diff --git a/docs/coming-soon/_category_.json b/docs/coming-soon/_category_.json
new file mode 100644
index 0000000..d6872b5
--- /dev/null
+++ b/docs/coming-soon/_category_.json
@@ -0,0 +1,8 @@
+{
+ "label": "Coming Soon",
+ "position": 7,
+ "link": {
+ "type": "doc",
+ "id": "coming-soon/index"
+ }
+}
diff --git a/docs/coming-soon/index.md b/docs/coming-soon/index.md
new file mode 100644
index 0000000..b0db0a5
--- /dev/null
+++ b/docs/coming-soon/index.md
@@ -0,0 +1,18 @@
+---
+id: index
+title: Coming Soon
+sidebar_position: 1
+---
+
+# Coming Soon
+
+These features are currently in **early access** and will be fully available in upcoming releases.
+
+## Hub 1.5.0
+
+- [User & Group Management](/hub/user-group-management) — Manage users, groups, roles, and permissions directly in Hub
+- Emergency Access {/* TODO: Replace with link once docs are created */}
+
+## Desktop 1.19.0
+
+- [Files-in-use](/desktop/files-in-use) — Prevent accidental overwrites when multiple users edit the same file in a shared vault
diff --git a/docs/desktop/files-in-use.md b/docs/desktop/files-in-use.md
new file mode 100644
index 0000000..0543721
--- /dev/null
+++ b/docs/desktop/files-in-use.md
@@ -0,0 +1,60 @@
+---
+id: files-in-use
+title: Files in Use
+sidebar_position: 18
+---
+
+# Files in Use
+
+:::info
+This feature is only available for [Cryptomator Hub](/docs/hub/introduction.md) vaults.
+:::
+
+When multiple people work in a shared vault, two users might try to edit the same file at the same time.
+The **Files in Use** feature helps prevent accidental overwrites in this situation.
+
+## When This Feature Applies {#when-this-feature-applies}
+
+You can run into concurrent edits when:
+
+- a Cryptomator Hub vault is used by multiple team members
+- the vault is synced across multiple devices
+- the vault is accessed over a network share
+
+If another user is currently editing a file, Cryptomator can block opening that file for writing on your side.
+
+:::note
+The usage information is passed with the files being edited.
+Therefore, it requires either the vault residing on shared storage (for example, a network share) or file synchronization.
+In the latter case, it takes around 10s until the status is synchronized to other devices (depending on the sync app).
+:::
+
+## What You Will See {#what-you-will-see}
+
+If a file is currently in use by someone else, Cryptomator shows a notification in the app.
+This means another device or user has an active edit session for that file.
+
+
+
+## What You Can Do {#what-you-can-do}
+
+In most cases, the best action is to wait until the other person finishes editing and then try again.
+
+You can also choose to ignore the use status and continue.
+Use this only if you are sure it is safe, because forcing access can overwrite someone else's newer changes.
+
+We recommend the following sequence when receiving a "File is in use" notification:
+1. Ask the person shown in the notification whether they are still editing the file.
+1. If they already closed the file but it is still shown as "in use", use "Ignore Use Status".
+1. Open a file marked as in use without checking with teammates only in exceptional situations.
+1. In that case, create a backup copy first to avoid losing edits.
+
+## Stale Use Status {#stale-use-status}
+
+The use status is cleared after some time without file updates (around 10 min).
+If this happens, access is possible again.
+This helps in cases such as device sleep, crashes, or interrupted sessions.
+
+## Related Topics {#related-topics}
+
+- [Synchronization Conflicts](/docs/desktop/sync-conflicts.md)
diff --git a/docs/hub/admin.md b/docs/hub/admin.md
index 202df67..9b63635 100644
--- a/docs/hub/admin.md
+++ b/docs/hub/admin.md
@@ -80,6 +80,24 @@ The following events are logged:
- **Reset User Account** – A user [reset their account](your-account.md#reset-account).
- **User Keys Change** – A user changed their keys. This happens when, e.g., the user [finished the account setup](your-account.md#account-setup) or when the `Account Key Changed`.
