Frequently Asked Questions

We only use one cookie to keep your user session active once you are logged in. This cookie cannot be used by any third party to track your usage. We do not attempt to read any other information about you, like if you are logged in to Facebook or Google accounts, what websites you visit or the size of your underwear, as others do.

We do not even use analytics software, like Google Analytics, to keep track of our visitors.

We use simple yet proven technology to keep your data so secured that even us cannot decrypt it in any way. Even if our entire database and source code was leaked, no one could do anything with it, because there are no backdoors, master keys or any way to decrypt your data.

We also backup our database to a secure cloud service every night, so even in the unlikely event that our servers were to fail, we could recover the application and all our users data within 24 hours.

Unfortunately, if you lose your certificate file, you also lose all the data that's in your account. The same happens if you forget your certificate's passphrase.

Your data will be lost forever.

The reason is, when you first create your account, a very strong encryption key is created uniquely for you, and it is encrypted using your certificate's public key. When you login, this key is decrypted using your private key, which is only part of your certificate file, and not stored elsewhere.

You lose your certificate, you lose the key to your data. Simple as that.

The information that you provide is mandatory for certificate files. You can provide ANY information you want, it is not validated in any way.

The only information that we keep unique in our database is the email address. We do not store it directly, but we keep an hash of it so that, once you create an account with an email address, no one else can create an account with this email address.

We do not use your personal information, because we do not know your personal information. It is all encrypted using your encryption key, so we have no idea who you are.

Password capture and replay is an inherently insecure way to handle your passwords, because it requires the use of browser extensions that can be compromised in a variety of ways. Using password managers that use such extensions and techniques is OK, but if you truly value your data, just don't use them.

Some other techniques of capture/replay are increasingly blocked by various websites and applications, and when they are detected, are seen as hacking attempts.

Being "The world's most secure", our password manager and digital vault simply cannot offer this type of insecure feature.

Certificate files are extremely secure. But they are only secure if you handle them correctly.

You can generate as many certificate files as you want to access your account. All the certificates you generate have access to read, edit and delete your data. This is why it is important to make sure you always know where these files are kept, and that you back them up in a very safe place.

Keep them in a safe place
It is pretty safe to keep a certificate file in your mobile phone or computer if they require a password or PIN to login. It is less safe to keep them on a USB key that is not password-protected. We do not advise you to keep your certificate files on any public online storage service, like Dropbox or Gmail, that can be hacked pretty easily.

Never copy your certificate files
You should download a certificate file only once and move it to its final destination: the device that you will use to access your account. You should never copy it to other devices. You should GENERATE a new certificate file for every device you plan to use your MySecureVault.ca account. You should also make sure to put the name of the device in the certificate holder's full name field of the certificates you generate. This way, you can identify where you use each certificate file and easily know which one to revoke, renew or delete.

Revoke the certificates you lose
If you lose a USB key that contains one of your certificate files, you should revoke this certificate immediately in your account. To do so, log in using another certificate file that is authorized to access your account, find the certificate you lost in the "Certificates" section, then click the [Revoke] button. If you happen to recover it, you can always re-instate it. If you lost it for good, you can simply delete it from your account.

Renew your certificates before they expire
The certificates we issue are valid for a 1 year period. Make sure you always have a valid certificate file if you want to be able to access your data. If you no longer have a valid certificate in your account, you will no longer be able to access your account and your data will be lost forever.

Your certficate passphrase is what keeps your private key secure. It has to be extremely strong to prevent anyone from gaining access to your data after gaining access to your certificate file, but it has to be easy for you to remember so you don't have to write it down on a piece of paper.

Our requirements of 15 characters is extremely basic. Mixing lowercase and UPPERCASE letters makes our 15 characters strong enough for most people. If you want to make sure it is strong enough for military or state secrets, you should use at leats 20 characters, using lowercase, uppercase, numbers and special characters.

Here is an example of a good passphrase:

When COVID19 is over, I want to visit Paris!

Here is an example of a not so good passphrase:

qwerty123456789

The first passphrase contains, lowercase, uppercase, digits and special characters (spaces, a comma and exclamation mark). The second one is a combination of two well-known character sequences, that are pretty easy to guess in a dictionary attack, and contains only lowercase characters and digits.

