
Security Best Practices

Recommended security practices to maximize protection of your vaults and data.


For All Users

Account Security

1. Use Strong, Unique Passwords

Do:

  • Use a minimum of 16 characters (longer is better)
  • Mix uppercase, lowercase, numbers, and symbols
  • Use a password manager (1Password, Bitwarden, LastPass)
  • Generate random passwords rather than inventing your own
  • Use a unique password for Torvus (never reuse it on another service)

Don't:

  • Use personal information (name, birthday, pet names)
  • Use dictionary words or common phrases
  • Reuse passwords across services
  • Share passwords via email/SMS
  • Write passwords on paper or sticky notes

Example Strong Password:

Good: Kp9$mN2@vL5#qR8&wT3!
Bad: password123, MyDogFluffy2024

2. Enable Multi-Factor Authentication (MFA)

Recommended Methods (in order of security):

  1. Hardware Security Keys (YubiKey, Titan) - Most secure; FIDO2/WebAuthn keys only sign for the real site origin, so a look-alike phishing page gets nothing usable
  2. Authenticator Apps (Google Authenticator, Authy, 1Password) - Secure, works offline (TOTP); a code can still be relayed by a real-time phishing page, which is why keys rank higher
  3. SMS (Text message) - Least secure (SIM swapping) but better than nothing

Don't:

  • Use SMS as only MFA method (vulnerable to SIM swapping)
  • Screenshot backup codes and store in cloud
  • Share MFA codes with anyone (including "support")

3. Secure Your Recovery Codes

 Do:

  • Download backup codes immediately after MFA setup
  • Store in password manager (encrypted)
  • Keep physical copy in safe or safe deposit box
  • Test one backup code to verify they work

Don't:

  • Store backup codes in your vault (circular dependency)
  • Email backup codes to yourself
  • Take screenshot and save to iCloud/Google Photos

Session Security

4. Recognize and Prevent Phishing

 Red Flags:

  • Email asking you to "verify account" or "reset password"
  • Urgent language ("Your account will be deleted in 24 hours!")
  • Suspicious sender address (for example torvussecurity-support@gmail.com)
  • Links to non-Torvus domains
  • Requests for MFA codes or passwords

Legitimate Torvus Communication:

  • Always from an @torvussecurity.com address (check the full address, not the display name; a From header can also be forged, so treat this as a filter, not proof)
  • Links only to app.torvussecurity.com or docs.torvussecurity.com (hover to see the real destination, or type the address yourself instead of clicking)
  • Never asks for passwords or MFA codes
  • Never threatens account deletion

5. Secure Your Devices

 Do:

  • Enable full disk encryption (FileVault on Mac, BitLocker on Windows)
  • Use strong device passcode (not 1234 or 0000)
  • Enable automatic screen lock (5 minutes max)
  • Keep OS and software up-to-date
  • Install reputable antivirus software

Don't:

  • Use public computers to access Torvus
  • Leave devices unlocked in public places
  • Install apps from unknown sources
  • Click links in unsolicited emails

For Vault Owners

Vault Configuration

6. Choose the Right Release Policy

Policy Selection Guide:

| Use Case           | Recommended Policy               | Check-in Frequency |
|--------------------|----------------------------------|--------------------|
| Digital legacy     | Inactivity                       | Monthly            |
| Emergency backup   | Inactivity                       | Weekly             |
| Travel safety      | Inactivity + pause during travel | Daily              |
| Journalism         | Manual + inactivity backup       | Every 3 days       |
| Scheduled delivery | Date-based                       | N/A                |
| Estate planning    | Death certificate                | N/A                |

7. Configure Appropriate Grace Periods

 Grace Period Recommendations:

  • Daily check-ins: 24-48 hour grace period
  • Weekly check-ins: 3-7 day grace period
  • Monthly check-ins: 14-30 day grace period
  • Quarterly check-ins: 30-60 day grace period

8. Add Multiple Recipients

 Why Multiple Recipients:

  • Redundancy (if one email changes)
  • Different roles (lawyer, family, trusted friend)
  • Geographic distribution (natural disasters)

 Recipient Verification:

  • Verify email addresses before adding
  • Confirm recipients received invitation
  • Periodically verify recipient emails still valid

Document Management

9. Organize Documents Logically

 Best Practices:

  • Use descriptive names (passport_scan_2025.pdf not doc1.pdf)
  • Add descriptions to provide context
  • Use tags or folders for categorization
  • Include instructions in a README.txt file

Example Vault Structure:

Legal/
├── Will_2025.pdf
├── Power_of_Attorney.pdf
└── Trust_Documents.pdf

Financial/
├── Bank_Accounts.xlsx
├── Investment_Summary.pdf
└── Tax_Returns_2024.pdf

Access/
├── Password_List_Encrypted.txt
├── Crypto_Recovery_Seeds.pdf
└── Safe_Combination.txt

