Best Practices
This page provides practical security recommendations for getting the most out of Necron Vault Manager's protection. Whether you're a Free tier user with a software key or a Pro user with a hardware dongle, these practices will help you maintain strong data security.
Key Management
Use a Hardware Dongle for Sensitive Data
The single most impactful security decision is using a Pro tier hardware dongle instead of a software key for anything sensitive. A physical dongle:
- Cannot be copied or extracted remotely; an attacker needs the physical device
- Requires physical possession to decrypt
- Can be stored in a safe when not in use
- Supports backup copies on separate USB drives
Tip
If you're using the Free tier for evaluation, you can upgrade to Pro at any time. Your existing encrypted files remain fully compatible — the provisioning process copies your key material to the USB dongle.
Create Backup Dongles
Pro users can create up to 5 backup dongles that share the same encryption key. Store at least one backup in a separate physical location from your primary dongle, for example:
- One in your home
- One in a bank safe deposit box
- One with a trusted family member
If your primary dongle fails, is lost, or is stolen, a backup dongle provides full access to all your encrypted data.
Danger
If you lose all copies of your dongle key material (including backups), your encrypted data becomes permanently inaccessible. There is no recovery mechanism — this is fundamental to the zero-knowledge security model.
Protect Your Software Key (Free Tier)
If you're using the Free tier software key:
- Do not reinstall Windows without first exporting your key or decrypting critical files — the software key is bound to your Windows user profile
- Do not delete your user profile — this destroys the secrets needed to access the key
- Keep backups of important files in decrypted form, but on a separately protected medium (for example an external drive with full-disk encryption), because such copies are outside Necron's protection
- Consider upgrading to Pro for truly important data
Vault Configuration
Use Multiple Storage Locations
Configure at least 2–3 storage locations for each vault, ideally across different providers:
| Example Setup | Resilience |
|---|---|
| Local + Dropbox | Survives loss of either copy (local disk failure or Dropbox data loss), but not both |
| Local + Dropbox + Google Drive | Survives loss of any two locations at once |
| Local + External USB + OneDrive | Survives loss of any two locations at once |
The more diverse your locations, the stronger the self-healing capability.
Mix Provider Types
Don't put all locations on the same provider. If Dropbox has an outage or data loss, having Google Drive and a local copy means your data survives.
Recommended combinations:
- One local folder (fast, always online)
- One cloud folder on Provider A (off-site backup)
- One cloud folder on Provider B (diversity)
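The following is an added illustration of why multiple verified locations let a vault self-heal; it is not Necron's own code and does not reflect its file format. It assumes that each location holds the same set of encrypted files and that the vault keeps a manifest of the SHA-256 digest of each file's correct ciphertext, so that a damaged or missing copy can be told apart from a good one. Locations, file names and contents are constructed sample data.

```python
import hashlib
from typing import Dict, List, Tuple

# A vault location (local folder, Dropbox, Google Drive, ...) is modelled as a
# dict mapping a vault-relative path to the encrypted file bytes stored there.
# The manifest maps each path to the SHA-256 digest of its correct ciphertext
# (assumed format for this example only).
Location = Dict[str, bytes]
Manifest = Dict[str, str]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_vault() -> Tuple[Manifest, Dict[str, Location]]:
    """Constructed sample: two encrypted files replicated to three locations."""
    # Stand-ins for ciphertext; a real vault would hold encrypted blobs here.
    files = {
        "docs/contract.bin": hashlib.sha256(b"ciphertext-1").digest() * 4,
        "docs/ledger.bin": hashlib.sha256(b"ciphertext-2").digest() * 4,
    }
    manifest = {path: digest(data) for path, data in files.items()}
    locations = {name: dict(files) for name in ("local", "dropbox", "gdrive")}
    return manifest, locations


def check_location(manifest: Manifest, loc: Location) -> Tuple[List[str], List[str]]:
    """Per-location check: which manifest entries are missing or corrupted here."""
    missing = [p for p in manifest if p not in loc]
    corrupted = [p for p, d in manifest.items() if p in loc and digest(loc[p]) != d]
    return missing, corrupted


def self_heal(manifest: Manifest, locations: Dict[str, Location]) -> List[str]:
    """Repair every location from any location that still holds a verified copy.

    Returns the paths that no location holds intact; those are unrecoverable,
    which is exactly the case that more (and more diverse) locations prevent.
    """
    unrecoverable: List[str] = []
    for path, expected in manifest.items():
        good = None
        for loc in locations.values():
            if path in loc and digest(loc[path]) == expected:
                good = loc[path]
                break
        if good is None:
            unrecoverable.append(path)
            continue
        for loc in locations.values():
            if path not in loc or digest(loc[path]) != expected:
                loc[path] = good  # restore from the verified copy
    return unrecoverable


if __name__ == "__main__":
    manifest, locations = build_sample_vault()
    locations["local"]["docs/contract.bin"] = b"garbage after a crash"  # corrupted
    del locations["dropbox"]["docs/contract.bin"]                      # sync error
    print("before:", {n: check_location(manifest, l) for n, l in locations.items()})
    print("unrecoverable:", self_heal(manifest, locations))
    print("after:", {n: check_location(manifest, l) for n, l in locations.items()})
```

With three locations the example recovers a file that is corrupted in one place and missing in another, because the third copy still verifies; if every copy of a file is damaged at the same time, nothing can restore it, which is why the recommendation is at least three locations across different providers.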
Enable Vault 2FA for Critical Vaults
For vaults containing highly sensitive data, enable PIN + TOTP two-factor authentication:
- Adds a knowledge factor (the PIN) and a second possession factor (the authenticator that generates the TOTP code) on top of the dongle
- Prevents unauthorized access even if the dongle is briefly accessible to someone else
- A 6-digit PIN has only one million possible values, so it is not a strong secret on its own; the protection comes from requiring the PIN, the current TOTP code and the dongle together
Note
2FA is optional and can be enabled or disabled at any time from the vault inspector panel. All active vault locations must be online when changing 2FA settings to ensure consistent replication.
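As an added example of what the PIN + TOTP factor involves (not Necron's implementation, whose internals the page does not describe), the block below computes standard RFC 6238 TOTP codes and puts them behind a gate that also checks a PIN. The gate's salted PBKDF2 hashing of the PIN, its acceptance window of one time step, and its lockout after five failed attempts are assumptions chosen for the illustration; the lockout is what keeps a one-million-value PIN from being searched online once an attacker holds the dongle.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per TOTP counter value (RFC 6238 default)
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step)


def verify_totp(key: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    counter = at // TIME_STEP
    return any(
        hmac.compare_digest(hotp(key, counter + drift), code)
        for drift in range(-window, window + 1)
    )


class VaultSecondFactor:
    """PIN + TOTP gate in front of a vault (assumed policy, not Necron's)."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, pin: str, totp_key: bytes, max_attempts: int = 5):
        self.salt = b"constructed-salt-16b"  # would be random per vault in practice
        self.pin_hash = self._hash_pin(pin)
        self.totp_key = totp_key
        self.max_attempts = max_attempts
        self.failures = 0

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, self.PBKDF2_ROUNDS)

    def unlock(self, pin: str, code: str, at: Optional[int] = None) -> bool:
        if self.failures >= self.max_attempts:
            return False  # locked out: the 10^6 PIN space must not be searchable online
        at = int(time.time()) if at is None else at
        # Evaluate both factors before deciding so a failure does not reveal which one was wrong.
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self.pin_hash)
        code_ok = verify_totp(self.totp_key, code, at)
        if pin_ok and code_ok:
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # RFC 6238 test secret; a real vault would use a random key shared with the authenticator.
    key = b"12345678901234567890"
    print("code at t=59:", totp(key, 59))            # 287082 per RFC 6238 Appendix B
    gate = VaultSecondFactor("482913", key)          # constructed PIN
    print("correct PIN + code:", gate.unlock("482913", totp(key, 59), at=59))
    print("correct PIN, stale code:", gate.unlock("482913", totp(key, 59), at=200))
```

The usage at the bottom shows a code generated for one time step being accepted within the window and rejected once it is stale; the `VaultSecondFactor` lockout means that after the configured number of wrong PIN or code attempts even the correct pair is refused until the vault is reset.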
Operational Security
Run Integrity Checks Regularly
Make it a habit to run a full integrity check periodically:
- Weekly for critical business vaults
- Monthly for personal vaults
- After any incident — power failure, crash, cloud sync error
- Before creating backups — verify integrity first
The automatic missing-files check runs every time you open a vault, but the full integrity check should be triggered manually.
Keep Cloud Sync Clients Running
Vault locations that use cloud sync (Dropbox, Google Drive, OneDrive) depend on the cloud provider's desktop client being active. If the sync client is paused or not running:
- Changes won't replicate to that location
- The location appears as "offline" in the vault inspector
- Self-healing can't repair that location until sync resumes
Tip
After making changes to a vault, verify that all locations show as online in the inspector. If a location is offline, check that the cloud sync client is running and the folder is accessible.
Don't Modify Encrypted Files Manually
Never manually move, rename, copy, or delete files inside the .necron vault directories. The integrity system uses cryptographic bindings between filenames, headers, and content — manual file operations will trigger tampering detection.
If you need to reorganize vault data, use the Vault Browser inside the app.
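To show what a cryptographic binding between filename, header and content catches, here is an added example that is not Necron's code and makes no claim about its actual on-disk format. It assumes a keyed HMAC-SHA256 tag computed over the length-framed vault-relative name, header and ciphertext, stored alongside each entry; the key, headers and ciphertexts are constructed placeholders. Renaming, copying or swapping files changes the name or content under the tag, so the scan reports them as tampered even though the bytes themselves are still valid ciphertext.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple


def _framed(*parts: bytes) -> bytes:
    """Length-prefix each part so name/header/content boundaries are unambiguous."""
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)


def bind(key: bytes, name: str, header: bytes, ciphertext: bytes) -> bytes:
    """Tag committing to the file's vault-relative name, its header and its content."""
    msg = _framed(name.encode("utf-8"), header, ciphertext)
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, name: str, header: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(bind(key, name, header, ciphertext), tag)


# An entry is (header, ciphertext, tag); the vault directory maps name -> entry.
Entry = Tuple[bytes, bytes, bytes]


def write_entry(key: bytes, vault: Dict[str, Entry], name: str,
                header: bytes, ciphertext: bytes) -> None:
    """The app's write path: only here is a fresh tag computed for a name."""
    vault[name] = (header, ciphertext, bind(key, name, header, ciphertext))


def scan(key: bytes, vault: Dict[str, Entry]) -> List[str]:
    """Full integrity check: names whose binding no longer verifies."""
    return [name for name, (hdr, ct, tag) in vault.items()
            if not verify(key, name, hdr, ct, tag)]


def build_sample_entries(key: bytes) -> Dict[str, Entry]:
    """Constructed sample vault; headers and ciphertexts are placeholders."""
    vault: Dict[str, Entry] = {}
    write_entry(key, vault, "docs/contract.bin", b"NV1\x00" + b"\x11" * 12, b"\xaa" * 48)
    write_entry(key, vault, "docs/ledger.bin", b"NV1\x00" + b"\x22" * 12, b"\xbb" * 48)
    return vault


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed integrity key").digest()
    vault = build_sample_entries(key)
    print("clean scan:", scan(key, vault))
    # A manual rename outside the app: same bytes, different name -> binding fails.
    vault["docs/contract-old.bin"] = vault.pop("docs/contract.bin")
    print("after manual rename:", scan(key, vault))
```

Because the name is part of the tagged message, an attacker (or a well-meaning user) cannot substitute one valid encrypted file for another, and a stray byte flip in either header or content is caught by the same check.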
Keep the App Updated
Always use the latest version of Necron Vault Manager. Updates may include:
- Security patches for cryptographic libraries
- Improvements to integrity checking and self-healing
- New encryption features and format updates
- Bug fixes that affect data reliability
Physical Security
Secure Your Dongle
Treat your Necron dongle like a physical key to a safe:
- Don't leave it plugged into an unattended computer
- Remove the dongle when not actively using the app
- Store backups in a physically secure location
- Consider using the optional vault PIN to protect against brief physical access
Secure Your Computer
Necron Vault Manager encrypts data at rest, but plaintext exists in memory while the app is running, and any file you decrypt is on disk in the clear until you delete it:
- Use full-disk encryption (BitLocker, FileVault) on your computer
- Lock your computer when stepping away
- Use strong Windows account passwords
- Keep your operating system updated with security patches
- Use reputable antivirus/anti-malware software
Data Recovery Planning
Know Your Recovery Options
| Scenario | Recovery Path |
|---|---|
| Primary dongle lost/broken | Use a backup dongle |
| Single location corrupted | Self-healing restores from other locations |
| Cloud provider outage | Local copy remains accessible |
| Computer replacement | Connect dongle to new computer + reinstall app |
| Software key lost (Free tier) | No recovery — data is permanently inaccessible |
Test Your Backups
Periodically verify that your backup dongles actually work:
- Connect a backup dongle
- Open a vault
- Decrypt a test file
- Confirm the decrypted content is correct
Don't wait for an emergency to discover a backup dongle is faulty.
Document Your Setup
Keep a record (stored securely, not on the computer) of:
- Which vaults exist and what they contain
- Which storage locations are configured for each vault
- Where backup dongles are stored
- Your vault PINs and TOTP recovery codes (if 2FA is enabled), kept apart from the backup dongles themselves so that whoever obtains a dongle does not also obtain the second factor
Summary: Security Tier Recommendations
| Use Case | Recommended Tier | Key Practices |
|---|---|---|
| Casual / testing | Free | Keep decrypted backups of important files |
| Personal documents | Pro (1 dongle) | 2+ locations, one backup dongle |
| Business data | Pro (2+ dongles) | 3+ locations, multiple backups, vault 2FA, regular integrity checks |
| Highly sensitive data | Pro (3+ dongles) | 3+ diverse locations, vault 2FA, weekly integrity checks, off-site backups |
Further Reading
- Security Overview — understand the threat model
- Free vs. Pro Tiers — how the two tiers differ
- Vault Integrity Check — how to verify vault health
- Backup Dongles — creating and managing backups