When you login to your account, if your browser asks to remind your passphrase, it is better to say no!. It is very bad to have your browser remind your passwords. If someone ever take control of it (physically or remotely), this person would be able to take control of your account.

Keep in mind that your passphrase should:

• Contain different character types: lowercase, uppercase, digits, punctuation
• Be a phrase that you can easily remember, but not an expression you use so frequently that someone could guess it
• Be easy enough for you to remember that you don't need to write it down

Below, you will find a great resource to measure the search space of your passphrase. Even though this tool is well-known and reputable, we recommend that you do NOT type your passphrase in it, but use it as a gauge as to what is an acceptable length and complexity for your passphrase.

It is also a very good read about passwords and passphrases. GRC Password Haystack

There is no limit to the number of accounts one person can register here. This way, you can create your own personal account for the private data that you do not want to share, and another account that you can share with your friends.

You can share an account with other people by registering a new account, then by generating a certificate file for each people that should have access to this account (recommended), or by sharing a single certificate file with other users of this shared account (not recommended).

You should never put information that you do not want to share in a shared account!

The most secure way to transfer the certificate files to other account users is by physical means. A USB cable, a USB key, an external hard drive, a CDROM, and so on. Less secure means are over a Wifi or Bluetooth connection.

The worst way to share a certificate file is by email, because it can be sent over unsecure connections. If this is your only way to share a certificate file, make sure the passphrase is extremely secure, and DO NOT SEND THE PASSPHRASE BY EMAIL. EVER. Not even in a separate email or to another email address.

Choose your device wisely

• Make sure that the device you use to access your account is safe, exempt from any virus, malware or ransomware
• Do not use a public device, like a public computer at an Internet Café or a library, and if you must, check the "This is a public device" checkbox at login, so your session will only last 5 minutes
• When you access your account from a public device, ALWAYS logout once you are done, and clear the browser cache, if possible. Otherwise, remain at the computer until your 5 minutes session expires
• Use a device that only you can access, like your personal computer, your tablet or your smartphone

Choose your network wisely

• Never access your account using a public Wifi network, even if it seems to be secure
• Avoid networks that could be tracking your usage, like your office's. They could potentially decrypt your passphrase or your entries
• Prefer your own internet connection that you know is not compromised or wiretapped
• If you think you may be under surveilance, avoid using mobile networks (LTE / 5G) at all costs. Authorities or criminals can use IMSI catchers to wiretap your mobile connection, and set up a proxy as a "man-in-the-middle" to decrypt your secure https trafic

If possible, use an anonymization network like TOR
TOR, or The Onion Router, is a network whose main purpose is to hide the original IP address and the identity of the user. By using TOR, we do not know what country you're in or what Internet provider you're using. If you are careful enough using TOR, you can remain completely anonymous while using our services.

Most of all, make sure our website's certificate is the good one!
We use HTTP Strict Transport Security to make sure our users are safe from Man-in-the-middle attacks, but some very motivated hackers could circumvent this. Always validate that the certificate's signature of our website is the same as the one you will find in the footer of all our pages.

Never use the same password for multiple accounts
Imagine using the same password for your Gmail, Paypal, Facebook, Twitter and Spotify accounts. All these having your Gmail address as your username. Let's say Spotify is hacked, and your password is now known to hackers. (In fact, they were hacked on 2020-12-11, and email address, passwords and other information were actually leaked). After that, all your other accounts would be compromised.

This is a real-life scenario that would never happen if you have a different password for every online service you use. This is where a password manager such as MySecureVault.ca comes in handy.

In the end, each online service or office account that you use should be protected by a different password.

Length and complexity
Your passwords should always be at least 15 characters long, and should include uppercase, lowercase, numbers and special characters. Avoid at all costs any easy to guess suites, like 12345, qwerty, asdfg, or words from the dictionary and any personal information. These are known attack vectors that can be leveraged to crack your passwords, even if you make a combination that seems to be complex to you.

The ideal password should be randomly generated by a password generator, like the one that we offer you in your account and on our home page.

