Vault Security Best Practices

Choose a Strong Passphrase

Your vault passphrase is the single key to all your encrypted files. Use a long, unique passphrase — ideally 4+ random words (e.g. "correct horse battery staple") or a 16+ character password generated by a password manager. Never reuse a password you've used elsewhere.

Store Your Passphrase Safely

Use a password manager (1Password, Bitwarden, KeePass) to store your vault passphrase. If you forget it, your files are permanently inaccessible. We cannot help you recover them — this is by design.

Enable the Dead Man's Switch

If you store sensitive files, consider enabling the dead man's switch with a reasonable inactivity period (30–90 days). This ensures your files are either destroyed or shared with a trusted contact if something happens to you.

Use Geo-Destruction Rules When Travelling

If you operate in sensitive environments, configure geo-destruction rules with the countries you expect to access your vault from. Use the "Lock" action rather than "Destroy" if you travel frequently — you can always regain access from an approved country.

Set Expiry Dates on Temporary Files

Don't leave sensitive files in your vault indefinitely. If a file is only needed temporarily, set an expiry date when uploading. This reduces your exposure if your passphrase is ever compromised.

Share Passphrase Separately

When sharing files via share links, never send the vault passphrase in the same channel as the link. Use a different communication method — text message, phone call, or in person. The share link gives access to the encrypted blob; the passphrase is what decrypts it.

Use Password-Protected Share Links

Add a password to your share links for an extra layer of protection. Even if someone intercepts the share URL, they'll need both the share password (to access the download) and your vault passphrase (to decrypt the file).