Creating a Vault
A vault is a secure, encrypted container for your files. Necron Vault Manager lets you create multiple vaults, each with its own storage locations, optional two-factor authentication, and independent encryption state. This guide walks you through the vault creation process.
Prerequisites
Before creating a vault, make sure you have:
- A MASTER dongle connected (either a physical USB dongle for Pro users, or an active software key for Free users)
- At least one folder available where encrypted files will be stored
Note
Only MASTER dongles can create vaults. If you have a SLAVE (read-only) dongle connected, the "Create Vault" button will instead show "Import Vault" — see SLAVE Vault Import & Restore for that workflow.
Create Vault Wizard
To start the wizard, click the Create / Import Vault button in the left sidebar. The wizard walks you through three steps:
Step 1 — Choose a Vault Name
Enter a human-readable name for your vault. This name is stored securely on your dongle and is visible only when the dongle is connected. Storage providers never see this name.
Choose something descriptive — for example, "Work Documents", "Tax Records 2025", or "Family Photos".
Step 2 — Select Storage Locations
Select at least one folder where the vault's encrypted files will be saved. You can add multiple locations for redundancy and self-healing.
The wizard offers four provider buttons:
| Provider | Description |
|---|---|
| Local | Any local folder, including external/removable USB drives |
| Dropbox | A folder inside your Dropbox sync directory |
| Google Drive | A folder inside your Google Drive sync directory |
| OneDrive | A folder inside your OneDrive sync directory |
Tip
For maximum protection, add locations across different providers. For example, one Local folder and one Google Drive folder. If one location is damaged or offline, the vault can self-heal from the other. See Vault Integrity Check for details.
Each selection opens a standard folder picker. Chosen locations appear as rows in the wizard, showing the provider type and folder path. The first location you add becomes the primary (priority 0) — this is where the app reads from first for performance.
Warning
Do not select a folder that is already inside another vault's storage location. Necron Vault Manager will detect nested vault locators and reject them to prevent conflicts.
Step 3 (Optional) — Enable Two-Factor Authentication
You can optionally protect the vault with 2FA using a TOTP authenticator app (such as Google Authenticator, Authy, or 1Password).
If you enable 2FA:
- Set a numeric PIN (minimum 6 digits) — this is required every time you open the vault
- Scan the QR code with your authenticator app
- Enter the 6-digit code from your authenticator to confirm enrollment
Once enabled, opening this vault requires both your dongle (something you have) and your PIN + TOTP code (something you know).
Note
2FA can be added or removed later from the vault inspector panel. See Settings & Preferences for more on vault-level security options.
What Happens During Creation
When you click Create, the following occurs:
- A unique vault identifier is generated
- The vault configuration (name, locations, 2FA flags) is saved to your dongle
- The configuration is sealed with a tamper-detection tag to prevent unauthorized changes
- For each storage location, the vault's folder structure is created on disk
- An encrypted configuration snapshot is written to each location — this enables SLAVE dongle import later
On-Disk Layout
The vault uses an obfuscated storage format. All filenames on disk are derived from random IDs, not your original filenames. Anyone who accesses the storage folder (including cloud providers) sees only random-named files with no meaningful structure.
The vault folder contains three main areas:
- Encrypted metadata — small encrypted records used to render the vault browser (folder and file names, structure)
- Encrypted content — the actual encrypted file data
- System data — vault snapshots, authentication data, and integrity indices
Tip
The vault browser reads only the metadata area — the encrypted file content (which may be very large) is never scanned for UI rendering, keeping the browser fast and responsive.
Vault Limits
| Feature | Free Tier | Pro Tier |
|---|---|---|
| Number of vaults | Unlimited | Unlimited |
| Locations per vault | Unlimited | Unlimited |
| 2FA (PIN + TOTP) | ✓ | ✓ |
| Vault integrity check | ✓ | ✓ |
| Self-healing across locations | ✓ | ✓ |
Next Steps
- Adding Locations — add more storage mirrors to an existing vault
- Vault Browser — navigate and manage files inside your vault
- Importing Files to a Vault — encrypt files into the vault