We only use the latest and most secure cipher suites on our web servers. We are proud to have an A+ rating with Qualys SSL Labs, that you can see for yourself by clicking the link below:

MySecureVault.ca A+

Our server certificate is automatically updated every 3 months or less and is issued by Let's Encrypt, a non-profit certificate authority that provides X.509 certificates for TLS at no charge. In the footer of all the pages on our website, you can find our current SSL certificate information, that you can compare with the certificate provided to your browser to make sure there is no "Man-in-the-middle" decryption taking place.

Certificate file content
The certificate files you use to login in your account includes the following information:

• A serial number, used to select the right row in our database for the authentication process
• An RSA public key, used to encrypt a string that is used in the authentication process, and used to encrypt your data encryption key
• A 4096 bits RSA private key, that is never stored in your account and only contained in your certificate file, used to decrypt the authentication string and to decrypt your data encryption key
• The data you provided while registering (full name, email address, etc...), that we do not validate in any way. It can be anything you want.

Your certificate file is encrypted with a passphrase that can only brute forced, which is why it is important that it is long and hard to guess.

The authentication process

• When you login, you upload your certificate file, along with your certificate passphrase. This information is encrypted over our very secure HTTPS connection, so no one can peek at it.
• Our servers decrypt your certificate file with your passphrase, and read the information it contains. Your passphrase is never stored on our servers, merely kept in memory for the time it takes to authenticate (less than one second).
• While your certificate is read, our login script uses the private key it contains to decrypt a field that was encrypted with your public key upon registration. If the decrypted field matches the info in your certificate, it means the private key and certificate information match, so it confirms that the certificate is authorized and the passphrase provided is the good one.
• The last action performed, once authenticated, is that your private key is used to decrypt your Data Encryption Key (DEK), which is common to all your encrypted data. With this key, you will later be able to decrypt and encrypt your data.

Data Encryption Key (DEK)
Upon registration, a unique Data Encryption Key (DEK) is generated for you. This DEK serves the purpose of encrypting all your data, except the DEK itself that is encrypted by the public key of each of your certificates. This is why each of your certificates have their own "encryptedKey" row in our database. In fact, it is all the same key encrypted with the public key of each certificate in your account.

You can update your DEK using the button in the "Tools" section of your profile page. Updating the DEK will decrypt your data with your old DEK and re-encrypt all your records and data with the new DEK. The new DEK will also be encrypted with the public key of all your certificates.

For your own security, we do not let you see your DEK.

• Data Encryption Key length: 3680 bits (6,17 x 10¹¹⁰⁷ possible values)
• Encryption type: RSA asymmetric encryption
• Padding: Optimal asymmetric encryption padding (OAEP)
• Key used to encrypt your DEK: certificate public key
• Key used to decrypt your DEK: certificate private key (4096 bits)
• PHP function used to encrypt your DEK: openssl_public_encrypt()

Data encryption
Your data is currently encrypted using aes-256-gcm, a cutting-edge cipher suite. For the moment, this it the NSA's current standard for encrypting top-secret information.

The key used to encrypt your data is your Data Encryption Key (DEK). Each record has en Initialization Vector (IV), which consists of 96 random bits for aes-256-gcm, that is a "seed" unique to each record used to scramble data before encrypting it with your DEK. After encrypting a record, there is a tag that validates data integrity. Only the IV, the encrypted data and the tag are stored in our database for each record, and the only way to decrypt it is with your DEK, that must be unlocked with your certificate's private key.

The following information is encrypted using this method in your account:

• Your certificate data (full name, email address, city, country)
• Your PKCS12(.pfx) certificate files
• Your entries (passwords, notes, files metadata)
• Your files content
• Your session data

Unencrypted data
Very few information is stored in cleartext in our database, which makes it extremely private. The only data that is not encrypted, for practical purpose, is the following:

• Your sessions expiration date and time
• The date and time at which you registered your account
• The date and time of the last access to your account

We use this data to cleanup obsolete user accounts and sessions.

This function can be accessed from your main page, under the "My Passwords" section.

