Vault Metadata
Vault metadata in Necron Vault Manager is split between two locations: the dongle (authoritative configuration) and the storage locations (encrypted files and snapshots). This separation is a deliberate security design — critical configuration lives on hardware you physically control, while storage locations only contain encrypted data that is useless without the dongle.
Dongle-Side Metadata
The dongle stores the authoritative record of all your vault configuration:
- Vault list — which vaults exist, their names, and version numbers
- Storage locations — where each vault's encrypted files are stored (local folders, cloud sync directories)
- Security settings — whether each vault requires PIN or two-factor authentication
- Key usage tracking — how much of your dongle's key material has been used
This configuration is cryptographically protected against tampering. The app verifies its integrity every time it reads the vault configuration.
Note
The vault configuration on the dongle is tamper-protected. Any modification — changed vault names, altered storage paths, or disabled security flags — is detected and rejected.
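The page does not document how the configuration is protected. As an added example (not Necron Vault Manager's own code), the sketch below assumes an HMAC-SHA256 tag computed with a dongle-held key and checks it on every read, so the three modifications named in the note fail verification. `DONGLE_KEY`, the field names and the sample values are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed stand-in for a secret that never leaves the dongle (assumption).
DONGLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def canonical(config: dict) -> bytes:
    """Serialize deterministically so equal configs always yield equal bytes."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(config: dict, key: bytes = DONGLE_KEY) -> dict:
    """Attach an HMAC-SHA256 tag covering every field of the configuration."""
    tag = hmac.new(key, canonical(config), hashlib.sha256).hexdigest()
    return {"config": config, "tag": tag}


def verify(record: dict, key: bytes = DONGLE_KEY) -> bool:
    """Recompute the tag and compare it in constant time."""
    expected = hmac.new(key, canonical(record["config"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(record.get("tag", "")))


def read_config(record: dict, key: bytes = DONGLE_KEY) -> dict:
    """Refuse to use a configuration whose tag does not verify."""
    if not verify(record, key):
        raise ValueError("vault configuration failed integrity check")
    return record["config"]


# Constructed sample configuration mirroring the fields listed above.
SAMPLE = {
    "vaults": [{
        "name": "Finance",
        "version": 3,
        "storage_locations": ["/home/user/CloudSync/vault-a"],
        "require_pin": True,
        "require_2fa": True,
    }],
    "key_usage_bytes": 4096,
}

if __name__ == "__main__":
    sealed = seal(SAMPLE)
    print("untampered:", verify(sealed))
    edits = [("name", "Other"), ("storage_locations", ["/tmp/x"]), ("require_2fa", False)]
    for field, value in edits:
        tampered = copy.deepcopy(sealed)
        tampered["config"]["vaults"][0][field] = value
        print(f"{field} modified:", verify(tampered))
```

A tag of this kind does not by itself detect replay of an older configuration that was validly tagged at the time; that requires a monotonic counter or similar, which this sketch leaves out.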
Storage-Side Data
Each vault storage location (the folders where your encrypted files live) contains:
- Encrypted folder/file structure — metadata that defines which files and folders exist in the vault
- Encrypted file content — the actual encrypted data
- Vault configuration snapshot — an encrypted copy of the vault configuration, used for recovery with backup dongles
All of this data is encrypted and cannot be read without the dongle.
What's Stored Where
| Data | Location | Purpose |
|---|---|---|
| Vault names and settings | Dongle | Authoritative vault configuration |
| Storage locations | Dongle | Where encrypted files are stored |
| Folder/file structure | Storage locations | Allows the vault browser to show your files |
| Encrypted file content | Storage locations | Your actual files, encrypted |
| Configuration snapshot | Storage locations | Enables vault recovery with backup dongles |
The Dongle Is the Root of Trust
The vault's authoritative configuration lives on the dongle. Without the dongle (or a backup dongle), you cannot:
- Know which vaults exist or their names
- Know where encrypted files are stored
- Decrypt any files or view the vault structure
- Modify vault configuration
This means someone who copies the encrypted storage folders cannot do anything with them without the dongle.
What Cloud Providers See
Storage locations contain only encrypted data with random filenames. A cloud provider examining your sync folder sees an opaque directory with uninterpretable contents — no meaningful folder structure, filenames, or file metadata.
Metadata Recovery
The vault configuration snapshot stored at each storage location acts as a safety net:
- If your primary dongle fails, a backup dongle can import vault configurations from any storage location
- Snapshots are refreshed automatically on every configuration change
- Multiple locations each have their own snapshot copy
Warning
If you lose both your primary dongle and all backup dongles, vault data becomes permanently inaccessible — even though the encrypted files still exist at their storage locations. Always maintain at least one backup dongle.
Next Steps
- Creating a Vault — understand the creation process
- SLAVE Vault Import & Restore — recover vaults with a backup dongle
- Security Overview — how your data is protected