+
+#### Emergency Access {#event-type-emergency-access}
+
+:::info Early Access
+This feature is currently in **early access** and will be fully available in an upcoming release.
+:::
+
+- **Emergency Access Setup** – A vault owner set up or updated Emergency Access for a vault (for example by assigning council members and key shares in Vault Details).
+- **Emergency Access Settings Updated** – An admin changed global Emergency Access settings in Admin.
+- **Emergency Access Recovery Started** – A council member started an Emergency Access recovery process.
+- **Emergency Access Recovery Approved** – A council member approved a running recovery process by submitting their recovered key share.
+- **Emergency Access Recovery Completed** – A council member completed a recovery process after enough key shares were collected.
+- **Emergency Access Recovery Aborted** – A council member aborted a running recovery process.
+
+:::note
+When a council member starts a process, they automatically contribute their own key share. This logs both `Emergency Access Recovery Started` and `Emergency Access Recovery Approved`.
+:::
+
#### Legacy {#event-type-legacy}
- **Claim Vault Ownership** – A user claimed vault ownership. This event is logged when a vault created with hub pre 1.3.0 is claimed by the vault creator using the `Vault Admin Password`.
@@ -132,3 +150,26 @@ If a user resets their account, their [User Key Pair](/docs/security/hub.md#user
Additionally, any existing trust chains that included the user will be broken, requiring re-verification to restore trust.
:::
+
+## Emergency Access
+
+This configuration defines default Emergency Access values for new or updated vaults.
+
+
+
+Enable `Enable Emergency Access` and configure:
+
+* `Required Keys`: Number of required key shares
+* `Keyholders`: Default council members (only activated users)
+* Optional: `Let vault owners choose different keyholders`
+* Optional: `At least` (minimum members if owners can choose a different council)
+
+:::warning
+A council without redundancy (`Required Keys == number of council members`) is possible, but not recommended.
+:::
+
+:::info Enterprise Feature
+The following Audit Log feature is available only in the **Enterprise Edition**:
+
+- Emergency Access Audit Logs
+:::
diff --git a/docs/hub/emergency-access.md b/docs/hub/emergency-access.md
new file mode 100644
index 0000000..3964b51
--- /dev/null
+++ b/docs/hub/emergency-access.md
@@ -0,0 +1,124 @@
+---
+id: emergency-access
+title: Emergency Access
+sidebar_position: 9
+---
+
+# Emergency Access
+
+:::info Early Access
+This feature is currently in **early access** and will be fully available in an upcoming release.
+:::
+
+:::info Enterprise Feature
+Visit [cryptomator.org](https://cryptomator.org/hub/) for more information about Enterprise features.
+:::
+
+Emergency Access allows a defined council to restore access to a vault using key splitting based on **Shamir's Secret Sharing**. A process can only be completed once enough council members approve it.
+
+## Define Emergency Access During Vault Creation
+
+When creating a new vault, there is a dedicated step called `Define Emergency Access Conditions`. For the full vault creation workflow, see [Vault Management](vault-management.md#create-a-vault).
+
+## Define Emergency Access for Existing Vaults
+
+For existing vaults, Emergency Access can be configured or updated in `Vault Details`. See [Setup/Fix Emergency Access Council](vault-management.md#emergency-access-council).
+
+## Start a Recovery Process
+
+There are two process types:
+
+1. `Change Permissions`: Change vault owners/members
+2. `Change Council`: Change Emergency Access council and threshold
+
+Open the `Emergency Access` page, select the vault, and start the desired process type.
+
+
+
+Only one running process per type is allowed for a vault.
+
+### Change Permissions
+
+When starting `Change Permissions`, you select:
+
+* future `Owners`
+* future `Members`
+
+Users that are no longer part of the selected set are shown as `Removed`.
+
+
+
+
+### Change Council
+
+When starting `Change Council`, you select:
+
+* the new council members that should hold emergency key shares
+
+The required keys are defined by the configuration in the [Admin settings](admin.md#emergency-access).
