Microsoft’s OneDrive Personal Vault promises extra security for your most sensitive files, but many people misunderstand what it actually does. We explain how OneDrive Personal Vault works, what protections it truly offers, and, just as importantly, what it does not protect, so you can decide whether it’s right for your data security needs.
Files in the Personal Vault are still stored in OneDrive’s cloud, but accessing them requires a second step of identity verification, distinct from just signing into your OneDrive account.
Personal Vault is NOT the fully encrypted online storage that customers have been asking for, to match Apple’s Advanced Data Protection. Files saved on Microsoft’s servers are still accessible by the company or government agencies. Full online encryption saves users’ files with a strong encryption key known only to the customer.
It’s a OneDrive feature worth keeping in mind for especially private documents needed for identity, like birth, marriage or divorce paperwork and passport or driver’s license details.
It’s not separate zero-knowledge cloud encryption where only you hold the keys (like some privacy-first services offer). Microsoft can access your files if they want to or are compelled to, just like standard OneDrive storage.
Personal Vault is not totally private and secure online storage. It’s Microsoft’s half-measure, rather than spending the time and money to add proper cloud security as Apple or Proton have done.
When and who gets it?
Personal Vault is available to all paid OneDrive users, including Microsoft 365 customers with the included 1TB quota or Microsoft 365 Basic.
Free OneDrive accounts also get Personal Vault, limited to just three files, though there’s a way around that limit.
What is Personal Vault?
It’s a reserved storage space within an existing OneDrive quota. Files saved in the Personal Vault space need a second verification before you can access them on a computer or device.
All OneDrive files on a computer or device are protected by whatever security you have on the device: password login, fingerprint or facial identification, plus maybe BitLocker drive protection.
Personal Vault files get all that security PLUS either:
- what Microsoft describes as a ‘strong authentication method’
- another verification like a PIN, a code sent to you via email/SMS or the Microsoft Authenticator app (similar to two-factor authentication). On devices with Windows Hello, use your fingerprint or face.
On Windows 11/10 PCs, Personal Vault files are saved to a BitLocker-encrypted area of the local hard drive.
The idea is that Personal Vault files are more secure on your computer/device even if someone gets the hardware and manages to access the drive.

Any files can be saved to the Personal Vault including pictures, videos and scanned documents via the OneDrive app.
Microsoft 365 customers could put everything (or almost everything) into the Personal Vault, up to the limit of their online storage, though that’s probably too much hassle for most files. Personal Vault seems intended for more important and private documents.

Open Personal Vault
The Personal Vault doesn’t appear in the Windows folder list. Go to the OneDrive app menu and choose “Unlock Personal Vault”.

Timeout protection
Personal Vault files can’t be left open on your device. After a (configurable) period of inactivity, the Personal Vault will be locked again and you’ll need to reauthenticate to gain access.
Open Personal Vault files will be saved and closed automatically if the inactivity time is reached.

OneDrive for Mac?
The Personal Vault doesn’t appear to be supported by OneDrive for Mac on Mac computers.
Use the OneDrive web interface to access the Personal Vault from a Mac.
Apple iPhone and iPad, plus Android, all support Personal Vault via the OneDrive app.