Managing Files

Where are my files actually stored?

Everything in Merlin is stored in a single, strongly encrypted data file, called Merlin.MEDF.  You can make a backup of all your Merlin data simply by copying that file to any device that has enough space to hold it.

How much storage do I get?

The amount of data Merlin can hold is limited only by the size of your device's storage.

Can I back up my Merlin data file?

Yes, simply copy it to any drive or device that has enough space to hold it. The file name is Merlin.MEDF.

How do I import files?

Create a new folder or open an existing folder and tap or click 'Import'. Select the files you want to import into Merlin, and then set the import options. The import options allow you to verify the encryption (not usually necessary), wipe the original files (recommended), and hunt down and destroy all the thumbnails your operating system has made of the originals (also recommended).

You can also drag and drop files directly form Windows onto any folder in Merlin and the same thing will happen.

Once a file is imported into Merlin and wiped from your device, it remains forever encrypted and protected within the Merlin ecosystem, including when you view or edit it, or share it with other Merlin users. 

What happens to the original file on my device when I import it into Merlin?

That's up to you. The factory setting in Merlin is to completely wipe original files from your device once the file has been imported into and encrypted within Merlin. You can turn that off if you like, but that sort of defeats the purpose of using Merlin's secure file manager in the first place.

I imported a file into the wrong Persona. How can I get it into the correct Persona?

Simple. First, export the file from the Persona where it doesn't belong, and then import it to the Persona where you want it. You can leave the file in the original Persona, or delete it.

Why does it take so long to import a file?

It takes a relatively long time to import files because Merlin must do many more things than your operating system does when it just copies a file.

First, Merlin creates a digest of the file called a hash, and if duplicate detection is on, it scans an internal catalog of hashes to see if the file was previously imported. Note for the technically minded: this is actually a 'salted hash' unique to each instance of Merlin, which renders hash-map attacks useless. Additionally, the hashes are themselves are encrypted within the Merlin container.

Next, Merlin encrypts the file, and if verification is turned on, it immediately decrypts it (to memory only) and compares it to the original to verify that the encrypted version is an exact match. Then, if you are placing the file in a package or a special encryption folder, it must encrypt the encrypted version (i.e., double encryption), and then pause to verify that.

Next, if 'Wipe Original' is turned on, it must wipe the original file from your storage system. The default wipe makes three passes over the entire original file with random data, so this takes a bit of time.

Finally, if you have selected 'Destroy Thumbnails' (and you should), Merlin must hunt down and destroy all the different thumbnail sizes your operating system has created of the file. This also takes time.

On a typical mid-range Windows device (such as an ordinary laptop) Merlin does all this at the rate of about two megabytes per second, which is not bad when you consider everything that it's doing. Be patient, privacy is worth the wait.

When I delete files in Merlin, are they completely wiped or do traces remain?

You can move a file to the Merlin Trash, from which it can later be restored, or you can permanently delete it. When you permanently delete a Merlin file, all traces of the content are gone, and all internal Merlin thumbnails are also automatically destroyed. 

What are Operating System Thumbnails?

Most operating systems (including Windows and OSX) automatically make thumbnail images of every file on your hard drive, in sizes up to 1024 by 1024 pixels or even larger, and store them in hidden system files. Often these images remain long after you delete or even wipe the files themselves. This is a significant threat to your privacy. When you import files into Merlin, you can have Merlin hunt down and destroy the operating system thumbnails.

What happens to Operating System Thumbnails when I import a file into Merlin?

If you chose to have Merlin wipe original files from your device as soon as they have been imported into Merlin (which is strongly recommended), Merlin will also wipe the operating system thumbnails of it. That takes additional time, slowing down the import process, especially if you are importing a lot of files, but it's worth the wait.

How does Merlin handle file data and its own thumbnail images?

File content and file thumbnails are NEVER written in an unencrypted form to any kind of permanent storage, even when you open them for viewing or editing. Everything is done in memory only. Merlin creates and encrypts its own thumbnail images of the files you import, keeping them completely separate from the operating system and hence completely secure. When you open a Merlin file folder the files and the thumbnails of them are decrypted on-the-fly to memory, and shown to you in the folder window. When you close that window or close Merlin, the data is removed from memory immediately, and overwritten with random bytes. At no time are either thumbnails or the actual content of files in Merlin ever written in 'plain text' to your disk. 

Can I export a file from Merlin back to my device?

Yes. You can export files from Merlin back to the original locations from which they were imported, or to new locations. You can also export files to a special workspace inside your Merlin container. This allows you to open files using the original applications, edit and save them, and then re-import them as new versions. When you export a file to a regular disk location, Merlin will warn you that the exported version is no longer encrypted, and therefore no longer safe from prying eyes.

How are files protected in Merlin?

