What Shadow Layers do not protect against

Shadow Layers give you strong, cryptographic plausible deniability. But no feature protects against every threat, and being honest about the gaps is what keeps you safe. Here's what Shadow Layers (and Oten Drive generally) cannot do.

They don't hide your behavior

  • Someone watching you type a second password, or noticing you open the app twice, learns something the software can't hide. Deniability depends on your discipline, not just the crypto.

  • Naming, notes, or cross-references that hint at hidden content betray it. Keep everything neutral and never label a layer.

They don't defeat a compromised device

  • Malware, keyloggers, or screen recording on your device can capture passwords and plaintext while a layer is open. Encryption at rest can't help once you've decrypted in front of a compromised system.

  • Someone with your unlocked session sees whatever that layer contains. Lock when you step away.

They don't erase metadata

  • The server can see that activity and blobs exist, their timing, and rough sizes — it just can't read them. Patterns of activity are not hidden.

They don't rescue lost credentials

  • Forgotten password + lost recovery key = permanent loss. There is no backdoor, for you or anyone.

  • A recovery key found on your device can hint that a vault has extra layers. Store keys off the device.

They aren't a substitute for legal/physical safety

  • Deniability is a technical property. It does not protect you from physical coercion continuing, from being compelled under law where that applies, or from consequences outside the software's reach. Understand your real-world threat model.

Read this alongside How Shadow Layers work and Operational security tips. The cryptography is sound; the human layer is where care is required.

Last updated