no telemetry, no phone-home, no usage beacon.
Can I run the appliance offline / air-gapped?
Yes. Pre-pull modules and LLM models, then install. Licensing does not require network access once the .lic is uploaded.
Where are case files stored on disk?
Under the ZFS pool mounted at /vault, organised by team and case. Decrypted views during an open vault session are kept on memory-backed storage and disappear when the vault closes.
I forgot the GPG keyring passphrase. What now?
It is not recoverable. The passphrase you entered in installer step 5 unwraps the at-rest encryption key for the vault. Restore from your backups, or rebuild the appliance and re-ingest cases.
Can I use a corporate CA instead of the self-signed cert?
Yes. Upload your fullchain.pem and privkey.pem from Certificate Manager. To also trust an internal root CA at the OS level, upload it under "Corporate Root CA" on the same page.