FAQ

Safeinity is a secure digital estate planning platform that protects and manages your digital assets after death.

Think of Safeinity as a secure vault for your most important information. Store documents, passwords, photos, and personal messages, then designate who should receive them when you pass away. Everything is encrypted and safely stored until your loved ones need it.

You can access your information anytime while you are alive, and your beneficiaries automatically gain access after your death - either through our automated heartbeat monitoring system or through your will.

How It Works (Simple Flow)
  1. Create your secure account and choose your plan.
  2. Upload and organize documents, files, and sensitive information.
  3. Assign beneficiaries and decide exactly what each person can access.
  4. Set your check-in and notification preferences.
  5. When trigger conditions are met, access is released according to your instructions.
What You Can Manage
  • Legal, financial, and personal documents
  • Beneficiary assignments by person or by file
  • Heartbeat check-in and escalation settings
  • Security features like encryption and 2FA
  • Ongoing updates as your life and estate plan change
Bottom line: Safeinity helps you stay in control while you are alive and makes sure your digital information is transferred only when and how you intended.

Basic Plan: $7 per quarter (only $2.33 per month)
Essential Protection
  • 1GB secure storage
  • AES-256 encryption
  • Zero-trust encryption available
  • Document vault
  • Manual account management
  • Basic email support
  • No heartbeat monitoring
  • No death certificate validation
Heartbeat Plan (Most Popular): $13 per quarter (only $4.33 per month)
Everything in Basic, Plus:
  • 3GB secure storage
  • Heartbeat monitoring system
  • Automated check-ins via email/SMS
  • Beneficiary auto-notification
  • Customizable monitoring frequency
  • Priority email support
  • No death certificate validation
Verification Plan: $18 per quarter (only $6.00 per month)
Maximum Security & Validation
  • Everything in Heartbeat, Plus:
  • 10GB secure storage
  • Death certificate validation
  • Professional verification service
  • Legal document review
  • Enhanced security protocols
  • Priority support
Setup: $25 one-time set up fee
Processing Fee: Only charged when validation is done. Varies by country. In the US it generally runs $250.

Yes, we use enterprise-grade security measures to protect your sensitive information.

Encryption & Security
  • AES-256 non-deterministic encryption
  • Zero-knowledge architecture available
  • Multi-factor authentication available
  • Secure key management
  • Regular files encrypted by Safeinity and then again by AWS
  • High security files encrypted directly by you and then by AWS
  • AWS cannot access your data
Infrastructure & Compliance
  • SOC 2 compliant data centers - AWS S3
  • Regular security audits
  • Multiple backup locations
  • 99.9% uptime guarantee

Store any digital information that's important to you and your beneficiaries.

Legal Documents
  • Wills and testaments
  • Power of attorney documents
  • Trust documents
  • Insurance policies
  • Property deeds
Financial Information
  • Bank account details
  • Investment account information
  • Credit card information
  • Cryptocurrency wallet keys
  • Safe deposit box locations
Digital Assets
  • Website passwords
  • Social media account credentials
  • Email account access
  • Digital photo collections
  • Software licenses
Personal Items
  • Personal messages to loved ones
  • Family photos and videos
  • Important memories and stories
  • Final wishes and instructions
  • Contact lists and directories

Our heartbeat system ensures your digital assets are transferred only when appropriate.

Heartbeat monitoring is an automated check that allows you to confirm you are alive and well.

Safeinity sends you a regular email or text that you acknowledge with a button click. Once you stop responding, it is assumed you are incapacitated or deceased.

If you use our death certificate verification service, your passing is investigated and confirmed. Your beneficiaries are then contacted and given access to your documents.

If you do not use death certificate verification, once your heartbeat monitoring period has passed, your beneficiaries are given access.

Basic service does not include heartbeat monitoring. If you use basic service you will need to make arrangements to give beneficiaries access to your documents. You can use our key sharding service to assist you in that process.

How It Works
  1. Regular Check-ins: You receive periodic emails or texts asking you to confirm you're alive and well
  2. Multiple Attempts: If you don't respond, we send multiple reminders
  3. Beneficiary Notification: Beneficiaries are notified and given access to your information
Customizable Settings
  • Check-in Frequency: How often we send reminders
  • Reminder Schedule: How many reminders before escalation
Important

Keep your contact methods current and check them regularly.

We're here to help you protect your digital legacy with comprehensive support options.

Support Channels

What:
Death Certificate Validation is the process of verifying that a reported death is genuine before unlocking access to your protected digital assets and notifying beneficiaries.

Key Points:
Our investigative service performs death verification that confirms a person is deceased by checking authoritative sources (official death records, government registries, certified copies of death certificates, or trusted third-party verification services).

Why it matters:
This service prevents fraud and accidental release of your sensitive data. It ensures the estate process only moves forward after legitimate confirmation.

You are not charged for the investigation until your Heartbeat Monitoring is triggered.

Absolutely! Safeinity is designed for you to actively use and manage your information.

Full Account Access
  • View and edit all your stored information
  • Upload new documents and files
  • Update passwords and account details
  • Manage your beneficiaries
  • Configure heartbeat settings
Export Your Data
  • Download individual files
  • Create backup copies
  • Print important documents
Living Benefits
  • Document Vault: Safe storage for important papers
  • Organization Tool: Keep everything in one secure place
  • Access Anywhere: Available from any internet-connected device
  • Family Sharing: Share specific information with family members
Great Idea

Use Safeinity as your primary secure storage for important information. It's not just for after-death planning!

Your digital legacy is protected and transferred according to your wishes.

Timeline After Death
  • Trigger Threshold - Initial Non-Response Period: Multiple email/text attempts
  • 2-3 Weeks - Verification Process: Death certificate verification and legal documentation review (optional)
  • Day 35+ - Beneficiary Access Granted: Designated beneficiaries receive access to your digital assets
Beneficiary Experience
  • Email or text notification of access granted
  • Login credentials securely provided
  • Access to designated information only
  • Ability to download documents
  • Technical support available
Security Measures
  • Authentication required
  • Legal documentation verification
  • Secure data destruction 6 months after transfer

Two-factor authentication (2FA) adds an extra layer of security beyond just your password by requiring a second verification step.

How It Works

After entering your password, you must provide a second form of verification. This means even if someone steals your password, they still can't access your account without the second factor.

Authenticator Apps (Recommended)

How it works:

  • Install an app like Google Authenticator, Authy, or Microsoft Authenticator
  • Scan a QR code during setup to link your account
  • App generates time-based 6-digit codes that change every 30 seconds
  • Enter the current code when logging in

Advantages:

  • Most Secure: Codes generated offline on your device
  • No Network Required: Works without cell signal or internet
  • Not Interceptable: Hackers can't intercept the codes
  • Industry Standard: Used by banks and tech companies
Important: Save Backup Codes

When you enable 2FA, we provide backup codes. Print these or save them securely. You'll need them if you lose your phone or authenticator app!
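
How an authenticator app and a server arrive at the same 6-digit code, and how a server can check it, shown as an added example (not Safeinity's code). It assumes the standard RFC 6238 parameters used by the apps named above (HMAC-SHA-1, 30-second step, 6 digits); the account name, issuer, drift window and replay check are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP = 30    # seconds each code is valid for, as described above
DIGITS = 6   # code length, as described above

# Constructed sample secret: the 20-byte ASCII key from the RFC 6238 test vectors.
SAMPLE_SECRET = b"12345678901234567890"


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that a setup QR code encodes (Key URI format)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&period={STEP}&digits={DIGITS}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC the 8-byte counter, then dynamically truncate to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(unix_time) // STEP)


def verify(secret: bytes, submitted: str, unix_time: float,
           last_counter: int = -1, window: int = 1):
    """Return the matched time-step counter, or None if the code is rejected.

    window       accepts codes from +/- `window` steps to absorb clock drift.
    last_counter is the last step already accepted for this account; codes at
                 or before it are refused, so an observed code cannot be replayed.
    """
    now = int(unix_time) // STEP
    matched = None
    for counter in range(now - window, now + window + 1):
        candidate = hotp(secret, counter)
        # compare_digest avoids leaking how many leading digits were right
        if counter > last_counter and hmac.compare_digest(candidate, submitted):
            matched = counter
    return matched


if __name__ == "__main__":
    print(provisioning_uri(SAMPLE_SECRET, "alice@example.com", "Example Vault"))
    code = totp(SAMPLE_SECRET, 59)
    print("code at t=59:", code)
    print("accepted at t=59:", verify(SAMPLE_SECRET, code, 59))
    print("accepted one step later:", verify(SAMPLE_SECRET, code, 89))
    print("accepted after 60s:", verify(SAMPLE_SECRET, code, 120))
    print("replayed:", verify(SAMPLE_SECRET, code, 59, last_counter=1))
```

The shared secret in the QR code is the whole credential: anyone who copies it can generate valid codes, which is why the setup screen and the backup codes deserve the same care as the password.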

Email Codes (Better Than Text)

How it works:

  • We send a 6-digit code to your registered email
  • Check your email and enter the code to log in
  • Code expires after 10 minutes

Considerations:

  • Requires Email Access: Must have access to your email account
  • Email Vulnerabilities: If your email is compromised, so is your 2FA
  • Delivery Delays: May take a few minutes to receive
  • Better than nothing: Still adds protection vs. password only
SMS Text Messages (Less Secure)

How it works:

  • We send a 6-digit code via text message to your phone
  • Enter the code to complete login
  • Code expires after 10 minutes

Considerations:

  • SIM Swapping Risk: Attackers can hijack your phone number
  • Network Required: Needs cell signal to receive texts
  • SMS Interception: Messages can potentially be intercepted
  • Convenient but weaker: Easy to use but less secure than apps
Our Recommendation

Use an authenticator app for maximum security. If you can't use an app, email codes are safer than SMS. You can enable multiple methods and use email/SMS as backups to your authenticator app.

We use military-grade AES-256 encryption to protect your sensitive information.

Encryption Standards
  • AES-256: Same encryption used by government agencies and banks
  • File Encryption: AES-256-GCM with authentication tags
  • Password Hashing: SHA-256 with a high iteration count and unique salts
Storage Security
  • AWS S3: Documents stored on SOC 2 Type II certified infrastructure
  • Secrets Manager: Keys stored in AWS Secrets Manager
  • Database: Microsoft SQL Server
Protection Layers
  • In Transit: TLS 1.3 encryption for all data transmission
  • At Rest: All private data encrypted before storage
  • At Rest: All files encrypted by Safeinity, and then again by AWS
  • Authentication: TOTP-based two-factor authentication available
  • Session Security: HttpOnly cookies with 20 minute timeout
Learn More

For detailed technical information about our security architecture, visit our Technology & Security page.

A Heartbeat Monitoring subscription is needed in order to manage beneficiaries.

Managing beneficiaries is simple and can be updated anytime from your account dashboard.

Adding Beneficiaries
  1. Navigate: Go to Beneficiaries section in your dashboard
  2. Add Details: Enter name, email, and relationship
  3. Save: Your beneficiary is now in the system
Access Control
  • Grant access to specific documents - or all files
  • Set different access for different beneficiaries
Managing Beneficiaries
  • Update Information: Change contact details anytime
  • Add or Remove: 1,000 beneficiaries max
  • Modify Access: Adjust what each person can see
Keep Updated

Review your beneficiary list regularly. Life changes like marriages, divorces, births, and deaths may require updates to your beneficiary designations.

Shamir's Secret Sharing is an advanced cryptographic method that splits your master key into multiple shares.

How It Works

Your master encryption key is mathematically split into multiple "shares" (shards). You decide how many shares are needed to reconstruct the key.

Example: (3,5) Scheme
  • 5 total shares created
  • Any 3 shares can reconstruct the key
  • 2 or fewer shares reveal nothing
  • Shares can be given to different people
Security Properties
  • Perfect Secrecy: Less than threshold reveals no information
  • Fault Tolerance: System works even if some shares are lost
  • No Single Point of Failure: No one person has complete access
  • Mathematically Secure: Based on proven cryptographic principles
Use Cases
  • Family Trust: Share with multiple family members
  • Business Succession: Distribute among board members
  • Estate Planning: Require consensus among beneficiaries
  • Backup Strategy: Store shares in different locations
Important Notes
  • Choose threshold carefully - not too low (insecure) or too high (inaccessible)
  • Keep shares in secure but accessible locations
  • Document who has which shares
  • Consider geographic distribution

Best Practice: Safeinity has found that more people than you might expect will lose shards, even when large sums of money are involved. Plan accordingly when setting the threshold. You will probably need extra shards.

Consider leaving one with your lawyer or other trusted professional. Leaving a shard in your safe deposit box or other secure location can help cover for lost shards. You will have to balance current security against the eventual need for access for loved ones.

We can work through these situations - sometimes - but the cost can be very high and the process can take weeks. It's best to avoid the situation entirely by planning carefully.

We have secure account recovery options while maintaining the highest security standards.

Password Reset
  1. Request Reset: Click "Forgot Password" on login page
  2. Email Verification: Check your registered email for reset link
  3. Create New Password: Choose a strong, unique password
  4. Regain Access: Log in with your new credentials
Lost 2FA Access?

If you've lost access to your authenticator app, use your backup codes. If you don't have backup codes, contact support for account recovery assistance. Recovery may not be possible in all cases.

Master Encryption Key

None of this information applies to your master encryption key that you can optionally use to encrypt high security files. If you lose that key there is no way to recover your encrypted files.

Account Recovery
  • Email Verification: Verify ownership via registered email
  • Identity Verification: Additional verification may be required
  • Support Contact: Our team can assist with recovery
  • Security Questions: Answer your pre-set security questions
Prevention Tips
  • Use KeePassXC to store your password securely
  • Save backup codes in multiple secure locations
  • Keep your email address current
  • Enable 2FA for maximum security
  • Write down recovery codes and store offline

Need Help? Contact support

You can cancel your subscription at any time with no penalties or hidden fees.

Cancellation Process
  1. Download Data: Verify you have local copies of your files
  2. Access Settings: Go to Account Settings > Close Account Immediately
  3. Cancel Subscription: Complete form and click "Close My Account" button
  4. Confirm: Confirm your cancellation request
Refund Policy
  • Refunds: Safeinity does not currently offer refunds
After Cancellation
  • Data Retention: All account data is wiped immediately
  • Permanent Deletion: After 30 days, all files are permanently deleted

Questions about billing or cancellation? Contact our billing team

Storage limits depend on your subscription plan, with generous allowances for most users.

File Upload Limits
  • Maximum File Size: #application.stor.maxFileSizeMB# MB per file
  • Supported Formats: All common file types accepted
  • Encryption: Files encrypted with AES-256-GCM
  • Upload Speed: Optimized for large files
Storage by Plan

Basic Plan: #application.stor.baseGB# GB total storage

Heartbeat Monitoring: #application.stor.hbGB# GB total storage

Death Certificate Verification: #application.stor.dcvGB# GB total storage

Need More? Additional storage available for purchase

What You Can Store
  • Documents (PDF, Word, Excel, etc.)
  • Photos and videos
  • Audio files
  • Archives and backups
  • Scanned documents
  • Encrypted files
Need More Storage?

Upgrade your plan or purchase additional storage blocks.
Go to Account > Storage Plan to see options and pricing.

Safeinity offers three subscription tiers designed to meet different needs and budgets.

Subscription Tiers
Basic Plan
  • Secure document storage (#application.stor.baseGB# GB)
  • AES-256 encryption
  • Manual file sharing with beneficiaries
Heartbeat Monitoring Plan
  • Everything in Basic, plus:
  • Beneficiary management
  • Automated heartbeat monitoring
  • #application.stor.hbGB# GB storage
  • Automatic beneficiary notification
  • Customizable check-in frequency
Death Certificate Verification Plan
  • Everything in Heartbeat Monitoring, plus:
  • Professional death verification service
  • #application.stor.dcvGB# GB storage
  • Legal documentation review
  • Fraud prevention
How to Upgrade
  1. Access Settings: Go to Account > Subscription Settings
  2. Choose Plan: Select your desired plan tier
  3. Review Changes: See pro-rated pricing and new features
  4. Payment: Secure checkout via Stripe
  5. Instant Access: Upgraded features available immediately
Downgrades
  • Can downgrade to lower tier anytime
  • Change takes effect at end of current billing period
  • No immediate charge - prevents double billing
  • Storage must fit within new plan limits
Pro-Rated Billing
  • Credits Applied: Unused time credited toward upgrade
  • Fair Pricing: Never pay twice for the same period
  • Transparent: See exact calculations before confirming
Special Offer

Annual subscriptions save compared to quarterly billing. Switch billing frequency anytime in your account settings

Yes! You can switch between quarterly (3-month) and annual (12-month) billing at any time.

Billing Options
Quarterly Billing (3 Months)
  • Pay every 3 months
  • More frequent payments, lower upfront cost
  • Flexibility to change plans more often
  • Good for trying out the service
Annual Billing (12 Months)
  • Pay once per year
  • Save compared to quarterly
  • Lock in current pricing for a full year
  • Best value
How to Switch
  1. Navigate: Account > Billing Period
  2. Choose Frequency: Select quarterly or annual
  3. Review: See when change takes effect and pricing
  4. Confirm: Approve the billing period change
When Changes Take Effect
  • Current Period: Continue with existing billing
  • End of Period: New billing frequency starts
  • No Interruption: Seamless transition
Smart Billing

Your subscription automatically renews at the end of each period. You can cancel anytime with no penalties, and your service continues until the end of your paid period.

Absolutely! You have complete control over which beneficiaries can access which files.

File Assignment Options

Navigate to Dashboard. Click the Manage Assets / Beneficiaries button to manage relationships. The system offers two approaches:

Option 1: Assign Files to a Beneficiary
  1. Select a beneficiary from the dropdown
  2. See all your files with checkboxes
  3. Check files this person should receive
  4. Already assigned files auto-checked
  5. Save to update assignments
Option 2: Assign Beneficiaries to a File
  1. Select a file from the dropdown
  2. See all your beneficiaries with checkboxes
  3. Check who should receive this file
  4. Existing assignments auto-checked
  5. Save to update assignments
View All Relationships
  • Summary Table: See all file-beneficiary assignments
  • Search & Sort: Find files or beneficiaries quickly
  • Quick Removal: Delete relationships with one click
  • File Titles: Easy identification of documents and people
Smart Assignment
  • Visual Feedback: Existing assignments automatically checked when you select a beneficiary or file
  • Flexible: Same file can go to multiple beneficiaries
  • Selective: A particular beneficiary can be limited to specific files
Use Cases

Example 1: Send financial documents only to your spouse

Example 2: Share family photos with all children

Example 3: Give business documents to your business partner

Example 4: Send medical records to your healthcare proxy

Zero-knowledge encryption is the ultimate security option where even Safeinity cannot access your encrypted data.

How It Works

With zero-knowledge encryption, your data is encrypted before it leaves your device. The encryption happens entirely in your browser.

Standard Encryption
  • Data encrypted with Safeinity-managed keys
  • We can decrypt for account recovery
  • Easier password reset process
  • Customer support can assist with access issues
  • Best for most users
Zero-Knowledge Encryption
  • You must manage your encryption key
  • We cannot decrypt your data - ever
  • Maximum privacy and security
  • No account recovery if master encryption key lost
  • Best for ultra-sensitive information
Advantages
  • Complete Privacy: Nobody but you can ever access your data
  • Government Proof: Even court orders cannot decrypt your files
  • Trust Not Required: Don't have to trust Safeinity or anyone
  • Peace of Mind: Ultimate data security
Critical Warnings
  • Lost Master encryption key = Lost Data: No recovery possible
  • No Reset Option: Support cannot help if you forget your master encryption key
  • Backup Responsibility: You must manage your own backups
  • Write It Down: Store key in physical safe or KeePassXC
  • Test Access: Verify you can log in before relying on it
  • Test: Verify you can download and decrypt your files
Should You Use It?

Use Zero-Knowledge If:

  • You have extremely sensitive data
  • You are comfortable managing passwords
  • You use a reliable password management system (KeePassXC recommended)

Use Standard Encryption:

  • You want account recovery options
  • Extremely good security is good enough

You have complete control over your data and can request permanent deletion at any time.

Before You Delete
  • Download Data: Verify you have local copies of all files you want to keep
  • Save Beneficiary Info: Record beneficiary contact details
  • Notify Beneficiaries: Tell them about closure if needed
Account Closure Process
  1. Cancel Subscription: Go to Account (top right) > Close Account Immediately
  2. Verification: Confirm your identity via email
  3. Final Confirmation: Confirm you want permanent deletion
  4. Data Wiped: All account data permanently deleted immediately
  5. Data Wiped: All files permanently deleted after 30 days
Grace Period

NONE

What Gets Deleted
  • All Files: Documents, photos, videos - everything
  • Personal Info: Name, email, phone, address
  • Beneficiaries: All beneficiary data and relationships
  • Encryption Keys: All encryption keys destroyed
  • Account Data: Login credentials, preferences, settings
  • Heartbeat Settings: Monitoring configuration deleted
  • Billing History: Payment records permanently removed
  • Billing History: Your data on Stripe, our payment processor, remains. It cannot be deleted by Safeinity.
Privacy Guarantee

When data is deleted, it's permanently erased from our servers and backup systems. We comply with GDPR right-to-be-forgotten requirements. Deletion is irreversible and complete.

Securing Your Secrets

1) Paper Storage — The Risks

Storing your financial information and sensitive data — such as usernames, passwords, seed keys, and two-factor authentication directions — on paper carries two types of risk.

Risk 1: No Real Security

Anyone who gains access sees your financial and private life immediately. There is no identity verification, no alert that it has been viewed, and no way to control how widely it may be shared. Even a bank safe deposit box is not fully safe — these have been accessed by both thieves and law enforcement repeatedly.

Risk 2: Information Goes Stale

Passwords change, new accounts appear, and additional security measures are introduced — often rendering earlier paper instructions incomplete or misleading. Keeping it all up-to-date in a bank document, let alone at home, is extremely difficult and risky.

2) Electronic Storage — Severe Risks

Electronic storage can appear more secure, yet introduces severe risks of its own — especially for high-value accounts.

  • Files are copied, synchronized, and backed up across multiple devices and services.
  • Screenshots, notes, and spreadsheets may persist on disk long after you think they've been deleted.
  • Placing a crypto wallet key — even once — into a document, screenshot, or any unprotected electronic format carries severe risk.
The only safe exceptions are systems specifically designed for secure storage, such as KeePassXC and the Safeinity SecureForm.
The Modern Security Philosophy — And How Safeinity Fits

Modern security requires a different philosophy. Rather than relying on hiding secrets, it depends on controlled access — ensuring that sensitive information is available only to verified individuals and under defined conditions. Data cannot be kept on disk or in memory in an unsecured manner.

This is Safeinity in a nutshell. Instead of scattered documents or informal storage habits, Safeinity is designed to manage access deliberately and securely. You control what may be accessed, when, and by whom — even after your death.

On Windows:

Use Windows Security (Defender) or tools like Malwarebytes, Kaspersky, Bitdefender.

  • Open Start > Settings > Privacy & Security > Windows Security
  • Click on Virus & threat protection
  • Select Full scan, or even better, Offline scan
  • Consider scanning with a second opinion tool like Malwarebytes
On macOS:

Use tools like Malwarebytes for Mac, Bitdefender for Mac, or CleanMyMac (with malware scan enabled).

  • Download one of the above apps from a trusted source
  • Install and run a full scan
Why This Matters - Malware Risks:
  • Keyloggers: Record everything you type, including passwords and private keys.
  • Clipboard hijackers: Watch for and replace copied wallet addresses or sensitive data.
  • Remote access trojans (RATs): Allow attackers to view your screen or files remotely.

Secure Key and Password Storage:
Never Store Private Keys Digitally in Plaintext
Most digital storage (like a .txt or .doc file) is vulnerable to malware, cloud sync hacks, and accidental sharing.
How to Store Private Keys Physically:
  • Good: Write it down by hand on acid-free paper using a permanent pen
  • Better: Stamp it by hand into metal plates
  • Make copies and store in different - secure - physical locations
  • Make split copies - Physical Cold Storage
  • Avoid:
    • Taking photos or screenshots
    • Printing from a Wi-Fi-enabled printer
If You Must Store Digitally:
  • Use KeePassXC
  • Use a password manager
  • Never use plugins or browser extensions with anything security related
Website Safety:

Never enter private keys on unknown or untrusted websites. Check:

  • Is the site HTTPS encrypted?
  • Is the domain exactly correct? (Beware phishing lookalikes)
  • Do you trust the site's developers?
  • Consider using read-only wallets (watch-only) for tracking instead of exposing your key

This guide describes a physical cold-storage method using multiple safety-deposit boxes and steel-stamped seed keys.
It is designed for users who want to store their crypto keys offline in a secure, tamper-resistant manner without relying solely on hardware wallets or digital storage.

Goal: Ensure no single location or person holds the full seed/private key while maintaining durable, tamper-resistant backups.

Quick Steps

  1. Open 4 safety-deposit boxes at different banks (banks - not branches), ideally in different jurisdictions or geographic areas.
  2. Two can be in one location, and the other two in a second city / location.
  3. Prepare steel plates (corrosion-resistant stainless steel or dedicated crypto plates designed for mnemonic/seed stamping).
  4. Stamp your seed keys (mnemonic or private key fingerprint) into the steel plates using plate-stamping tools.
  5. Divide your key(s) in half. Put half the seed keys on one plate and the other half on the second plate. (Copy A and Copy B).
  6. Do this again. You now have two copies of your keys - with half of each key on its own plate.
  7. Test recovery: In a secure environment, reassemble plates from copies (use non-production keys first, i.e., a test wallet) to confirm you can reconstruct the seed and access funds. Do this before relying on the system.
  8. Distribute halves across the 4 boxes so no single box contains a full copy of the seed. Example distribution:
    • Box 1: A first half
    • Box 2: A second half
    • Box 3: B first half
    • Box 4: B second half

    (This ensures two separate copies are split and each box only contains a partial piece.)

  9. Place one key set in one geographic area and the other key set in a separate area.
  10. Document the scheme in Safeinity. Record which bank and box number holds which piece.

Practical Hardening Details & Best Practices

  • No digital photos / no cloud copies: Never photograph or scan stamped plates.
  • Never put your keys in any digital format other than KeePassXC, or on your hardened laptop or a hardware wallet.
  • Avoid writing the full seed in the same location as passphrase: If you use a BIP-39 passphrase, store it separately (different box or trusted holder) - never co-locate.
  • Legal & access planning: Ensure the right people (or executor) can lawfully access boxes when needed; this is what Safeinity and your will are for.
  • Chain of custody: Keep records of who had access during stamping and transport. Use a trusted courier or do it yourself; do not mail plates.
  • Periodically verify (every 1-3 years): Banks change policies; check boxes and confirm plates intact.
  • Keep plate materials durable: Choose stainless steel or dedicated crypto metal (e.g., Cryptosteel, Billfodl) rated for corrosion, fire, and time.

Safer / More Complex Alternative

Use Safeinity's key sharding and a threshold scheme (e.g., 2-of-3, 3-of-5) to divide the key into shares. Store shares in separate deposit boxes or with trusted custodians. Advantages: flexible quorum, better resilience, and no brittle physical-halving mistakes.

Note: many people are irresponsible with keys. Some of the people you give shards to will probably lose them. Make sure they understand the importance of their shard, and make the threshold low enough to ensure your key can be reconstructed (e.g., 5-of-10). In your will, describe Safeinity and how to use the shards.
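
To put numbers on the threshold advice, the following added example (not part of the original guide) compares the four-box halves layout from the Quick Steps with the threshold schemes named above. The per-piece loss probability is a constructed assumption, losses are treated as independent, and all function names are illustrative.

```python
from itertools import combinations, product
from math import comb

# The four-box layout from the Quick Steps: (copy, which half of the seed).
BOXES = {
    "Box 1": ("A", 1),
    "Box 2": ("A", 2),
    "Box 3": ("B", 1),
    "Box 4": ("B", 2),
}


def halves_recoverable(surviving_boxes) -> bool:
    """Copies A and B hold the same seed, so recovery needs any first half
    plus any second half."""
    return {BOXES[name][1] for name in surviving_boxes} == {1, 2}


def halves_recovery_probability(p_loss: float) -> float:
    """Exact probability the seed is recoverable, by enumerating all 16
    survive/lost outcomes for the four boxes."""
    names = list(BOXES)
    total = 0.0
    for alive in product([True, False], repeat=len(names)):
        surviving = [n for n, a in zip(names, alive) if a]
        if halves_recoverable(surviving):
            prob = 1.0
            for a in alive:
                prob *= (1 - p_loss) if a else p_loss
            total += prob
    return total


def threshold_recovery_probability(k: int, n: int, p_loss: float) -> float:
    """Probability that at least k of n shares survive (binomial tail)."""
    keep = 1 - p_loss
    return sum(comb(n, s) * keep ** s * p_loss ** (n - s) for s in range(k, n + 1))


def halves_pairs_exposing_seed() -> int:
    """How many of the 6 possible two-box combinations hold the full seed.
    A single box already discloses half of it; a threshold share below the
    quorum discloses nothing."""
    return sum(halves_recoverable(pair) for pair in combinations(BOXES, 2))


if __name__ == "__main__":
    for p in (0.1, 0.3):   # constructed loss rates, not measured data
        print(f"per-piece loss probability {p}:")
        print(f"  4-box halves : {halves_recovery_probability(p):.5f}")
        for k, n in ((2, 3), (3, 5), (5, 10)):
            prob = threshold_recovery_probability(k, n, p)
            print(f"  {k}-of-{n:<2}      : {prob:.5f}")
    print("two-box pairs holding the full seed:", halves_pairs_exposing_seed(), "of 6")
```

The 5-of-10 figure shows why a quorum at half the share count tolerates careless holders; the trade-off is that five cooperating or coerced holders are enough to rebuild the key.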

For extremely large holdings, consider building a shielded enclosure / Faraday cage and only accessing your hardened laptop and Safeinity from within it. This protects against electronic theft.

Warnings / Gotchas

  • If you split badly, you can permanently lose funds. Plan, test, and document recovery precisely.
  • Banks will refuse access without the right paperwork. Plan legal access (will, executor). Obviously do not put the seed/passphrase in the will.
  • Physical theft vs. coercion: A safety deposit box has few physical attack vectors, but is subject to coercion attacks.
  • Safeinity is working on a new service to mitigate coercion risk. This will include your required physical presence and retired FBI agents. It will not be cheap.

What is KeePassXC?

KeePassXC is a way for you to encrypt all of your data in a single file which you alone hold the key to.

This prevents brute force attacks on your data - and prevents any access even by us.

We strongly recommend you store your data in KeePassXC before uploading to Safeinity. We have no affiliation with KeePassXC.


KeePassXC is a free, open-source account and document manager designed to securely store and manage passwords, usernames, notes, full documents and other sensitive information in a single encrypted database file.

KeePassXC is community maintained, open source, and built around the widely used KDBX database format. Its source code is publicly available for review, modification, and auditing, which helps security-minded users evaluate how it stores and protects sensitive information.

KeePassXC uses well-established encryption and an auditable codebase, but its real-world safety still depends on strong device security, a strong master passphrase, and disciplined operational practices.

Features
  • Encrypted Database: Stores all data in a .kdbx file encrypted with AES-256 (or optionally Twofish or ChaCha20), considered unbreakable with current technology when paired with a strong master password.
  • Password Generator: Creates complex, random passwords with customizable options (length, character sets, excluding similar characters) to promote unique, secure passwords for each account.
  • Cross-Platform Compatibility: Runs natively on Windows, macOS, and Linux, with compatible KDBX apps such as KeePassDX available for mobile workflows.
  • Auto-Type Functionality: Simulates keystrokes to securely enter credentials into login forms, reducing risks from keyloggers or clipboard snooping, with customizable window title matching.
  • Browser Integration and Extensibility: Supports browser integration, import/export tooling, and a range of entry and database management features for offline-first workflows.
  • Portable Mode: Runs directly from a USB drive without installation, ideal for secure use on shared or temporary systems.
  • Customizable Organization: Allows grouping entries into folders, tagging, and adding custom fields, attachments, or expiration dates for passwords.
  • Additional Security Layers: Supports key files, time-based one-time passwords (TOTP) for 2FA, and secure entry sharing via protected exports.

How to Download

Always download KeePassXC from official sources to ensure security and avoid tampered versions:

  1. Visit the official download page at keepassxc.org/download, maintained by the KeePassXC project.
  2. Select the appropriate build for your operating system. Desktop releases are available for Windows, macOS, and Linux.
  3. Choose between the installer (for system integration) or portable ZIP archive (for USB use).
  4. Verify the download's integrity using SHA-256 hashes provided on the site with tools like Windows' certutil.
  5. If you need mobile access, use a compatible KDBX application such as KeePassDX from a trusted official app source.
  6. After downloading, scan the file with antivirus software and verify the hash to ensure authenticity. Avoid third-party download sites to prevent bundled malware.
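
The hash check from steps 4 and 6, as an added cross-platform example (not code from the KeePassXC project or from Safeinity). It assumes the published digest uses the common sha256sum line format; the file name and file contents in demo() are constructed.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_digest_text(text):
    """Parse sha256sum-style lines: '<64 hex chars>  <name>' or '<hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        hex_digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(hex_digest) == 64 and all(c in "0123456789abcdef" for c in hex_digest):
            entries[name] = hex_digest
    return entries


def verify_download(path, digest_text):
    """Return (ok, reason). Fails closed when the file name is not listed."""
    expected = parse_digest_text(digest_text).get(os.path.basename(path))
    if expected is None:
        return False, "no digest listed for this file name"
    actual = sha256_file(path)
    if hmac.compare_digest(actual, expected):
        return True, "sha256 matches published digest"
    return False, "sha256 mismatch: got " + actual


def demo():
    """Constructed demo: a stand-in installer file and a digest line for it."""
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "example-installer.msi")  # hypothetical name
        with open(path, "wb") as handle:
            handle.write(b"constructed installer bytes")
        published = hashlib.sha256(b"constructed installer bytes").hexdigest()
        digest_text = published + "  example-installer.msi\n"
        good = verify_download(path, digest_text)
        with open(path, "ab") as handle:
            handle.write(b"\x00")  # simulate a tampered or corrupted download
        bad = verify_download(path, digest_text)
        missing = verify_download(path, published + "  other-file.msi\n")
        return good, bad, missing


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A digest published on the same site as the download detects corruption or a tampered mirror, not a compromised site; where a project also publishes signatures for its releases, verify those as well.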

The open-source community regularly updates KeePassXC.

How to Use

Setting up and using KeePassXC is straightforward but requires careful configuration to maximize security:

  1. Install and Create a Database: Install KeePassXC or extract the portable version. Launch the app and create a new database.
  2. Set Up the Master Password: Create a strong master passphrase (12-16+ characters, mixed types). Optionally, add a key file generated by KeePassXC and store it separately, such as on a USB drive, for dual-factor security.
  3. Add and Organize Entries: Use "Entry > Add Entry" to input details like title, username, password, URL, and notes. Organize entries in groups (e.g., "Banking," "Email") via "Group > Add Group." Attach files or set custom auto-type sequences.
  4. Access and Auto-Fill Credentials: Search entries in the database. Double-click to copy details (Ctrl+C for password, Ctrl+U for username) or use Ctrl+Alt+A for auto-type to securely fill login forms. Enable clipboard auto-clear for added security.
  5. Upload to Safeinity: When complete, upload the .kdbx file to Safeinity.
  6. Create Beneficiary-Specific Databases: Make separate KeePassXC databases for each beneficiary to limit access. Shard the KeePassXC master password and give the shards to two or more beneficiaries. At any time (such as on your death or incapacitation), the beneficiaries can combine their shards to open the KeePassXC database.
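
How a threshold split behaves when custodians lose shards, covering both the threshold guidance earlier on this page (2-of-3, 3-of-5, 5-of-10) and the master-password sharding in step 6. This is an added example, not Safeinity's implementation: the page does not name its scheme, so Shamir's Secret Sharing is assumed, and all function names and the sample passphrase are constructed for illustration.

```python
import hashlib
import secrets

# Field modulus: 2**521 - 1 is prime and leaves room for a 60-byte secret plus framing.
PRIME = 2**521 - 1
MAX_SECRET_BYTES = 60


def _encode(secret: bytes) -> int:
    """Frame as 0x01 || secret || 4-byte SHA-256 tag so a bad recovery is detectable."""
    if not 0 < len(secret) <= MAX_SECRET_BYTES:
        raise ValueError("secret must be 1..60 bytes")
    return int.from_bytes(b"\x01" + secret + hashlib.sha256(secret).digest()[:4], "big")


def _decode(value: int):
    """Return the secret, or None when the framing or tag does not check out."""
    raw = value.to_bytes(66, "big").lstrip(b"\x00")
    if len(raw) < 6 or raw[0] != 1:
        return None
    secret, tag = raw[1:-4], raw[-4:]
    return secret if hashlib.sha256(secret).digest()[:4] == tag else None


def split_secret(secret: bytes, threshold: int, shares: int):
    """Return `shares` points (x, y); any `threshold` of them recover the secret."""
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    # Random polynomial of degree threshold-1 with the framed secret as constant term.
    coefficients = [_encode(secret)]
    coefficients += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for coefficient in reversed(coefficients):  # Horner's rule
            y = (y * x + coefficient) % PRIME
        points.append((x, y))
    return points


def combine_shares(points):
    """Lagrange interpolation at x = 0; None means too few or corrupted shares."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in points:
        numerator = denominator = 1
        for xj, _ in points:
            if xj != xi:
                numerator = numerator * -xj % PRIME
                denominator = denominator * (xi - xj) % PRIME
        total = (total + yi * numerator * pow(denominator, -1, PRIME)) % PRIME
    return _decode(total)


def recovery_drill(secret: bytes, threshold: int, shares: int, lost: int) -> bool:
    """Simulate `lost` custodians losing their shard, then attempt recovery."""
    points = split_secret(secret, threshold, shares)
    survivors = secrets.SystemRandom().sample(points, shares - lost)
    return combine_shares(survivors) == secret


if __name__ == "__main__":
    passphrase = b"constructed example passphrase"  # constructed sample secret
    print("5-of-10, 5 shards lost:", recovery_drill(passphrase, 5, 10, 5))
    print("5-of-10, 6 shards lost:", recovery_drill(passphrase, 5, 10, 6))
    print("2-of-3,  1 shard lost: ", recovery_drill(passphrase, 2, 3, 1))
```

Running a drill like this before distributing real shards is one way to test and document recovery: a k-of-n split survives the loss of n minus k shards and no more.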

How to Use Password Managers Safely (and When KeePassXC May Be a Better Fit)

Password managers are best avoided for critical accounts - banks, brokerages etc.

Password managers reduce password reuse and make strong, unique passwords practical.

They can also fail in predictable ways:

  • Phishing and fake login pages can steal your master password.
  • Malware on your device can capture keystrokes or vault data.
  • Account recovery abuse can let attackers bypass MFA.
  • Stolen encrypted vaults can be cracked offline if the master password is weak.
  • Browser extension vulnerabilities can expose data.

This page focuses on practical steps that improve safety regardless of which manager you use, and explains why an offline option like KeePassXC can reduce certain risks.

1) The Risks

Most password managers use strong encryption. In real incidents, attackers typically succeed by compromising the environment around the vault. The most common failure modes are:

  • Phishing & fake login pages
  • Credential stuffing (reused passwords)
  • Account recovery abuse
  • Compromised device (malware)
  • Browser extension weaknesses
  • Stolen encrypted vault backups
Key idea: encryption is necessary, but not sufficient.
Your security depends on how well you protect (a) your master password, (b) your second factor, and (c) your devices.
2) Safer Setup Checklist (Works for Any Password Manager)
A. Master password
  • Use a long passphrase (e.g., 4-6+ random words). Length matters more than complexity.
  • Never reuse your master password anywhere else.
  • Avoid “password hints” that disclose real parts of the passphrase.
B. Multi-factor authentication (MFA)
  • Prefer a hardware security key (FIDO2/WebAuthn) when supported.
  • If you can’t use a key, prefer an authenticator app (TOTP).
  • Avoid SMS-based MFA where possible (SIM swap risk).
  • Store username, password, and MFA information in Safeinity using a SecureForm™.
C. Account recovery
  • Review recovery options (email, phone, backup codes) and disable weak paths you don’t need.
  • Use a dedicated email with strong MFA for your password manager account.
D. Device security
  • Keep your OS and browser updated; enable full-disk encryption (BitLocker/FileVault).
  • Use a separate, strong device login (PIN/password/biometric) and a short screen lock timer.
  • Avoid plugins or browser extensions!
  • Watch for malware signs; use reputable endpoint protection if you're a high-value target.
E. Daily use habits
  • Type the password manager URL yourself or use a trusted bookmark. Don't follow emailed “log in” links.
  • Turn on alerts for new device sign-ins, exports, and security events (if available).
  • Don't keep your vault unlocked indefinitely. Use auto-lock and require re-auth for sensitive actions.
3) Cloud-Synced vs Offline (Why This Choice Matters)

Many popular managers sync vaults through the vendor's cloud. That's convenient, but it introduces a distinct risk: an attacker who steals an encrypted vault backup can attempt offline cracking over time. Your defenses against that are strong key derivation, a long master passphrase, and (ideally) an additional secret.

Topic | Cloud-synced password manager | KeePassXC (offline database)
Convenience | Easy multi-device sync | Manual sync or your own sync method
Breach exposure | Vendor compromise can expose encrypted vault copies + metadata | No vendor cloud to breach; risk shifts to your device/storage
Offline cracking risk | Higher if encrypted backups are stolen (depends on KDF + your master passphrase) | Primarily if your KeePassXC database file is stolen
Attack surface | Web app + APIs + extensions + recovery systems | Local app + your OS + optional plugins
Best for | Most users who prioritize ease and cross-device use | Users who prefer local control and can manage backups safely
Additional Known Issues With Password Managers
1) Server-side access in cloud managers despite "zero-knowledge" claims

Research shows that most popular cloud password managers may not always match the practical meaning of "the provider cannot see your vault".

  • Recovery, sharing, or organizational features can create paths to vault access if server control is compromised.
  • Some attack paths can weaken the effective protection of encrypted vault data.
  • Risk is higher if users rely heavily on cloud sync plus recovery convenience features.
2) Plaintext password leakage in host memory (RAM)

A study reviewed major password managers for memory handling behavior while running.

  • Some products still left sensitive plaintext artifacts in memory due to implementation leaks or framework behavior.
  • Residual memory content can include master passwords, key material, or recently used credentials.
Overall takeaway: password managers are still usually better than weak reused passwords or paper lists, but convenience features can add attack surface. Favor a strong unique master passphrase, robust MFA, minimal recovery/sharing exposure, and a trusted endpoint. For current details, verify primary sources on schneier.com.
4) When KeePassXC Might Be a Better Alternative

KeePassXC is a local password database stored as a file (often .kdbx). Because it does not require a vendor cloud, it can reduce exposure to certain third-party breach scenarios. However, it transfers more responsibility to you.

Situations where KeePassXC can make sense
  • High concern about vendor-cloud breaches or centralized targets.
  • Low number of devices (e.g., one main computer) or willingness to sync manually.
  • Comfort managing backups (encrypted storage, safe copies, and routine testing).
Tradeoffs to understand
  • If your device is compromised (malware/remote access), KeePassXC does not automatically protect you.
  • You must handle backups. If you lose the database file and have no backup, recovery may be impossible.
Simple rule: KeePassXC reduces vendor-breach risk, but increases personal-operations risk (backup management, device security, safe syncing).
5) KeePassXC Safety Checklist (Practical Defaults)
A. Database protection
  • Use a strong master passphrase (long, unique).
  • Consider a key file stored separately (e.g., a USB drive). Don't keep it next to the database.
  • Use modern KDF settings (the default is usually reasonable; stronger settings may increase unlock time).
B. Backups
  • Keep at least two encrypted backups in different locations (e.g., encrypted external drive + encrypted cloud storage).
  • Test restore occasionally (a backup that can't be restored is not a backup).
C. Syncing (if you need it)
  • If you sync via a cloud drive, remember: the cloud provider can still be breached. The database should remain encrypted.
  • Prefer syncing the database file through a reputable provider and keep your account protected with MFA.
D. Usage hygiene
  • Keep clipboard timeout short.
  • Lock KeePassXC when away.
6) A Balanced Recommendation
  • If you want easy multi-device access and minimal maintenance, a reputable cloud-synced password manager plus a long master passphrase and strong MFA is usually the best practical option.
  • If you prefer local control and are comfortable managing backups and device security, KeePassXC can be a strong alternative.
7) Major Established Password Managers

The following are widely known, established options. This is not an endorsement; evaluate current security history, features, and fit for your threat model before choosing.

  • 1Password (cloud-synced, consumer and business plans)
  • Bitwarden (open-source core, cloud or self-hosted options)
  • Dashlane (cloud-synced, consumer/business focus)
  • KeePassXC (offline-first/local database approach)
  • Keeper (cloud-synced, strong enterprise presence)
  • NordPass (cloud-synced, consumer/business offerings)
  • LastPass (long-established cloud manager; review current risk profile carefully)

Hardened Laptop Vendors

Information as of mid 2025. We have no affiliation with any of these vendors - and have not tested any of these products.

Use these at your own risk.

These vendors offer laptops built for demanding threat models, such as crypto-wallet cold storage.

Common features include:

  • Coreboot or PureBoot
  • Intel-ME disabled
  • Anti-Evil-Maid / measured-boot support
  • Qubes-certified devices (where noted)
  • Options for tamper-proof delivery

Insurgo / PrivacyBeast X230
PrivacyBeast X230
  • Refurbished ThinkPad X230 with coreboot + Heads
  • Intel-ME deactivated (neutered at SPI level)
  • Qubes OS Release 4 certification (Level-1 hardware)
  • Tamper-evident shipping, “re-ownership wizard”, Librem or Nitrokey key seal
  • Media removal options (Wi-Fi, webcam, mic)

Insurgo was the first Qubes-certified X230 vendor and exceeds the certification baseline.

Nitrokey / NitroPad X230 & T430
NitroPad X230 & T430
  • Coreboot + Heads preinstalled; tamper-resistant boot using Anti-Evil Maid
  • Intel-ME deactivated by default in commissioning
  • Crucial: USB Nitrokey provided; user keys provable offline via Heads
  • Qubes Certified for Release-4 models
  • Packaging & shipping designed to detect supply-chain tampering

Among the only two certified Qubes laptops; Nitrokey also supports more modern chassis (T430).

NovaCustom / Clevo-based Series (V54/V56/NS51/NV41)
Dasharo/Coreboot Laptops
  • Clevo chassis with coreboot + optional Heads
  • Intel-ME disabling (HAP-bit) manually or factory option
  • Qubes-friendly; community reports NV41 with Qubes-compatible flash stack
  • Anti-tamper services: glitter-coated screws, tamper-resistant tape
  • Extensive cleaning options: remove Wi-Fi / webcam; offer air-gap builds

Pioneered Intel-ME disable support among small ODMs and implemented bespoke anti-interdiction packaging.

Purism / Librem 14 (and 13/15)
Librem 14 / 13 / 15 with PureBoot
  • Ship with coreboot + PureBoot firmware (Heads fork)
  • Intel-ME disabled via HAP bit, not just cleaned
  • Write-protect DIP switch, kill-switches for mic & camera ribbon
  • Anti-interdiction available, including factory-sealed & screw-logging
  • Official support for Qubes OS; installer offered on purchase page

Purism combines hardware kill-switches with cryptographically verifiable boot and anti-Evil-Maid keys.

Star Labs / StarBook (Mk-VI/VII)
StarBook (Mk-VI/VII)
  • Coreboot + EDK-II open-source firmware
  • Intel-ME disabled via HAP-bit on stock StarBook coreboot firmware
  • Official Qubes OS Certification (Release-4)
  • Only laptop certified with out-of-the-box qubes-fwupdmgr support
  • Optional Qubes pre-installation available from factory

StarBook is modern, lightweight (≈1 kg), and built with secure firmware updates in mind.

System76 / Open Firmware-enabled Laptops
Pangolin, Darter Pro, etc.
  • Coreboot open firmware across many lines since ≈2017
  • Intel-ME deactivated via HAP bit on 12th-13th Gen Intel (e.g. Raptor Lake)
  • Ships its own Linux distribution (Pop!_OS) as the primary supported OS
  • Firmware updates verifiable via fwupdmgr and vapour-build; coreboot source available
  • No formal Qubes certification yet; works with some caution

System76's policy to disable ME makes them a strong contender for advanced users.

Darkveil / Fully Anonymous Laptop Service
Turnkey Qubes Laptop (Service)
  • Anonymous purchase, delivery with no identity linkage
  • Factory-installed Qubes OS with disk encryption and hardened BIOS
  • Firmware pre-flashed and checked via Heads or similar stack
  • Includes one-on-one operational security onboarding session
  • Pricing and shipping engineered for whistleblower / high-risk cases

Ideal for operators who cannot buy traceably from vendors and require resistance to supply-chain tampering.

What Are Hardware Wallets?

A crypto hardware wallet is a small, dedicated device designed to securely store cryptocurrency private keys offline. Unlike software wallets or apps, a hardware wallet isolates keys from internet-connected systems. Examples include Ledger, Trezor, and Coldcard.

How They Are Used
  • Setup: Initialize device, generate a 12-24 word recovery seed, set PIN.
  • Transactions: Host builds transaction, wallet signs internally, key never leaves device.
  • Recovery: Restore funds using seed on a compatible wallet if device is lost/damaged.

Hardware Wallet Pros / Cons

Pros
  • Strong isolation: keys stay offline.
  • Simplicity: single-purpose workflow reduces mistakes.
  • Portability: easy to carry.
  • Malware resilience: compromised host usually does not expose private keys.
Cons
  • Not foolproof: attacks and misuse still occur.
  • Single-purpose: limited for broader security tasks.
  • Supply-chain risk: tampering risk from untrusted sellers.
  • Physical loss risk: device can be misplaced.
  • Seed handling burden: security depends on safe PIN/seed practices.

Hardened Laptops as an Alternative

A hardened laptop is a system configured with strict controls (full-disk encryption, hardened OS, disabled unnecessary services, strict networking). It can be dedicated to crypto workflows, KeePassXC, and offline operations.

Pros
  • Versatility: supports multiple security tools/workflows.
  • Air-gap capable: can approximate hardware-wallet isolation when kept offline.
  • Larger physical footprint: typically harder to lose.
  • Multi-asset protection: keys, docs, certs, and related secrets.
Cons
  • Higher attack surface: more software and complexity.
  • Operational discipline required: misconfigurations can break security.
  • Lower convenience: bulkier than hardware wallets.
  • Higher cost: much more expensive than dedicated wallet devices.
Conclusion: Hardware wallets are practical for most users. Hardened laptops can provide stronger defense-in-depth for high-value, multi-purpose setups, but require more expertise and stricter operating discipline.

A properly built shielded enclosure (SE) / Faraday cage is a great physical layer control when you're using a hardened laptop for signing or accessing high-value crypto.

A shielded enclosure is probably not needed if you can keep people about 80 meters away from your PC or laptop. Even at 20 meters, you are generally pretty safe. However, highly professional entities (governments) have the ability to eavesdrop from much farther away, so if you are a high-value target, an SE is a good idea.

Why use a shielded enclosure with a hardened laptop or PC

  • Blocks RF eavesdropping & injection. Prevents attackers from capturing electromagnetic emissions from the laptop or from injecting radio-frequency commands or attacks (e.g., remote keyloggers, malicious implants using RF).
  • Reduces malware/remote access risk during air-gapped operations. Even if the laptop is otherwise exposed, the SE helps keep wireless/over-the-air attack vectors closed while you sign or access keys.
  • Prevents unintended beaconing. Stops the device from broadcasting or receiving Bluetooth/Wi-Fi/GNSS/NFC signals while sensitive operations occur.

High-level construction pointers

  1. Rigid conductive shell. Use continuous conductive material: copper sheet or heavy gauge aluminium, or an electrically conductive mesh with very small openings. For portable SEs conductive fabric (silver/copper cloth) over a frame also works for many purposes.
  2. Seam integrity. All seams must be electrically continuous: overlapping seams, conductive tape, or conductive gasketing. Gaps are where RF leaks. Use EMI/RFI shielding tape or compression gaskets at doors/hinges.
  3. Door/access. A hinged door or removable panel for inserting/removing the laptop. The door must compress a conductive gasket for full perimeter contact.
  4. Optical interface. Use optical fibre feedthrough. This forces air-gapped communication and maintains RF isolation.
  5. Power considerations. Battery operation (no external power connections crossing the shield) is safest. If external power is needed, use proper power line filters.

Grounding

Proper grounding is crucial for RF effectiveness.
  • Single-point ground. Connect the SE to building/mains ground at ONE point only to avoid ground loops that can create RF ingress paths.
  • Low impedance path. Use heavy gauge wire or copper braiding for the ground connection. Minimize length and inductance.
  • Test continuity. A proper building ground rod will probably need to be installed. It must be tested with a megger to meet proper specs for a shielded enclosure.
Bottom line: A properly constructed shielded enclosure adds significant electromagnetic isolation to hardened laptop operations. The key is continuous conductivity, proper grounding, and maintaining seam integrity.

Modern Estate Planning Challenges

Traditional estate planning was built for a physical world: deeds, paper statements, filing cabinets, and safety-deposit boxes. In that system, an executor could follow a paper trail.

What Changed

A large part of life now exists only online. Financial accounts, business operations, and records are often accessed by website login, email account, and device authentication.

In practice, access is no longer mostly about legal authority. It is often about one thing: credentials.

Legal Authority vs. Technical Access

A will can give an executor legal authority over property, but it does not automatically grant access to online services. Most platforms are governed by terms of service between the company and account holder, and those agreements may prohibit anyone else from logging in.

So a house, vehicle, or traditional bank account may transfer cleanly while key digital records remain inaccessible.

Security Works, But Creates Friction

Two-factor authentication, encrypted storage, and device-based logins are designed to block unauthorized access. They do this very well.

But these systems do not distinguish between a hacker and a grieving spouse without credentials. To the system, both appear unauthorized.

Why Attorneys Face a New Gap

Attorneys can prepare legal documents correctly, yet still cannot guarantee practical access to the information those documents reference.

Password lists often become outdated, insecure, or lost. Instructions in wills can introduce privacy and security concerns.

The core issue: Estate law was designed to transfer ownership, while digital systems are designed to restrict access. Those goals now collide.

This is why Safeinity.com exists. It does not replace traditional estate planning. It addresses a newer asset class: accounts and information that exist only behind authentication systems.

KeePassXC Security Best Practices

Securely handling credentials from KeePassXC requires strict workflow discipline.

Use the steps below to minimize clipboard and memory exposure when working with sensitive keys.

1) Use KeePassXC Copy Actions (Not Manual Copy)

Never manually highlight and copy sensitive fields.

  • Do not highlight text and press Ctrl+C manually.
  • Do not paste keys from notes or temporary files.
  • Do not leave key material visible on screen longer than needed.

Use built-in copy actions so KeePassXC clipboard protections are applied.

2) Enable Clipboard Auto-Clear

Configure clipboard clearing in the KeePassXC application settings:

  • Set clear clipboard after 10 seconds (recommended).
  • Use 5-10 seconds for crypto workflows.
  • Use 2 seconds for extreme security workflows.

Clipboard persistence is one of the highest-risk key exposure vectors.

3) Use Field References or Auto-Type for Higher Security

For sensitive workflows, avoid clipboard use when possible.

  • Use field references such as {REF:...}.
  • Use Auto-Type where supported.
  • Prefer direct injection over plaintext copy/paste.

Useful for SecureForm, MEK entry, wallet tooling, SSH keys, and encryption passphrases.

4) Enable Database Locking

Configure database locking in the KeePassXC application settings:

  • Lock the database after inactivity.
  • Lock on minimize and on workstation lock.

These controls reduce RAM scraping and memory-dump exposure risk.

5) Minimize Clipboard Exposure

Use auto-type or browser integration when appropriate so secrets spend less time on the clipboard.

Both are configured in the KeePassXC application settings for auto-type and browser integration.

This reduces exposure to clipboard logging, screen scraping, and accidental pasting.

6) Avoid Clipboard Managers

Do not use clipboard tools or history features when handling secrets.

  • Disable Windows clipboard history.
  • Avoid third-party clipboard managers.
  • Avoid browser extensions that capture autofill/clipboard data.
7) Clear Residual Exposure After Key Operations

After high-risk operations, perform cleanup steps:

  • Close and lock the KeePassXC database.
  • Reboot the system.
  • Optionally clear swap/pagefile in extreme scenarios.
8) Advanced High-Security Workflow

For maximum isolation, use hardened operational environments:

  • Run KeePassXC from a Linux live environment.
  • No disk persistence, no swap, no network.
  • Hardware RNG and controlled physical environment.

This pattern is used in high-assurance custody and sensitive operations.

Key Concept: The goal is not to make clipboard usage "safe". The goal is to minimize exposure time, avoid plaintext persistence, limit screen rendering, and reduce memory reuse risk.