Your keys are encrypted with AES-256-GCM behind a passphrase only you know (PBKDF2, 310k iterations). The encrypted blob is useless without it. This protects keys at rest — not against malware running while you use the app. Use dedicated, quota-capped keys. Keys are never written into this file.
First time: click Locate & remember key file…, pick your .rckeys on the O:/ drive, then type the passphrase. After that: the app remembers the file (Chrome) and only asks for the passphrase. The O:/ drive must be connected when you open the app. Already use the Reality Check app? Its exported .rckeys loads here unchanged.