Operational security tips

Oten Drive's cryptography is strong. In practice, the weak points are habits and surroundings — not the math. These tips help your behavior match your threat model.

Keys & recovery

  • Store recovery keys off the device. Keep your User Recovery Key and each Vault Recovery Key in a password manager on separate hardware, or a physical safe. A recovery key sitting on the device it protects is both a loss risk and, for a vault with Shadow Layers, a hint.

  • Use strong, unique vault passwords. Vault and layer passwords are cryptographic. Don't reuse them across layers or with other services.

  • Keep a private record of which password opens which layer — ideally memorized. Never label layers "real"/"fake" anywhere.

Devices

  • Lock when you step away. Auto-Lock seals vaults on crash or exit, but an explicit lock is deliberate and immediate.

  • Set up Panic before you need it. Decide what it wipes/hides, and practice triggering it. Consider Ghost Exit for the "just make it disappear" case.

  • Keep the OS and app updated. On macOS, install Sparkle updates promptly.

  • Mind screens and shoulders. File names and previews are plaintext on screen even though they're encrypted at rest.

Deniability discipline

  • Make decoys believable. A decoy layer should look lived-in — real, harmless files you actually touch.

  • Don't cross-link layers. Avoid file names, shares, or references that reveal another layer exists.

  • Be consistent under pressure. The system reveals nothing; your reactions can. See What Shadow Layers do not protect against.

Sharing

  • Set expirations and send share passwords over a separate channel.

  • Review and revoke shares periodically; clear expired ones.

  • Think about scope — a vault share exposes everything in that layer.

Security is a routine, not a one-time setup. Revisit these as your situation changes.

Last updated