Security Overview
Necron Vault Manager is designed to protect your files so that only you (with your dongle or software key) can access them. This page explains what protections are in place and what the system is designed to defend against.
How Your Files Are Protected
Strong Authenticated Encryption
All file content is encrypted using XChaCha20-Poly1305, a modern industry-standard encryption algorithm. This provides two guarantees in one:
- Confidentiality — your files are unreadable without the correct key
- Tamper detection — any modification to an encrypted file (accidental or intentional) is detected and rejected during decryption
There is no way to produce a "partial" or "garbled" decryption — the output is either the original file or an error.
Encrypted Filenames
When files are stored in a vault, the original filenames are also encrypted. Cloud providers and anyone who accesses the storage folder see only random-looking filenames — they cannot determine what your files are named or what they contain.
Hardware-Anchored Keys
For Pro tier users, your encryption key lives on a physical USB dongle — not on your computer's hard drive, not on a cloud server. This means:
- Your key cannot be remotely stolen
- If your computer is stolen, the attacker can't decrypt your files without the dongle
- You can store the dongle in a safe when not in use
Software Key Protection (Free Tier)
For Free tier users, the software key is stored on your computer but protected with envelope encryption bound to your Windows user account. This means:
- Copying the key file to another computer or user account makes it useless
- The key file is encrypted on disk and cannot be read directly
- Tampering with the key file is detected
Warning
Software keys (Free tier) offer convenience but do not provide the same level of security as hardware dongle keys. For sensitive data, a Pro tier hardware dongle is strongly recommended.
Zero-Knowledge Architecture
Necron Vault Manager follows a zero-knowledge design:
- Cloud providers never have access to your encryption keys or file contents — they only store encrypted data with random filenames
- Necron's servers handle account and subscription management only — they never see your keys or your files
- Only your dongle (or software key) can decrypt your data
What Necron Protects Against
| Threat | How You're Protected |
|---|---|
| Someone reads your files on the cloud | All content is encrypted — cloud providers see only encrypted data |
| Your computer is stolen | Files are useless without the dongle; software keys are bound to your Windows account |
| Files are tampered with | Authenticated encryption detects any modification |
| Someone analyzes your filenames | Vault filenames are encrypted — on-disk names reveal nothing |
| Encrypted files are swapped or renamed | Cryptographic bindings detect file manipulation |
| Cloud sync errors corrupt files | Integrity check detects corruption; self-healing repairs from other locations |
What Necron Does NOT Protect Against
No security system is perfect. These are the known limitations:
| Threat | Why It's Not Covered |
|---|---|
| Someone has your dongle AND your PIN | Physical possession of the dongle grants decryption access |
| Malware on your computer while the app is running | Active malware could potentially read data from the running application |
| You lose all copies of your dongle | Without the key material, encrypted data is permanently inaccessible — there is no recovery |
Note
These limitations are inherent to any client-side encryption system. The hardware dongle model still significantly raises the bar compared to password-only solutions, because an attacker must have physical access to the dongle while it is connected.
Defense in Depth
Necron Vault Manager uses multiple layers of protection:
- Hardware key isolation — your key material lives on a removable USB device, not your computer
- Authenticated encryption — every file is both encrypted and tamper-protected
- Encrypted filenames — metadata doesn't leak through filenames
- Multi-location redundancy — self-healing repairs damage from any single storage location
- Optional vault 2FA — add a PIN and authenticator code for extra protection on sensitive vaults
Further Reading
- Best Practices — recommended security practices
- Free vs. Pro Tiers — security differences between tiers
- Vault Integrity Check — how file verification works