Instructions/
└── README_FOR_RECIPIENTS.txt

10. Include Instructions for Recipients

 What to Include:

# Instructions for Recipients

## Important Contacts
- Estate Attorney: Jane Smith, 555-1234
- Financial Advisor: Bob Jones, 555-5678
- Accountant: Mary Johnson, 555-9012

## Document Guide
- **Will**: See Legal/Will_2025.pdf for final wishes
- **Bank Accounts**: Financial/Bank_Accounts.xlsx lists all accounts
- **Passwords**: Access/Password_List_Encrypted.txt (password: [stored separately])
- **Crypto**: Access/Crypto_Recovery_Seeds.pdf for cryptocurrency wallets

## Next Steps
1. Contact estate attorney (Jane Smith) immediately
2. Access bank accounts using info in Financial folder
3. Review will and trust documents in Legal folder
4. Contact financial advisor to discuss assets

## Emergency Contacts
- Close Friend: Sarah Williams, 555-4321
- Sibling: Tom Doe, 555-8765

11. Encrypt Sensitive Documents Before Upload

For maximum security, encrypt documents client-side before uploading:

 Encryption Tools:

  • 7-Zip: Free, cross-platform (AES-256 encryption)
  • VeraCrypt: Free, open-source container encryption
  • GPG: Free, command-line encryption
  • macOS: Built-in encrypted disk images

Example (7-Zip):

# Encrypt a file with a password; -mhe=on also encrypts the file names inside the archive
7z a -p -mhe=on sensitive_file.pdf.7z sensitive_file.pdf

# Store the password separately (password manager or physical note), never next to the archive

Check-in Management

12. Set Reminders

 Reminder Strategy:

  • Email reminders 3-7 days before due
  • SMS reminders 24 hours before due
  • Calendar events synced to phone
  • Alarms for critical check-ins

13. Pause Policies During Travel

 When to Pause:

  • International travel (limited internet)
  • Hospital stays
  • Wilderness trips (no cell coverage)
  • Extended vacations

 How to Pause:

  1. Go to Vault → Policy → Pause
  2. Set resume date (travel return date + buffer)
  3. Confirm pause
  4. Verify pause is active before departure

For Administrators

User Management

14. Implement Principle of Least Privilege

 Access Levels:

  • Grant minimum permissions needed for role
  • Use vault-level permissions, not account-level
  • Set expiration dates for temporary access
  • Review permissions quarterly

Permission Matrix Example:

| Role    | Can Create Vaults | Can Delete Vaults | Can Manage Users | Can View Audit Logs |
|---------|-------------------|-------------------|------------------|---------------------|
| Admin   | Yes               | Yes               | Yes              | Yes                 |
| Manager | Yes               | No                | Limited          | Yes                 |
| Member  | Yes               | Own vaults only   | No               | Own vaults only     |
| Guest   | No                | No                | No               | No                  |

15. Regular Access Reviews

 Review Schedule:

  • Monthly: Review new user additions
  • Quarterly: Review all user permissions
  • Annually: Comprehensive access audit
  • Ad-hoc: When employee leaves or changes roles

16. Implement Single Sign-On (SSO)

 Benefits:

  • Centralized user management
  • Automatic deprovisioning when employees leave
  • Compliance with corporate password policies
  • Reduced password fatigue

 Supported SSO Providers:

  • Okta
  • Azure AD / Microsoft Entra ID
  • Google Workspace
  • OneLogin
  • Auth0

Security Monitoring

17. Enable Security Alerts

 Critical Alerts to Enable:

  • Failed login attempts (5+ in 10 minutes)
  • Permission changes
  • Vault release events
  • Bulk document downloads
  • API key usage anomalies

18. Review Audit Logs

 Log Review Schedule:

  • Weekly: Review failed login attempts
  • Monthly: Review permission changes
  • Quarterly: Full audit log review
  • Annually: Compliance audit

 What to Look For:

  • Logins from unusual locations
  • Access at unusual times (3 AM)
  • Multiple failed login attempts
  • Bulk downloads of documents
  • Sudden permission elevations

For Developers

API Security

19. Secure API Key Storage

 Do:

// Load from environment variables
const API_KEY = process.env.TORVUS_API_KEY;

// Or from a secret management service (getSecret is an illustrative wrapper around AWS Secrets Manager)
const API_KEY = await awsSecretsManager.getSecret('torvus-api-key');

// Or from a .env file in development (add .env to .gitignore)
require('dotenv').config();
const API_KEY = process.env.TORVUS_API_KEY;

Don't:

// Hardcode API keys
const API_KEY = 'torvus_live_abc123xyz789';

// Commit them to version control
git add config.js   # config.js contains API keys

// Expose them in client-side code
<script>
  const apiKey = 'torvus_live_abc123xyz789';
</script>

