Security Best Practices

Follow these guidelines to maximize the security of your encrypted data.

Use Keyfiles Instead of Passwords

Keyfiles are more secure than passwords because they:

  • Are longer and more random than typical passwords
  • Don't require typing (reducing risk of keyloggers)
  • Can be stored securely using your OS keychain
# Generate a secure keyfile
openssl rand -out ~/.keys/master.key 32

# Store it securely (use OS keychain or encrypted storage)
# Then use it for encryption
nokvault encrypt file.txt --keyfile ~/.keys/master.key

Secure Keyfile Storage

Protect your keyfiles:

  • Store keyfiles in a secure location (not in the same directory as encrypted files)
  • Use file system permissions: chmod 600 ~/.keys/master.key
  • Consider encrypting keyfiles themselves
  • Back up keyfiles securely (encrypted backup, separate location)
  • Never commit keyfiles to version control

Rotate Keys Periodically

Regularly rotate encryption keys, especially if:

  • A key might have been compromised
  • Someone with access to the key no longer needs it
  • Following a security incident
  • As part of regular security maintenance
# Rotate key without re-encrypting data
nokvault rotate-key file.nokvault \
  --old-keyfile ~/.keys/old.key \
  --new-keyfile ~/.keys/new.key

Use Secure Deletion

When deleting sensitive unencrypted files, use secure deletion: 

# Securely delete sensitive files
nokvault secure-delete sensitive-file.txt --passes 7

# This overwrites the file multiple times before deletion

Regular file deletion only removes file system references; the data remains on disk until overwritten.

Version Control Best Practices

Never commit sensitive data to version control:

  • Add *.key, *.pem, and keyfile patterns to .gitignore
  • Never commit passwords or keyfiles
  • Use environment variables or secure secret management for CI/CD
  • Consider encrypting entire repositories if they contain sensitive data
# .gitignore
*.key
*.pem
*.nokvault
.env
secrets/

Automation Security

When automating encryption tasks:

  • Use environment variables instead of hardcoded passwords
  • Restrict environment variable access
  • Use keyfiles with restricted permissions
  • Log operations without logging sensitive data
# Use environment variables (not hardcoded passwords)
export NOKVAULT_PASSWORD="secure-password"
nokvault encrypt file.txt --no-prompt
unset NOKVAULT_PASSWORD

# Or use keyfiles
nokvault encrypt file.txt --keyfile ~/.keys/automation.key --no-prompt

Backup Strategy

Implement a secure backup strategy:

  • Back up encrypted files regularly
  • Store keyfiles separately from encrypted data
  • Use multiple backup locations
  • Test restoration procedures
  • Consider encrypting backups themselves

Keep Software Updated

Security vulnerabilities are discovered and patched regularly:

  • Update Nokvault to the latest version
  • Subscribe to security advisories
  • Review changelogs for security fixes
  • Update dependencies regularly

Access Control

Limit access to encrypted files and keyfiles:

  • Use appropriate file system permissions
  • Limit who has access to keyfiles
  • Use separate keyfiles for different projects or users
  • Audit access logs if available