+
+
+
+:::note
+When starting a process, the initiating user usually adds the first key share automatically.
+:::
+
+## Approve a Recovery Process
+
+In the `Emergency Access` vault list, a running process shows a split process button.
+If a council member has not yet added their share, the right side of the button shows `Approve now`.
+
+
+
+Hover (or click) the **left side** of the process button (the segment ring area) to open the process details popover.
+This popover shows:
+
+* process type and required key shares
+* current progress
+* process council members
+* per-member status (`Added` / `Pending`)
+
+
+
+To approve, click the **right side** of the process button (`Approve now`) to open the `Approve Emergency Access` dialog.
+In this dialog, review the process details and click `Approve` to submit your key share.
+
+
+
+After submitting your share, the button shows `Waiting for other approvals`. You can track the ongoing process progress in the same process button and its details popover.
+
+## Complete a Recovery Process
+
+As soon as enough shares are available, the process button in the `Emergency Access` vault list shows `Complete now`.
+
+
+
+Click `Complete now` to open the `Complete Emergency Access` dialog. In this dialog, review the process details and click `Complete Process` to finalize the recovery process.
+
+
+
+Results by type:
+
+* `Change Permissions`: Vault roles are updated and required access grants are redistributed
+* `Change Council`: The recovery key is re-split using the new council configuration
+
+After successful completion, the process is removed.
+
+## Abort a Recovery Process
+
+Running processes can be canceled in the dialog using `Abort this Process`.
+
+
+
+
+## Typical States and Notes
+
+The following warning states can appear in the Emergency Access list:
+
+* `No Vault Council Member anymore`: The user is still part of a running process but no longer part of the current vault council
+* `Broken Emergency Access`: Too few valid shares remain (for example after council members reset their accounts)
+* `No Redundancy`: No fault tolerance in the council
+
+## Audit Log Events
+
+See [Emergency Access Audit Log events](admin.md#event-type-emergency-access).
diff --git a/docs/hub/user-group-management.md b/docs/hub/user-group-management.md
index ec11037..bbbbf21 100644
--- a/docs/hub/user-group-management.md
+++ b/docs/hub/user-group-management.md
@@ -6,69 +6,185 @@ sidebar_position: 3
# User & Group Management
-Users and groups are managed in [Keycloak](https://www.keycloak.org/), a powerful, open source identity and access management solution.
-In the default configuration Cryptomator Hub provides its own Keycloak instance, but you can also integrate an existing instance.
+:::info Early Access
+This feature is currently in **early access** and will be fully available in an upcoming release.
+:::
-You can access the Keycloak management interface over the admin section of Hub.
+Users and groups are managed directly in the Cryptomator Hub admin interface. As an administrator, you can create, edit, and delete users and groups, assign roles, and manage group memberships.
-
+Access the user and group management from the navigation bar in the admin area.
-There you can perform all users or groups related tasks, such as
-[creating new users](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-user_server_administration_guide),
-[deleting users](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-deleting-user_server_administration_guide) or
-[manage groups](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-managing-groups_server_administration_guide).
+## User Management {#user-management}
+
+### User List {#user-list}
+
+The user list displays all users in your Hub instance. You can search for users by name or email and see key metrics for each user:
+
+- Number of accessible **vaults**
+- Number of **group** memberships
+- Number of registered **devices**
+
+
+
+### Create User {#create-user}
+
+To create a new user, click the "Create User" button in the user list. Fill in the following fields:
+
+- **Profile Picture URL**: Optional URL to a profile picture
+- **First Name**: The user's first name
+- **Last Name**: The user's last name
+- **Username**: A unique identifier for the user (cannot be changed later)
+- **Email**: The user's email address
+- **Roles**: Assign roles to the user (see [Roles](#roles))
+- **Password**: Set an initial password for the user
+
+
+
+After creation, the user can log in with their credentials and complete the [account setup](your-account.md#account-setup).
