Microsoft today announced that their Personal Vault feature is now available to all OneDrive users around the world, after only being available initially in some regions.

OneDrive Personal Vault is a protected area in OneDrive that can only be accessed with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS. Personal Vault gives you an added layer of protection for your most important files, photos, and videos—for example, copies of documents such as your passport, driver’s license, or insurance information—should someone gain access to your account or device.

Beyond a second layer of identity verification, Personal Vault also includes the following security measures:

  • Scan and shoot—Using the OneDrive app, you can scan documents or shoot photos directly into your Personal Vault, keeping them off less secure areas of your device, like your camera roll.
  • Automatic locking—No need to worry about whether you left your Personal Vault or your files open—both will close and lock automatically after a period of inactivity.
  • BitLocker encryption—On Windows 10 PCs, OneDrive automatically syncs your Personal Vault files to a BitLocker-encrypted area of your local hard drive.
  • Restricted sharing—To prevent accidental sharing, files in Personal Vault and shared items moved into Personal Vault cannot be shared.

Taken together, these security measures help ensure that Personal Vault files are not stored unprotected on your PC, and your files have additional protection, even if your Windows 10 PC or mobile device is lost, stolen, or someone gains access to it or to your account.

While these features are laudable and should improve the security of OneDrive users, the feature should not be relied on to store truly secret files in the cloud.

The files are encrypted by Microsoft, not by the end user: Microsoft holds all the keys, and the data sits on Microsoft’s servers (often in the USA), which means it is available on legal request and potentially exposed to illegal hacking. Hardware tokens are not supported as a second factor, so the SMS code option leaves the system open to increasingly common SIM-swap attacks.

If you want to store truly secret files in the cloud, alternative products such as Boxcryptor offer zero-knowledge encryption software that adds a further layer of security to the cloud provider of your choice through strong end-to-end encryption, with keys that only you hold.

If your secrets are more mundane: on OneDrive’s free or standalone 100 GB plan, you can store up to three files in Personal Vault. Office 365 Personal and Office 365 Home subscribers can store as many files as they want in Personal Vault, up to their storage limit.
