KW Knowledge base

Files & vault

Mitch Wigham
Updated 24 June 2026

15 · Files & vault

Two storage tools serve different purposes:

  • Files (/files) — object storage for documents and uploads, backed by MinIO. A flat per-tenant file list.
  • Vault (/vault) — a bridge to Vaultwarden (Bitwarden-compatible). It lists Vaultwarden collections, runs an audit-trailed access-request workflow, and links out to the Vaultwarden UI for the actual secrets.

Files

A per-tenant file store backed by MinIO (S3-compatible). All data is written to the configured KWG_DATA_DIR.

Layout

+----------------------------------------------------------+
| Total files  Total size  Images  Documents               |
|----------------------------------------------------------|
| [ Drag & drop or click — max 100 MB ]                     |
|----------------------------------------------------------|
| Search filename…                                  3 files|
|----------------------------------------------------------|
| 📄  onboarding-checklist.pdf  pdf  files  812 KB  3d ago  |
| 🖼  acme-diagram.png          png  files  120 KB  1w ago  |
+----------------------------------------------------------+

📷 Screenshot placeholder: screenshots/files.png

Features

  • Drag-drop (or click) single-file upload.
  • A flat, searchable list — search filters by filename.
  • KPI cards: total files, total size on disk, image count, document count.
  • Per-file Download (via a presigned MinIO URL) and Delete.
  • File rows show a mime-type icon, filename, mime type, bucket badge, size, and upload date.

There are no folders or sub-folders, no in-app preview, no version history, no tokenised share links, and no per-folder permissions — the list is flat and download is the only way to open a file.

Buckets

Storage is split across three MinIO buckets — files (default), documents, and avatars. Each file row shows which bucket it lives in. The Files page uploads to the default files bucket; the other buckets are written by other parts of the platform (e.g. avatars).

Limits

  • 100 MB per file (MAX_FILE_SIZE_MB, configurable). Uploads over the limit are rejected.
  • There is no per-tenant total-storage quota enforced in this module.

Vault

/vault is a bridge page, not an embedded Vaultwarden instance. It shows the connected Vaultwarden instance, the collections in your org, and an access-request workflow. The actual passwords live in Vaultwarden — click Open Vaultwarden ↗ to jump there in a new tab (this uses the instance's configured SSO redirect URL, falling back to the base URL).

If Vaultwarden is not configured for your org, the page shows a warning and the Open Vaultwarden button is hidden — ask an admin to set it up.

Layout

+----------------------------------------------------------+
| 🔐 Vaultwarden  Collections  Memberships  Pending reqs    |
|----------------------------------------------------------|
| My collections                                           |
|   [ Acme prod  MANAGE Owner ]  [ Shared logins  VIEW ]    |
|----------------------------------------------------------|
| Other collections                                        |
|   Beta secrets   owner: Emma   4 members  [Request access]|
|----------------------------------------------------------|
| My requests                                              |
|   Beta secrets   EDIT   PENDING   …            [Cancel]   |
+----------------------------------------------------------+

📷 Screenshot placeholder: screenshots/vault.png

Collections

Vault organises secrets into collections (mapped to Vaultwarden collections). The overview splits them into:

  • My collections — collections you own or are a member of. Each card shows your access level and an Owner badge if you own it.
  • Other collections — collections in the org you can't yet see into; each offers a Request access button.

Collections are created and managed by admins (with a name, optional description, and optional kwGroupKey / externalId mapping). There is no automatic Personal / Team / Per-customer collection layout — the set of collections is whatever admins have created.

Access levels

A membership grants one of three access levels:

Level   Meaning
------  -------------------------------------------------------
VIEW    Read the collection's items
EDIT    Read and edit items
MANAGE  Full control (collection owners are effectively MANAGE)

Requesting access

Sharing is an access-request workflow, not a move-item action:

  1. On a collection you don't have access to, click Request access.
  2. Pick an access level (VIEW / EDIT / MANAGE) and give a reason.
  3. Submit request — it goes to PENDING.
  4. An approver approves or denies it (optionally with a note). Approval adds you as a collection member at the requested level.
  5. You can Cancel your own request while it's still pending.

The My requests table tracks each request's collection, level, status (PENDING / APPROVED / DENIED / CANCELLED), timestamp, and decision note.
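
The request lifecycle above, modelled as a small state machine with an audit trail. This is an added example, not the portal's own code: the class and method names are hypothetical, the mandatory reason is an assumption, and the approver set per collection is supplied by the caller.

```python
from dataclasses import dataclass

LEVELS = ("VIEW", "EDIT", "MANAGE")

@dataclass
class AccessRequest:
    requester: str
    collection: str
    level: str
    reason: str
    status: str = "PENDING"
    note: str = ""

class VaultModel:
    """Hypothetical in-memory model of the workflow; not the portal's code."""

    def __init__(self, approvers):
        self.approvers = approvers   # collection -> set of users allowed to decide
        self.members = {}            # (collection, user) -> access level
        self.audit = []              # append-only trail: (actor, action, collection, level)

    def _transition(self, req, actor, new_status, note=""):
        # Every decision starts from PENDING; APPROVED, DENIED and CANCELLED are final.
        if req.status != "PENDING":
            raise ValueError(f"request is already {req.status}")
        req.status, req.note = new_status, note
        self.audit.append((actor, new_status, req.collection, req.level))

    def request(self, user, collection, level, reason):
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        if not reason.strip():       # assumption: the reason field is mandatory
            raise ValueError("a reason is required")
        req = AccessRequest(user, collection, level, reason)
        self.audit.append((user, "REQUESTED", collection, level))
        return req

    def decide(self, approver, req, approve, note=""):
        if approver not in self.approvers.get(req.collection, set()):
            raise PermissionError(f"{approver} cannot decide on {req.collection}")
        self._transition(req, approver, "APPROVED" if approve else "DENIED", note)
        if approve:                  # approval grants membership at the requested level
            self.members[(req.collection, req.requester)] = req.level

    def cancel(self, user, req):
        if user != req.requester:    # only your own request can be cancelled
            raise PermissionError("only the requester can cancel")
        self._transition(req, user, "CANCELLED")
```

Because every status change goes through `_transition`, a request that has already been decided cannot be cancelled or re-decided, and each change leaves exactly one audit entry.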

What goes in vault

  • Customer admin passwords (held on the customer's behalf)
  • Service account credentials (SMTP, NATS, MinIO, ...)
  • API keys (third-party tools)
  • TLS keys / SSH private keys
  • License keys

What does NOT go in vault

  • Customer-personal passwords (data minimisation — they should rotate their own)
  • Anything the customer hasn't asked us to hold

Two-factor & recovery

Vaultwarden 2FA and master-password recovery are managed inside Vaultwarden itself, independently of the portal. 2FA is strongly recommended. If you forget your Vaultwarden master password, portal admins cannot recover it — recovery is via your Vaultwarden recovery phrase.

Permissions

Action                                    Role
----------------------------------------  -------------------------------------------
View / upload files (/files)              ADMIN / SUPER_ADMIN (page is admin-guarded)
Delete a file                             ADMIN / SUPER_ADMIN
View the Vault overview & request access  any authenticated user
See into a collection's items             collection membership (VIEW/EDIT/MANAGE)
Approve / deny access requests            collection owner / approver
Configure the Vaultwarden instance        admin

Common workflows

Share a file with a colleague

  • Files → upload the file → send them the download link from the file's Download action.
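
A presigned URL is a bearer link: anyone who holds it can download the file until it expires, so it is worth checking the validity window before passing one on. The check below is an added example, not part of the portal. It assumes the Download link is a standard SigV4 presigned URL carrying X-Amz-Date and X-Amz-Expires; the host, credential and signature in the sample are constructed placeholders, and the one-hour limit is a hypothetical team policy.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample link (placeholder host, credential and signature).
SAMPLE_URL = (
    "https://minio.example.internal/files/onboarding-checklist.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=EXAMPLEKEY%2F20260624%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20260624T090000Z&X-Amz-Expires=3600"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=" + "0" * 64
)

def link_window(url):
    """Return (issued, expires) for a SigV4 presigned URL, both in UTC."""
    query = parse_qs(urlsplit(url).query)
    try:
        issued = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        lifetime = int(query["X-Amz-Expires"][0])
    except (KeyError, ValueError) as exc:
        raise ValueError("no SigV4 presign parameters in URL") from exc
    issued = issued.replace(tzinfo=timezone.utc)
    return issued, issued + timedelta(seconds=lifetime)

def share_findings(url, now, max_lifetime=timedelta(hours=1)):
    """List reasons not to pass this link on; an empty list means none found."""
    issued, expires = link_window(url)
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("link is not HTTPS, so the signed URL travels in clear text")
    if now >= expires:
        findings.append("link has already expired")
    if expires - issued > max_lifetime:   # hypothetical team limit
        findings.append(f"link stays valid for {expires - issued}, over the limit")
    return findings
```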

Get access to a customer's credentials

  • Vault → find the collection under Other collections → Request access → pick a level and give a reason → wait for an approver.

Rotate after offboarding

  • When a staff member leaves, an admin removes their collection memberships in Vaultwarden / via the collection members API.
  • Any password that person could see: rotate it.
