Encrypted Filename Modes
When encrypting files with Necron Vault Manager, you have a choice about how the filename is handled. This page explains the two modes: plaintext filenames and encrypted filenames.
Why Filenames Matter
Even if the file content is encrypted, the filename itself can reveal sensitive information. For example:
- medical-records-2026.pdf.ncv3 — reveals the nature of the content
- company-layoff-plan.xlsx.ncv3 — exposes confidential project names
- passport-scan.jpg.ncv3 — indicates personal identity documents
Encrypted filename mode prevents this metadata leakage by replacing the original filename with a random-looking token.
Mode 1: Plaintext Filenames (Default)
When "Encrypt filenames" is turned off (the default for Quick Encrypt):
| Original | Encrypted |
|---|---|
| report.pdf | report.pdf.ncv3 |
| photo.jpg | photo.jpg.ncv3 |
| budget.xlsx | budget.xlsx.ncv3 |
Characteristics:
- The original filename is preserved and visible on disk
- The .ncv3 extension is appended
- File content is fully encrypted
- Anyone who can see the directory listing can see the filenames
Best for:
- Personal use where filename privacy isn't a concern
- Situations where you need to identify files without decrypting
- Quick organization — you can tell which file is which at a glance
Mode 2: Encrypted Filenames
When "Encrypt filenames" is turned on:
| Original | Encrypted |
|---|---|
| report.pdf | a7B2x9KpQ3mNz8Wn1Rk.ncrn |
| photo.jpg | f3Yz8Wn1a7B2xKpQ3mR9.ncrn |
| budget.xlsx | Kp3mNz8Wn1RkQ9a7B2xY.ncrn |
Characteristics:
- The original filename is replaced with a random-looking token
- The same filename always produces the same token (given the same key and vault), allowing the system to find and update files efficiently
- The .ncrn extension is used
- The original filename is stored inside the encrypted file and recovered on decryption
Best for:
- Sensitive environments where filenames shouldn't be visible
- Cloud storage where the cloud provider shouldn't know what you're storing
- Vault storage where the on-disk representation should reveal nothing about the content
Note
If you encrypt the same file twice (same filename, same key, same vault), the encrypted filename will be identical. This is by design — it allows the vault system to overwrite/update existing files efficiently.
Anti-Rename Protection
NCV3 files with encrypted filenames include protection that detects if someone renames the file on disk. If the encrypted file is renamed, decryption will fail.
Warning
Do not rename .ncrn files on disk. The anti-rename protection will cause decryption to fail because the filename no longer matches what's expected.
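The two properties described above (a deterministic token per filename, key and vault, and a rename check at decryption) can be illustrated with a keyed hash. This is an added example, not Necron Vault Manager's code: the page does not document the actual algorithm, so HMAC-SHA256, the function names, `name_key`, `vault_id` and the 20-character token length are all assumptions.

```python
import base64
import hashlib
import hmac

TOKEN_LEN = 20  # assumed token length; the real scheme's length is not documented here


def filename_token(name_key: bytes, vault_id: bytes, filename: str) -> str:
    """Derive a deterministic on-disk name: same key + vault + filename -> same token."""
    # Length-prefix the vault id so (vault, filename) pairs cannot collide
    # through simple concatenation.
    msg = len(vault_id).to_bytes(2, "big") + vault_id + filename.encode("utf-8")
    tag = hmac.new(name_key, msg, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(tag).decode("ascii")[:TOKEN_LEN]
    return token + ".ncrn"


def check_not_renamed(name_key: bytes, vault_id: bytes,
                      on_disk_name: str, recovered_filename: str) -> bool:
    """Rename check: once decryption has recovered the original filename stored
    inside the file, recompute the token and compare it with the name on disk."""
    expected = filename_token(name_key, vault_id, recovered_filename)
    return hmac.compare_digest(expected.encode("ascii"),
                               on_disk_name.encode("utf-8"))


if __name__ == "__main__":
    key = b"\x01" * 32            # constructed sample key
    vault = b"vault-A"            # constructed sample vault identifier
    disk_name = filename_token(key, vault, "report.pdf")
    print("on disk:", disk_name)
    print("second run identical:", disk_name == filename_token(key, vault, "report.pdf"))
    print("other vault differs:", disk_name != filename_token(key, b"vault-B", "report.pdf"))
    print("intact file passes:", check_not_renamed(key, vault, disk_name, "report.pdf"))
    print("renamed file fails:", not check_not_renamed(key, vault, "renamed.ncrn", "report.pdf"))
```

Because the token is deterministic, anyone who can compare two directory listings of the same vault can tell that a file was updated rather than added, even though the name itself stays hidden.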
Choosing the Right Mode
| Consideration | Plaintext | Encrypted |
|---|---|---|
| Privacy | Filenames visible | Filenames hidden |
| Convenience | Easy to identify files | Can't tell files apart without decrypting |
| Cloud storage | Provider sees filenames | Provider sees only tokens |
| Organization | Browse files by name | Need the app to browse |
| Vault usage | Not typical for vaults | Standard for vault storage |
Tip
For day-to-day Quick Encrypt operations on your local machine, plaintext filenames (the default) are usually fine. For vault storage or cloud-synced encrypted files, encrypted filenames provide stronger privacy.
Filename Mode in Different Workflows
| Workflow | Default Mode | Configurable? |
|---|---|---|
| Quick Encrypt | Plaintext (NCV3) | ✅ Toggle "Encrypt filenames" |
| Quick Decrypt | Auto-detected | N/A — follows the file format |
| Vault Import (ADD FILES) | Encrypted | Always encrypted |
| Vault Browser | Encrypted on disk | Original names shown in UI |
Legacy Format Note
Older files encrypted with the OTP1 format used plaintext filenames with a .ncrn suffix. This legacy format is still supported for decryption but is no longer offered as an encryption option. All new encryptions use NCV3 or NCV2.