> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/drive-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/drive-support/staying-safe/create-a-new-vault.md).

# Operational security tips

Oten Drive's cryptography is strong. In practice, the weak points are habits and surroundings — not the math. These tips help your behavior match your threat model.

### Keys & recovery <a href="#keys--recovery" id="keys--recovery"></a>

* **Store recovery keys off the device.** Keep your User Recovery Key and each Vault Recovery Key in a password manager on separate hardware, or a physical safe. A recovery key sitting on the device it protects is both a loss risk and, for a vault with Shadow Layers, a hint.
* **Use strong, unique vault passwords.** Vault and layer passwords are cryptographic. Don't reuse them across layers or with other services.
* **Keep a private record of which password opens which layer** — ideally memorized. Never label layers "real"/"fake" anywhere.

### Devices <a href="#devices" id="devices"></a>

* **Lock when you step away.** Auto-Lock seals vaults on crash or exit, but an explicit lock is deliberate and immediate.
* **Set up Panic before you need it.** Decide what it wipes/hides, and practice triggering it. Consider Ghost Exit for the "just make it disappear" case.
* **Keep the OS and app updated.** On macOS, install Sparkle updates promptly.
* **Mind screens and shoulders.** File names and previews are plaintext on screen even though they're encrypted at rest.

### Deniability discipline <a href="#deniability-discipline" id="deniability-discipline"></a>

* **Make decoys believable.** A decoy layer should look lived-in — real, harmless files you actually touch.
* **Don't cross-link layers.** Avoid file names, shares, or references that reveal another layer exists.
* **Be consistent under pressure.** The system reveals nothing; your reactions can. See [What Shadow Layers do not protect against](/drive-support/security-model/create-a-new-vault-2.md).

### Sharing <a href="#sharing" id="sharing"></a>

* **Set expirations** and **send share passwords over a separate channel.**
* **Review and revoke** shares periodically; clear expired ones.
* **Think about scope** — a vault share exposes everything in that layer.

> Security is a routine, not a one-time setup. Revisit these as your situation changes.