+
+### Edit User {#edit-user}
+
+To edit a user, navigate to the user's detail page and click "Edit". You can modify:
+
+- Profile Picture URL
+- First Name
+- Last Name
+- Email
+- Roles
+- Password (set a new password)
:::note
-Subgroups are not supported at this time.
+Username cannot be changed after user creation.
:::
-## Connect External IAM {#connect-external-iam}
+### Delete User {#delete-user}
-Alternatively to the in-house administration, you can also connect Keycloak to other identity and access management solutions (IAM) to keep your user management centralized.
-You can either only synchronize existing users and groups from your IAM (using LDAP or Active Directory) or completely delegate the authentication process to your IAM via OpenID Connect or SAML.
+To delete a user, you can either click the delete button in the user list or navigate to the user's detail page and click on the options button next to the "Edit" button, then select "Delete". A confirmation dialog will appear. Deleting a user will:
-Setting up LDAP synchronization is described in the [Keycloak documentation](https://www.keycloak.org/docs/latest/server_admin/#_ldap).
-For OpenID Connect and SAML, the Keycloak documentation provides [general information](https://www.keycloak.org/docs/latest/server_admin/#_identity_broker).
-A good step-by-step guide for connecting Microsoft Entra with OpenID Connect can be found [here](https://dev.to/andremoriya/keycloak-azure-active-directory-4cg4).
+- Remove the user from all groups
+- Revoke access to all vaults
+- Delete all registered devices
-:::note
-With `LDAP`, all users and groups are imported and synchronized with Keycloak, so they are available immediately after setup.
-With `OpenID Connect` or `SAML`, users are unknown to Keycloak and Hub *until they log in for the first time*.
+:::warning
+This action cannot be undone.
:::
+### User Details {#user-details}
+
+The user detail page shows comprehensive information about a user:
+
+- **Groups**: All groups the user is a member of
+- **Accessible Vaults**: Vaults the user has access to (directly or through group membership)
+- **Devices**: All registered devices of the user
+- **Legacy Devices**: Devices registered with older Hub versions (see [Legacy Devices](your-account.md#legacy-devices))
+
+
+
+## Group Management {#group-management}
+
+Groups allow you to organize users and grant vault access to multiple users at once.
+
+### Group List {#group-list}
+
+The group list displays all groups with:
+
+- Number of **members**
+- Number of accessible **vaults**
+
+
+
+### Create Group {#create-group}
+
+To create a new group, click the "Create Group" button. Fill in:
+
+- **Profile Picture URL**: Optional URL to a group picture
+- **Name**: A descriptive name for the group
+
+
+
+### Edit Group {#edit-group}
+
+To edit a group, navigate to the group's detail page and click "Edit". You can modify the group name and profile picture URL.
+
+### Delete Group {#delete-group}
+
+To delete a group, you can either click the delete button in the group list or navigate to the group's detail page and click on the options button next to the "Edit" button, then select "Delete". A confirmation dialog will appear. Deleting a group will:
+
+- Remove all members from the group
+- Revoke group-based vault access (users may still have direct access)
+
:::warning
-Regardless of your choice, your Keycloak instance always contains two local users: `admin` and `syncer`. **Do not edit or delete them!** The first one is for administration tasks and the second one is used to synchronize users and groups between Keycloak and Hub.
+This action cannot be undone.
+:::
+
+### Group Details {#group-details}
+
+The group detail page shows:
+
+- **Members**: All users who are members of this group
+- **Accessible Vaults**: Vaults the group has access to
+
+
+
+### Manage Group Members {#manage-group-members}
+
+From the group detail page, you can:
+
+- **Add Members**: Click "Add Member" to search for and add users to the group
+- **Remove Members**: Click the remove button next to a member to remove them from the group
+
+
+
+:::note
+Subgroups are not supported at this time.
:::
## Roles {#roles}
-There are four different roles in Cryptomator Hub:
+There are three roles in Cryptomator Hub:
-* **user**: A user can open vaults and manage their own account.
-* **admin**: An admin manages the Keycloak realm, can see the audit log, and can create vaults.