The best way to visualize how Merlin protects files (and everything else it manages) is to think of a set of nested boxes. The outermost is your device itself. Files living there are protected only by your operating system's login credentials, which are usually trivial to bypass. And unless you use a file or whole-disk encryption product such as TrueCrypt, the files that live in that outermost box are readable by anyone or anything that bypasses your login credentials, or that runs once you've logged in. That includes virtually any app on your device. These unprotected files are vulnerable to viruses and spyware, identity theft software and all kinds of other mayhem.

The next box is Merlin itself. Everything Merlin manages and stores lives within a single, large encrypted data file (Merlin.MEDF). When you log into Merlin it first asks for your 'Master Password'. That password is converted into a key that unlocks the encrypted data file and 'mounts' it as a disk drive on your device (it chooses the drive assignment automatically).

The next box inward contains your data items, including contacts, emails, files and everything else. Each of these is individually encrypted using the credentials of the Persona to which it belongs. That means that a file, for example, is actually encrypted twice, once in and of itself using the Persona's encryption, and again because it's inside the encrypted data file.

The innermost box is optional. You can create special encryption folders, each with their own separate key and a third layer of encryption. And you can also create special encryption Packages with separate keys that you can share with other people. One type of package is 'self-extracting', allowing you to pack up files, encrypt them and then send them to someone who doesn't have Merlin. Depending on which encryption plug-ins you install, you can also select different encryption algorithms to use when creating a package or a special encryption folder.

Can Merlin find duplicates of files inside Merlin?

Yes. You can select one or many files in a folder and ask Merlin to find duplicates of them by content, by name or by both, no matter what folder the copies are in. Once they are found, you can securely delete them, or merge them into a revision chain. Merlin can also detect duplicates when you import files, checking only the folder into which you are importing them, or checking all folders (except special encryption folders). When Merlin detects that you are importing a duplicate, you can skip it, skip and wipe it, or import it as a copy anyway.

Merlin can also scan your device looking for duplicates of files it already has, and import them as copies or wipe them.

Can Merlin rename a series of files?

Yes. Merlin has a 'Pattern Rename' function that allows you to select a group of files and rename them in a single operation according to any of several different patterns. Renaming can occur with or without letters or numbers to distinguish between same-named files.

Pattern renaming is useful when someone sends you a group of files (pictures, for example) named by their camera, such as img_001.jpg, img_002.jpg, etc., and in a single renaming action you'd like to give the sequence more meaningful names, such as Flowers-1.jpg, Flowers-2.jpg, etc. Pattern renaming is even more valuable when you download or receive a group of cryptically-named files, such as xrg79qwmr22.jpg, y6ookjg6ds44m.jpg, etc., and you'd like to give them meaningful names, such as Landscape-1.jpg, etc.

What is a "Pointless Transmission"?

A 'Pointless Transmission' is one that can never be delivered because the recipient device does not have enough storage space to hold the data. Merlin does a pretty good job of warning you about that so you don't waste Kahuna Traffic Credits, but bear in mind that storage is a dynamic resource shared amongst all apps, so the amount available on a recipient's device can change between the time a file is sent and when it's actually received. If Merlin tells you a recipient does not have enough secure data space to accept a transmission, you can send them a secure IM or MerlinMail (or just call them) and tell them you have files you want to send, and ask them to increase the amount of storage Merlin is allowed to use. Once they do that, your copy of Merlin will know and you can just send the files again. If the recipient is one of your own devices, then you'll need to increase the capacity (or delete files) on that device to make enough room.

Is there a size limit to files in Merlin?

Nope. Files can be as big as your device allows. Some devices have limited storage capacity (mobile phones or some tablets, for example) and some have huge capacity (large desktops or laptops), so there may be limits on the sizes of files you can share with a given device.

Can I run simultaneous imports?

Yes, but since Merlin runs your storage system as fast as it will go, if you simultaneously import files into two folders it must do twice as much work, so it will take twice as long. Likewise with three folders, it would take three times as long.

Will Merlin alert me if a file has GPS or Personally Identifying Information (PII) in it?

Yes. Many files types (especially pictures) contain additional properties, metadata or Exif data (Exchangeable image file format) that contain information beyond just the text or picture. This can include the name of the author or creator of the file, the camera make and model on which a picture was taken, and in a startling number of cases, an alarmingly precise set of GPS data indicating where the picture was taken. When Merlin detects personally identifying or GPS data in a file, it places a red information icon or a blue globe icon on the secure thumbnail images it makes of the file. In 'details' view it will show GPS and PII columns.

Can Merlin show me where a picture that has GPS data was taken?

Yes. Merlin can start any of several geolocation programs, such as Google Earth or Bing Maps, and navigate right to the spot where the picture was taken. All you have to do is tap or right-click on the file and select 'Go to GPS location'. Merlin does everything else automatically. This is a lot cooler than words alone can describe... try it and you'll see what we mean.