Adding a password entry:

1. Click the [Add password] button at the top of the "My passwords" section
2. Fill in at least all the required fields ("Entry name" and "Password" are strictly required to be at least 1 character long)
3. At any time, you can display the password you are typing by clicking the [Show] button, and you can hide it back using the [Hide] button
4. If you type a web address (URL), make sure it has a valid format. It is not required to type the "https://" at the beginning, but it is strongly recommended, otherwise, we automatically add "https://", which may not be the right scheme
5. Once completed, click the [Add] button at the bottom of the "Add password" box

Displaying a password entry:

1. You can search for an entry with the "Search" box at the top of the "My passwords" section. No need to press [Enter], the search runs as you type
2. Find the entry you need to access, then click on the title of the entry to display it
3. You can copy the username or password to your clipboard by clicking the [Copy] button
4. You can display the password by clicking the [Show] button, and you can hide it back using the [Hide] button
5. You can click the web address (URL), if it exists, to follow the link in a new browser tab
6. You can hide back the password entry by clicking the title again

Editing a password entry:

1. You can search for an entry with the "Search" box at the top of the "My passwords" section. No need to press [Enter], the search runs as you type
2. Find the entry you need to edit, then click on the title of the entry to display it
3. Now click on the [Edit] button at the bottom of the entry. This leads you to the password entry edition form
4. You can then edit what needs to be
5. You can display the password by clicking the [Show] button, and you can hide it back using the [Hide] button
6. Once you are done, you can click the [Save] button to save the changes, or the [Cancel] button to cancel the changes

This function can be accessed from your main page, under the "My secret notes" section.

Adding a secret note entry:

1. Click the [Add a note] button at the top of the "My secret notes" section
2. Fill in at least the required field ("Note name" is strictly required to be at least 1 character long). It is not required to type anything in the "Note content" textbox
3. Once completed, click the [Add] button at the bottom of the "Add a note" box

Displaying a note entry:

1. You can search for a note entry with the "Search" box at the top of the "My secret notes" section. No need to press [Enter], the search runs as you type
2. Find the entry you need to access, then click on the title of the entry to display it
3. You can hide back the note entry by clicking the title again

Editing a note entry:

1. You can search for a note entry with the "Search" box at the top of the "My secret notes" section. No need to press [Enter], the search runs as you type
2. Find the entry you need to edit, then click on the title of the entry to display it
3. Now click on the [Edit] button at the bottom of the entry. This leads you to the note entry edition form
4. Once you are done, you can click the [Save] button to save the changes, or the [Cancel] button to cancel the changes

This function can be accessed from your main page, under the "My secret files" section.

Adding a file entry:

1. Click the [Add a file] button at the top of the "My secret files" section
2. Fill in the required field ("Short file description" has to be at least 1 character long, and will be the file entry title once added)
3. Click the [Select a file] button (Or whatever it is called in your browser) to choose a file to upload
4. Once completed, click the [Add] button at the bottom of the "Add a file" box

Displaying and downloading a file:

1. You can search for a file entry with the "Search" box at the top of the "My secret files" section. No need to press [Enter], the search runs as you type
2. Find the entry you need to access, then click on the title of the entry to display it
3. You can click on the "Detail" link to display / hide file details, like the file type, original size, encrypted size, and different file hashes for integrity validation
4. To download the file, click the [Download] button at the bottom of the file entry
5. You can hide back the file entry by clicking the title again

Editing a file entry:

1. You can search for a file entry with the "Search" box at the top of the "My secret files" section. No need to press [Enter], the search runs as you type
2. Find the entry you need to edit, then click on the title of the entry to display it
3. Now click on the [Edit] button at the bottom of the file entry. This leads you to the file entry edition form
4. You can edit the "Entry name" only, and/or upload a new version of the file
5. If you need to upload a new version of the file, click the [Select a file] button (Or whatever it is called in your browser) to choose a file to upload. The old version will be overwritten and you will not be able to recover it
6. Once you are done, you can click the [Save] button to save the changes, or the [Cancel] button to cancel the changes

This is a security feature to prevent Cross-Site Request Forgery (CSRF). You may have been browsing MySecureVault.ca with 2 browser windows opened, or you may have submitted the form incorrectly.

Resolution
Make sure you browse MySecureVault.ca with only one browser window opened. If you need to browse our site with 2 different windows, use 2 different browsers (Like Chrome and Firefox), or use private browsing tabs.