-* **create-vault**: Only users with this role can create vaults. The role is inherited by the `admin` role.
+| Role | Description |
+|------|-------------|
+| **user** | Default role. Can open vaults and manage their own account. |
+| **admin** | Can manage users and groups, view audit logs, and create vaults. |
+| **create-vault** | Allows users to create new vaults. Inherited by the admin role. |
-The `user`, `admin`, and `create-vault` roles are assigned to users or groups via the Keycloak admin console by an existing user with the `admin` role.
+Roles are assigned when creating or editing a user. The `user` role is assigned by default to all users.
### Create Vault Role {#create-vault-role}
-By default, this role is only assigned to the `admin` role. This means that only users with the `admin` role can create vaults. If you want to allow other users to create vaults, you can assign the `create-vault` role to them directly or via a group.
+By default, only users with the `admin` role can create vaults. To allow other users to create vaults, assign the `create-vault` role to them when creating or editing the user.
+
+## User Avatars {#user-avatars}
-If you want that all users can create vaults, assigning the `create-vault` role as transient role to the `user` role. This way, every user will have the `create-vault` role as well.
+Users can have profile pictures displayed throughout Hub (e.g., in vault member lists). As an administrator, you can set the profile picture URL when creating or editing a user.
-To allow all users vault creation, assign `create-vault` as a transient role to the `user` role:
+The avatar can be provided as a URL to an image (e.g., `https://example.com/avatar.png`).
-1. Open the Keycloak admin console.
-2. Select `Realm roles`.
-3. Select the `user` role.
-4. Select `Assign role`.
-5. Select the `create-vault` role.
-6. Apply with `Assign`.
+If no profile picture is set, a generated avatar based on the user's name will be displayed.
-## User Avatars {#user-avatars}
+## Enterprise: External Identity Management {#enterprise-external-iam}
+
+
+
+:::info Enterprise Feature
+Connecting external identity and access management (IAM) solutions is available as an Enterprise feature. This allows you to:
+
+- Synchronize users and groups from LDAP or Active Directory
+- Delegate authentication via OpenID Connect or SAML
+- Keep your user management centralized in your existing IAM
-Cryptomator Hub supports user avatars. As an administrator, you can enable this feature in the administration area by creating a user "picture" profile attribute in the "User Profile" setting in the Realm in Keycloak. See [Keycloak Documentation](https://www.keycloak.org/ui-customization/avatars#_setting_a_picture_attribute_from_the_admin_console) for more information.
+You can access the Keycloak management interface from the admin section of Hub. There you can perform all user and group related tasks, such as
+[creating new users](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-user_server_administration_guide),
+[deleting users](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-deleting-user_server_administration_guide) or
+[managing groups](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-managing-groups_server_administration_guide).
+
+Setting up LDAP synchronization is described in the [Keycloak documentation](https://www.keycloak.org/docs/latest/server_admin/#_ldap).
+For OpenID Connect and SAML, the Keycloak documentation provides [general information](https://www.keycloak.org/docs/latest/server_admin/#_identity_broker).
+
+Visit [cryptomator.org](https://cryptomator.org/hub/) for more information about Enterprise features.
-When enabled, users can define their avatar in their Keycloak profile page. The avatar is then displayed in Cryptomator Hub, for example in the vault member list.
-The avatar needs to be provided as a URL (e.g. https://path_to_image.png) or as a Base64 encoded data image (e.g. `data:image/svg+xml;base64,content`).
+:::warning
+Regardless of your IAM setup, your Hub instance always contains two system users: `admin` and `syncer`. **Do not edit or delete them!** These accounts are required for administration and synchronization tasks.
+:::
diff --git a/docs/hub/vault-management.md b/docs/hub/vault-management.md
index aa7107b..45bfee7 100644
--- a/docs/hub/vault-management.md
+++ b/docs/hub/vault-management.md
@@ -25,6 +25,14 @@ Alternatively, you can also access the list by clicking on the `Vaults` tab in t
* As an admin of the Hub instance, you can see all vaults, but you can only access those that you have been granted access to.
