Cloud sync

Last updated: 28 Jun 2026

Replica batches only—ciphertext on the server, KDF stays local.

Who this is for

Premium subscribers who want cross-device ciphertext replication without manual .nt2backup shuttling—while keeping key derivation and decryption local-first.

What you need

  • Tier: NT² Premium (when PREMIUM_SYNC_REQUIRED is on in production)
  • Vault state: Unlocked; Vault Key DID provisioned
  • Network: Online for enable, register, push, and pull
  • Feature toggle: Sync API configured (PUBLIC_API_URL)

Steps

Check Premium status

  1. Open Settings → Vault & sync → NT² Premium (https://se.nt2.me/settings/vault/premium).
  2. Subscribe via Lemon Squeezy checkout or redeem a promo code. Checkout uses your Vault Key DID—complete unlock once before upgrading.
  3. Confirm Premium active before enabling sync in production.

Enable cloud sync

  1. Open Settings → Vault & sync → Cloud sync (https://se.nt2.me/settings/vault/sync).
  2. Review status: cloud registered, last sync time, remote item counts.
  3. Choose Enable cloud sync. NT²:
    • Authenticates with Key DID signature (nonce challenge, session token).
    • Registers your vault: uploads existing vault_meta salt (Plan B escrow), public Key DID material, and optional password verifier—see Salt escrow.
    • Pushes an initial full replica batch (items metadata; attachments follow separately).
  4. Wait for Sync complete; syncEnabled is stored in local vault_meta.

Sync manually or on change

  1. Use Sync now after large imports or when another device made changes.
  2. NT² merges remote tombstones and updates locally—conflicts resolve via replica watermark rules.
  3. Disable cloud sync stops push/pull on this device only; server ciphertext remains until you delete account data through support processes.

Enrolled devices (threshold vaults)

  1. From Cloud sync, open Manage enrolled devices (https://se.nt2.me/settings/vault/enrolledDevices) when visible.
  2. Rename or revoke replicas that should lose device-factor unlock. Revocation may require password rotation to fully invalidate old shares.

Alternatives without Premium cloud

  • LAN sync and WebRTC P2P sessions (desktop host) pull deltas on the same Wi‑Fi without uploading to NT²—see Cloud sync page hints when available.
  • Offline-first users can stay on .nt2backup export/import only.

Tips and common mistakes

  • Enabling sync uploads your existing salt, never a second random salt. If a different salt were registered, local ciphertext would become undecryptable.
  • Disabling sync locally does not delete R2 attachment blobs; re-enable later to reconcile.
  • After master password change, export a new recovery kit and confirm cloud sync enrolled the updated replica—retry from Settings → Recovery if a banner appears.
  • Dev builds may show Free (dev: sync open to all)—do not assume production behaves the same.
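
The salt tip above, shown as an added Node.js example (not NT² code): a registration that escrows the existing vault_meta salt lets a second device derive the same key locally, while a fresh random salt leaves the stored ciphertext undecryptable. The KDF (scrypt), the cipher (AES-256-GCM), and all function names are assumptions; this page does not specify them.

```javascript
// Added example: why sync registration must escrow the vault's existing salt.
// Assumptions (not from the NT² docs): scrypt as the KDF, AES-256-GCM for items.
const nodeCrypto = require('node:crypto');

// Key derivation happens on the device; only the salt is ever escrowed.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

function encryptItem(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key does not match the ciphertext.
function decryptItem(key, { iv, ct, tag }) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    d.setAuthTag(tag);
    return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
  } catch {
    return null; // GCM tag check failed: wrong key, so wrong salt
  }
}

// Simulates registration followed by a second device pulling the replica.
// reuseSalt=true escrows the existing vault_meta salt (correct);
// reuseSalt=false escrows a fresh random salt (the mistake).
function registerAndPull(password, reuseSalt) {
  const localSalt = nodeCrypto.randomBytes(16); // existing vault_meta salt
  const localKey = deriveKey(password, localSalt);
  const item = encryptItem(localKey, 'constructed sample note');
  const escrowedSalt = reuseSalt ? localSalt : nodeCrypto.randomBytes(16);
  // The server holds salt and ciphertext only, never the password or key.
  const server = { salt: escrowedSalt, items: [item] };
  const secondDeviceKey = deriveKey(password, server.salt);
  return decryptItem(secondDeviceKey, server.items[0]);
}
```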