20. Implement Rate Limiting

 Client-Side Rate Limiting:

import Bottleneck from 'bottleneck';

const limiter = new Bottleneck({
  minTime: 100,     // at most 10 requests per second
  maxConcurrent: 5  // at most 5 requests in flight at once
});

// API_KEY is loaded as shown in section 19
const apiCall = limiter.wrap(async (endpoint) => {
  return fetch(`https://api.torvussecurity.com/v1/${endpoint}`, {
    headers: { 'Authorization': `Bearer ${API_KEY}` }
  });
});

21. Handle Errors Gracefully

 Error Handling Best Practices:

const MAX_ATTEMPTS = 3;

async function uploadDocument(vaultId, file, attempt = 1) {
  try {
    return await client.documents.upload(vaultId, file);
  } catch (error) {
    // Bound the retries: an unbounded retry loop turns a revoked key or a
    // persistent rate limit into a hang and a self-inflicted request flood.
    const canRetry = attempt < MAX_ATTEMPTS;
    if (error instanceof RateLimitError && canRetry) {
      // Honor the server's Retry-After before trying again
      await sleep(error.retryAfter * 1000);
      return uploadDocument(vaultId, file, attempt + 1);
    }
    if (error instanceof AuthenticationError && canRetry) {
      // Refresh the credential, then retry; if it still fails, fall through and surface it
      await rotateApiKey();
      return uploadDocument(vaultId, file, attempt + 1);
    }
    // Log the failure with sanitized fields only
    logger.error('Upload failed', {
      vault_id: vaultId,
      error_type: error.constructor.name,
      attempt,
      // Don't log: API keys, file contents, raw request or response bodies
    });
    throw error;
  }
}

22. Validate TLS Certificates

 Certificate Validation:

import requests

# Always verify certificates (the default)
response = requests.get(
    'https://api.torvussecurity.com/v1/vaults',
    headers={'Authorization': f'Bearer {API_KEY}'},
    verify=True,  # default, but explicit is better
)

# Never disable certificate verification in production
response = requests.get(url, verify=False)  # DANGEROUS: any on-path attacker can impersonate the API

Code Security

23. Sanitize User Input

 Input Validation:

import { z } from 'zod';

const VaultSchema = z.object({
  name: z.string().min(1).max(100),
  description: z.string().max(500).optional(),
  policyType: z.enum(['manual', 'inactivity', 'date_based'])
});

// Validate before the API call; parse() throws a ZodError on invalid input
const vaultData = VaultSchema.parse(userInput);
await client.vaults.create(vaultData);

24. Implement Logging and Monitoring

 Secure Logging:

// Good: sanitized logging
logger.info('Vault created', {
  vault_id: response.id,
  user_id: userId,
  timestamp: new Date().toISOString()
});

// Bad: logging sensitive data
logger.info('Vault created', {
  api_key: API_KEY,               // never log credentials
  document_content: fileContent   // never log file contents
});

Security Checklist

Monthly Checklist

  • Review failed login attempts in audit log
  • Verify MFA is enabled and working
  • Check for unusual vault access patterns
  • Review API key usage (if using API)
  • Complete scheduled check-ins on time

Quarterly Checklist

  • Review and update recipient email addresses
  • Test vault recovery process (download backup)
  • Review vault access permissions
  • Rotate API keys (if using API)
  • Review and update vault release policies
  • Verify backup codes are accessible

Annual Checklist

  • Full security audit (review all settings)
  • Update emergency contact information
  • Review and update documents in vaults
  • Test recipient notification process
  • Review compliance requirements (GDPR, CCPA)
  • Change your password if there is any sign it was exposed (breach notification, shared device); a random, unique password does not need rotating on a schedule
  • Test each registered hardware security key and confirm a backup key is still registered and locatable

Security Myths

Myth #1: "I don't need MFA because I have a strong password." False: passwords can be phished, leaked in a breach, or captured by malware, however strong they are. MFA adds a second factor that a stolen password alone does not satisfy.

Myth #2: "SMS MFA is as secure as authenticator apps." False: SMS codes can be intercepted via SIM swapping. Use TOTP apps or, better, hardware keys.

Myth #3: "Public WiFi is safe if the site uses HTTPS." Partially true: HTTPS protects data in transit to a properly validated site, but a hostile network can still inject captive-portal pages, tamper with any non-HTTPS traffic, or serve bad DNS answers. Use a VPN on public networks and never click through a certificate warning.

Myth #4: "Security questions add security." False: the answers (mother's maiden name, first pet) are guessable or findable on social media. If a service forces them on you, answer with random strings stored in your password manager.

Myth #5: "I can store my Torvus password in my Torvus vault." Bad idea: circular dependency. If you forget the password, you can't open the vault to retrieve it.



Last Updated: October 8, 2025