:::
+:::note Emergency Access Status in Vault List (Enterprise only, early access)
+In the `Vault List`, owners can see the Emergency Access status directly via badges:
+
+* `Council missing`: No council is configured on the vault
+* `Broken Emergency Access`: Too few valid shares remain (for example after council members reset their accounts)
+* `No Redundancy`: No fault tolerance in the council
+:::
+
## Create a Vault {#create-a-vault}
:::note
@@ -37,6 +45,25 @@ Fill out the form and continue the process by clicking the `Next` button in the
+If the [Emergency Access](emergency-access.md) feature is enabled, the following step appears:
+
+Here, the conditions for Emergency Access are defined for the new vault.
+If the administrator allows custom council selection, you can adjust the default council.
+Select the council members who should participate in emergency recovery and review the example recovery scenario.
+Click `Next` to continue to the recovery key step.
+
+:::info Early Access
+Emergency Access is currently in **early access** and will be fully available in an upcoming release.
+:::
+
+:::info Enterprise Feature
+Visit [cryptomator.org](https://cryptomator.org/hub/) for more information about Enterprise features.
+:::
+
+
+
+
+
In the next step, the vault *recovery key* is displayed.
It can [restore access to the vault data](vault-recovery.md) in case of an emergency, e.g. if Cryptomator Hub is down.
Store it at a safe location, tick the checkbox and complete the setup by clicking the `Create Vault` button at the bottom
@@ -75,9 +102,11 @@ Open the [vault details](#vault-details) page to manage a vault.
* `Shared with` members list
* `Update Permissions` button (only clickable if necessary)
-* `Edit Vault Metatdata` button
+* `Edit Vault Metadata` button
* `Download Vault Template` button
* `Show Recovery Key` button
+* `Setup Emergency Access Council` button (Enterprise only and only visible if necessary)
+* `Fix Emergency Access Council` button (Enterprise only and only visible if necessary)
* `Archive Vault` button
### Share a Vault {#share-a-vault}
@@ -116,6 +145,10 @@ Download the vault template only once! If you download it multiple times, you wi
To show the vault recovery key, click on the `Show Recovery Key` button in the [vault details](#vault-details). It shows the same recovery key shown during vault creation. You can use it to [restore access to the vault data](vault-recovery.md) in case of an emergency, e.g. if Cryptomator Hub is down. Store it at a safe location.
+### Setup/Fix Emergency Access Council {#emergency-access-council}
+
+To configure [Emergency Access](emergency-access.md) for a vault, click `Setup Emergency Access Council` in the [vault details](#vault-details). If Emergency Access is already configured but needs correction, click `Fix Emergency Access Council`. This opens a dialog where you define the council members and confirm with `Grant`.
+
### Archive Vault {#archive-vault}
To archive the vault, click on the `Archive Vault` button in the [vault details](#vault-details). It archives the vault and removes it from the "accessible" vault list.
diff --git a/src/pages/index.module.css b/src/pages/index.module.css
index 62e2b29..73cabfb 100644
--- a/src/pages/index.module.css
+++ b/src/pages/index.module.css
@@ -1,3 +1,20 @@
+.announcementPill {
+ display: inline-block;
+ padding: 0.4rem 1rem;
+ margin-bottom: 1rem;
+ border-radius: 2rem;
+ background-color: rgba(255, 255, 255, 0.15);
+ color: white;
+ font-size: 0.9rem;
+ text-decoration: none;
+}
+
+.announcementPill:hover {
+ background-color: rgba(255, 255, 255, 0.25);
+ color: white;
+ text-decoration: none;
+}
+
.heroLogo {
width: 160px;
height: 160px;
diff --git a/src/pages/index.tsx b/src/pages/index.tsx
index b6b2340..96ed669 100644
--- a/src/pages/index.tsx
+++ b/src/pages/index.tsx
@@ -15,7 +15,12 @@ function HomepageHeader() {
return (