Securing your secrets
Your vaults, whether stored in iCloud or locally on your device, are always encrypted with a 256-bit key. That vault key is itself encrypted by your device keys, and how those device keys are protected can differ from device to device.
There's a video about this feature on our YouTube channel.
Secrets leverages the features of Apple's keychain and allows for various combinations of authentication options, namely:
- Passcode only
- Biometry only (Face ID or Touch ID)
- Passphrase only
- Passcode or Biometry
- Passcode and Biometry
- Passphrase or Biometry
- Passphrase and Biometry
- Passphrase or Watch
- Passphrase or Biometry or Watch
The availability of these options depends on the device's capabilities and on support from the operating system. For example, unlocking with an Apple Watch is only available on macOS.
Because each of your devices can use a different authentication option, you can pick the one that best fits that device. For example, on your home computer you might authenticate with just Touch ID, but use a Passphrase and Face ID on your phone, since a phone is far more likely to be lost or stolen.
You can also change how long Secrets remains unlocked after being inactive by adjusting the "Lock Automatically" setting in the application's security settings.
Recovery keys
Last but not least, you should make sure you have a recovery key created in case you're unable to unlock Secrets. This could happen for a number of reasons: you might forget your passphrase, your Touch ID sensor may malfunction, etc. Also, note that device keys never leave your device, so using a recovery key is your only option when restoring your data from a backup.
You can create a recovery key in the "Security" section of the application's settings. When creating a recovery key you should be ready to print it on paper and store it somewhere safe.
However, if you're using iCloud to sync your data, the preferred way is to create a "Paper Device". A paper device doubles as a recovery key and is automatically synced to all your trusted devices. While a recovery key is specific to the device where it was created, a paper device can be used as a recovery key on all the trusted devices. If you restore a backup for any of your devices, the same paper device will work for all of them.
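The Swift below is an added example written for this page to make the key hierarchy concrete; it is not Secrets' own code and does not claim to match its implementation. It ties together the authentication options listed above and the recovery-key section: a vault key wrapped under per-device keys that are guarded by keychain access control, a separate key derived from the passphrase, and a recovery key as one more way to unwrap the same vault key. Everything beyond "a 256-bit key" is an assumption made here: mapping the listed options onto SecAccessControl flags, modelling "or" as independent wraps and "and" as nested wraps, PBKDF2-HMAC-SHA256 for the passphrase, AES-256-GCM for wrapping, and the keychain service name. It targets macOS 10.15 / iOS 13 or later.

```swift
import Foundation
import Security
import CryptoKit
import CommonCrypto

enum VaultError: Error { case unsupportedOnThisOS, accessControl(CFError), keychain(OSStatus), kdf(Int32), noSlot }
func keyBytes(_ k: SymmetricKey) -> Data { k.withUnsafeBytes { Data($0) } }
/// Keychain-enforced unlock paths. The passphrase is modelled separately below as a derived key (assumption).
enum DevicePolicy {
    case passcodeOnly, biometryOnly, passcodeOrBiometry, passcodeAndBiometry, watch
    var flags: SecAccessControlCreateFlags? {          // nil: this OS cannot express the policy
        switch self {
        case .passcodeOnly:        return [.devicePasscode]
        case .biometryOnly:        return [.biometryCurrentSet]   // re-enrolling a face/finger invalidates the key
        case .passcodeOrBiometry:  return [.devicePasscode, .biometryCurrentSet, .or]
        case .passcodeAndBiometry: return [.devicePasscode, .biometryCurrentSet, .and]
        case .watch:                                   // Watch unlock exists only on macOS (10.15+)
            #if os(macOS)
            return [.watch]
            #else
            return nil
            #endif
        }
    }
}

/// Create a random 256-bit device KEK and keep it in the keychain under `policy`. A ...ThisDeviceOnly
/// item never migrates to another device through a backup: that is why a restore needs a recovery key.
func createDeviceKEK(policy: DevicePolicy, account: String) throws -> SymmetricKey {
    guard let flags = policy.flags else { throw VaultError.unsupportedOnThisOS }
    var err: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, flags, &err)
    else { throw VaultError.accessControl(err!.takeRetainedValue()) }
    let kek = SymmetricKey(size: .bits256)
    var item: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "example.vault.device-kek",   // assumed service name
        kSecAttrAccount as String: account,
        kSecAttrAccessControl as String: acl,
        kSecValueData as String: keyBytes(kek),
    ]
    #if os(macOS)
    item[kSecUseDataProtectionKeychain as String] = true   // ACL items need the data-protection keychain on macOS
    #endif
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw VaultError.keychain(status) }
    return kek   // later SecItemCopyMatching reads trigger the passcode / biometry / Watch prompt
}

/// Passphrase KEK via PBKDF2-HMAC-SHA256 (assumed KDF; Secrets does not document its own).
func passphraseKEK(_ passphrase: String, salt: Data, rounds: UInt32 = 600_000) throws -> SymmetricKey {
    var out = [UInt8](repeating: 0, count: 32)
    let status = salt.withUnsafeBytes { saltPtr -> Int32 in
        CCKeyDerivationPBKDF(CCPBKDFAlgorithm(kCCPBKDF2), passphrase, passphrase.utf8.count,
                             saltPtr.baseAddress?.assumingMemoryBound(to: UInt8.self), salt.count,
                             CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256), rounds, &out, out.count)
    }
    guard status == Int32(kCCSuccess) else { throw VaultError.kdf(status) }
    return SymmetricKey(data: out)
}
/// Key wrapping with AES-256-GCM (assumed cipher; the page only says "256-bit key").
func wrapData(_ plaintext: Data, under kek: SymmetricKey) throws -> Data { try AES.GCM.seal(plaintext, using: kek).combined! }
func unwrapData(_ blob: Data, under kek: SymmetricKey) throws -> Data { try AES.GCM.open(AES.GCM.SealedBox(combined: blob), using: kek) }

/// One vault key, several slots. "Or" = independent wraps, any single KEK unlocks; "and" = nested wraps,
/// both KEKs needed. A recovery key is one more "or" slot whose KEK is printed instead of kept on the device.
struct VaultKeyring {
    private(set) var slots: [String: Data] = [:]
    mutating func addSlot(_ name: String, vaultKey: SymmetricKey, under kek: SymmetricKey) throws {
        slots[name] = try wrapData(keyBytes(vaultKey), under: kek)
    }
    mutating func addSlot(_ name: String, vaultKey: SymmetricKey, under inner: SymmetricKey, and outer: SymmetricKey) throws {
        slots[name] = try wrapData(wrapData(keyBytes(vaultKey), under: inner), under: outer)
    }
    /// Pass the KEKs in the order given to addSlot; outer wraps are peeled first.
    func unlock(_ name: String, with keks: SymmetricKey...) throws -> SymmetricKey {
        guard var data = slots[name] else { throw VaultError.noSlot }
        for kek in keks.reversed() { data = try unwrapData(data, under: kek) }
        return SymmetricKey(data: data)
    }
}

func demo() throws {
    let vaultKey = SymmetricKey(size: .bits256)
    var ring = VaultKeyring()
    let salt = Data((0..<16).map { _ in UInt8.random(in: 0...255) })
    let phraseKEK = try passphraseKEK("correct horse battery staple", salt: salt)   // constructed sample passphrase
    let deviceKEK = try createDeviceKEK(policy: .biometryOnly, account: "vault-1")
    try ring.addSlot("passphrase", vaultKey: vaultKey, under: phraseKEK)             // "Passphrase or Biometry":
    try ring.addSlot("biometry", vaultKey: vaultKey, under: deviceKEK)               //   two independent slots
    try ring.addSlot("both", vaultKey: vaultKey, under: phraseKEK, and: deviceKEK)   // "Passphrase and Biometry"
    let recoveryKEK = SymmetricKey(size: .bits256)                                   // recovery key: print, never store
    try ring.addSlot("recovery", vaultKey: vaultKey, under: recoveryKEK)
    print("Recovery key:", keyBytes(recoveryKEK).map { String(format: "%02x", $0) }.joined())
    // On a backup restored to another device, "biometry" and "both" are dead (the device KEK never left the
    // original device); "passphrase" and "recovery" still open the vault.
    precondition(try keyBytes(ring.unlock("recovery", with: recoveryKEK)) == keyBytes(vaultKey))
}
```

Because `createDeviceKEK` writes to the data-protection keychain, `demo()` has to run inside a signed app on a device that has a passcode set; the PBKDF2, wrapping and keyring parts run anywhere CryptoKit does. The point to take from the restore scenario is the asymmetry: storing the device key as a `...ThisDeviceOnly` keychain item is what makes "device keys never leave your device" true, and the recovery slot (or a synced paper device filling the same role) is what keeps the vault reachable once that item is gone.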