Can Merlin remove GPS and Personal data from a file?

Yes. Merlin has a powerful file properties tool than can remove specific properties or all properties from the files you select. You can also leave the properties in place, but set Merlin so that whenever you share a file, they are all removed from the encrypted copy that's sent.

Can Merlin find unencrypted versions of files on my device outside of Merlin?

Yes. Merlin has a File Scan tool that will search your device for unencrypted versions of files already in Merlin. You can decide what constitutes a match: the content matches, the name matches, or both must match. And you can also decide how fast you want the scan to run: gradual, normal, fast or extreme.

To be sure of finding all the unencrypted copies of files you are searching for, make certain you select every drive or device that may ever have held them, including hard disks and flash drives. Once Merlin finds unencrypted matches you can wipe both the files and their unencrypted thumbnails.

Note that the speed at which you tell Merlin to scan can have a significant impact on how fast both Merlin and all other apps run while the scan is in progress. At the gradual speed setting you will rarely if ever notice performance degradation in any app. At the extreme speed setting, Merlin will drive your storage system as fast as it can go to find the unencrypted versions you are looking for, and the performance of all apps as well as other parts of Merlin itself will degrade dramatically.

Use the extreme setting only when you want to clean out unencrypted files as your only priority because everything else will slow to a crawl. Also note that on a portable device, a fast scan will consume battery power at a pretty good clip, so it's best to have it plugged in. If a device loses power while a scan is running the scan will stop, and you'd have to start it all over again to be sure of finding everything.

Can Merlin show me an overview of all the files it's managing?

Yes, Merlin can display an overview and counts of all the different types of files you have imported, with charts for size, ratings and type. It will also show the amount of secure file space used and remaining, and the number of files in the trash and the space consumed.

Can I rate files?

Yes, you can assign ratings from no rating up to 5 stars. Ratings are used to indicate how much you like a picture, or story, or any other file content.

Can I set a priority on a file, and what does that mean?

Yes, you can assign priorities ranging from no priority up to critical. Priorities are useful when you want to list or group files in a folder by their importance. Knowing a priority is also useful to Merlin when it's merging different versions of a file into a revision chain because it will know which versions matter most, aside from the date they were last edited.

How does Merlin keep large files secure, such as movies that might not fit into my available RAM?

Merlin uses a 'sliding decryption window' technology that decrypts large files in manageable segments to memory only, as needed. Even if a movie file is many gigabytes, you are still watching it only frame-by-frame, so all Merlin needs to do is ensure that it has enough of the movie decrypted in advance to continuously feed its secure internal media player. At any given time, that's actually a small amount of data which fits easily into memory, relative to the size of the entire movie.

What about the operating system's swap file, isn't that a potential security leak?

Yes, it can be. Many operating systems will move dormant data held in memory to a 'memory swap file' on disk in order to free up RAM for more active applications. It's therefore possible that some portion of memory that happens to be swapped to disk contains decrypted Merlin data. Merlin attempts to prevent this in several ways...

First, Merlin decrypts to memory only what you are actively working on, keeping the exposure size as small as possible. Second, Merlin frequently accesses small randomly chosen parts of data that have been decrypted to memory, even if you yourself are not using it at the moment (have walked away from your device for a minute, for example). This fools the operating system into thinking the data is in active use, thus discouraging it from swapping it out. And third, if Merlin sees that you have opened something to work on it, thus decrypting it, but you yourself are dormant, it will automatically re-encrypt it and wipe the current image from memory until it notices that you are no longer dormant, at which time it will decrypt it again. This causes a slight delay when you resume working on it, but it's usually not noticeable.

These techniques dramatically reduce the probability that the operating system will swap sensitive memory data to permanent storage, but they do not entirely eliminate it. To address that, Merlin also frequently simply moves junk data into various bits of memory, and then intentionally leaves it dormant, thus fooling the operating system into swapping the junk to disk. With a sufficient number of such overwrites, the junk entirely replaces any detectable, meaningful data.

All of this works quite well on fixed and semi-mobile devices such as desktop or laptop computers with mains power or large batteries. But on mobile devices in which a premium must necessarily be placed on power consumption (because their batteries are relatively small), these techniques can become prohibitively expensive. Therefore, on mobile devices Merlin must instead impose limits on what you can open simultaneously (typically just one folder at a time, and just one or two files for viewing or editing at a time), all in an effort to reduce the memory footprint of decrypted data to something small enough that applying the techniques described above does not cost too much extra power. Fortunately, this is usually not a painful restriction because the small screens of mobile devices discourage people from opening more than one or two things at a time anyway. That said, using Merlin on a mobile device will cost a little extra battery life (~5%) relative to most other apps – that's the price of safety.