USB Dongle Provisioning
When you subscribe to Pro tier, your encryption key material must be written to a physical USB drive. This process is called dongle provisioning and is handled by a guided wizard inside the desktop app. This page explains the full provisioning flow.
Prerequisites
Before starting the provisioning wizard:
- An active Pro subscription (payment confirmed via Paddle)
- A blank USB drive — any standard USB flash drive works (no special hardware required)
- The Necron Vault Manager desktop app installed and launched
Tip
You don't need an expensive or specialized USB drive. Any USB 2.0/3.0 flash drive will work. The key material is small, so even a low-capacity drive is sufficient. A dedicated USB drive is recommended — avoid sharing it with other files.
Provisioning Wizard
The provisioning wizard runs automatically when a Pro user launches the app without a configured dongle. You can also trigger it manually during the Free → Pro upgrade flow.
Step 1 — Insert USB Drive
Insert a blank USB drive into your computer. The app automatically detects removable drives and displays a list of available targets.
Warning
The wizard will write key material to the selected drive. While it won't erase existing files, using a dedicated USB drive is strongly recommended to avoid accidental file interaction.
Step 2 — Inspect Drive
The app inspects the selected drive to check for:
- Whether a key file already exists on the drive
- Whether other files are present (a warning is shown)
- Whether the drive is writable
If a key file already exists:
- If it matches your account — the drive is already provisioned and can be reused
- If it belongs to a different account — the wizard refuses to overwrite
Step 3 — Write Key Material
The wizard writes your encryption key and configuration files to the USB drive. This includes:
- Key file — contains a unique key identifier, device identifier, and the random key material used for encryption
- Configuration file — tracks key usage and stores vault settings
Step 4 — Register Dongle
After writing the key files, the app registers the dongle with your account on the server. This enables dongle verification on future app launches.
Step 5 — Ready
The wizard completes and the app enters Pro mode. You can now:
- Create vaults
- Encrypt and decrypt files
- Manage vault locations
- The dongle is your key — remove it when not in use
Upgrading from Free to Pro
If you're upgrading from an existing Free tier account, the provisioning process has a special step: your existing software key material is copied from the local file to the USB dongle.
This means:
- Your encryption key stays the same
- All previously encrypted files remain accessible
- Your vaults continue working without re-encryption
- The software key file on your computer is no longer used
The upgrade flow:
- Complete Pro payment via Paddle (website or in-app)
- Relaunch the desktop app
- The app detects your Pro subscription and prompts for USB provisioning
- Insert a USB drive and follow the wizard
- Key material is copied from the local software key to the USB
- The dongle is registered with your account
Note
After a successful Free → Pro upgrade, your local software key file remains on disk but is no longer active. The app uses the hardware dongle exclusively.
Subsequent Launches
After provisioning, subsequent app launches follow a simple flow:
- App starts and scans for USB drives
- Dongle detected and verified with the server
- App enters Pro mode
If the dongle is not present at startup, the gatekeeper screen appears with a prompt to insert the dongle. No decryption is possible without the physical key.
Troubleshooting
| Issue | Solution |
|---|---|
| Drive not detected | Try a different USB port; ensure the drive is formatted (FAT32, exFAT, or NTFS) |
| "Key UID mismatch" error | The USB drive has a key file from a different account — use a different drive |
| "Subscription not active" | Check your subscription status on the website account page |
| Provisioning fails mid-write | Remove and reinsert the drive; retry the wizard — it's safe to re-run |
| Drive appears read-only | Check the physical write-protect switch on the USB drive (if present) |
Security Notes
- Never copy the key files manually between drives. Use the Backup Dongle wizard to create authorized copies with unique device identifiers.
- The server verifies the dongle at every app launch. If you lose a dongle, deactivate it from your account to prevent unauthorized use.
Next Steps
- Backup Dongles — create backup copies of your key
- Free vs. Pro Tiers — understand the security differences
- Creating a Vault — start encrypting files