Operational security tips
Oten Drive's cryptography is strong. In practice, the weak points are habits and surroundings — not the math. These tips help your behavior match your threat model.
Keys & recovery
Store recovery keys off the device. Keep your User Recovery Key and each Vault Recovery Key in a password manager on separate hardware, or a physical safe. A recovery key sitting on the device it protects is both a loss risk and, for a vault with Shadow Layers, a hint.
Use strong, unique vault passwords. Vault and layer passwords are cryptographic. Don't reuse them across layers or with other services.
Keep a private record of which password opens which layer — ideally memorized. Never label layers "real"/"fake" anywhere.
Devices
Lock when you step away. Auto-Lock seals vaults on crash or exit, but an explicit lock is deliberate and immediate.
Set up Panic before you need it. Decide what it wipes/hides, and practice triggering it. Consider Ghost Exit for the "just make it disappear" case.
Keep the OS and app updated. On macOS, install Sparkle updates promptly.
Mind screens and shoulders. File names and previews are plaintext on screen even though they're encrypted at rest.
Deniability discipline
Make decoys believable. A decoy layer should look lived-in — real, harmless files you actually touch.
Don't cross-link layers. Avoid file names, shares, or references that reveal another layer exists.
Be consistent under pressure. The system reveals nothing; your reactions can. See What Shadow Layers do not protect against.
Sharing
Set expirations and send share passwords over a separate channel.
Review and revoke shares periodically; clear expired ones.
Think about scope — a vault share exposes everything in that layer.
Security is a routine, not a one-time setup. Revisit these as your situation changes.
Last updated