How to Secure Your Documents
Back

There is a lot of information here, but Safeinity strongly recommends you read and understand all of these options if you are protecting highly valuable assets.

Safeinity is designed to be secure, but the security of your documents also depends on your own computer and network security. The more valuable your documents, the more important it is that you take strong security measures.

Never fully trust any online service, no matter how secure it is.

These are suggestions only. Safeinity is not responsible for the use or misuse of this information.
General Security Measures for All Users
  • Basic Computer Security:
    1. Enable two-factor authentication (2FA) for Safeinity.
    2. Keep your software and operating system up to date.
    3. Use a standard user account, not an administrator account, for daily activities.
    4. Run a comprehensive security scan.
      On Windows:

      Use Windows Security (Defender) or tools like Malwarebytes, Kaspersky, Bitdefender.

      • Open Start > Settings > Privacy & Security > Windows Security
      • Click on Virus & threat protection
      • Select Full scan, or even better, Offline scan
      • Consider scanning with a second opinion tool like Malwarebytes
      On macOS:

      Use tools like Malwarebytes for Mac, Bitdefender for Mac, or CleanMyMac (with malware scan enabled).

      • Download one of the above apps from a trusted source
      • Install and run a full scan
      Why This Matters - Malware Risks:
      • Keyloggers: Record everything you type, including passwords and private keys
      • Clipboard hijackers: Watch for and replace copied wallet addresses or sensitive data
      • Remote access trojans (RATs): Allow attackers to view your screen or files remotely
  • Additional Computer Security:
    1. Apply OS/firmware updates
    2. Before using Safeinity, boot with BIOS/UEFI password protection.
    3. While using Safeinity, disable unused services such as Bluetooth, file sharing, remote desktop etc.
  • Network Security:
    1. Upload only on trusted networks.
    2. Is your router secure?
    3. Use VPN.
    4. Avoid public Wi-Fi.
  • Secure Key and Password Storage:
    Never Store Private Keys Digitally in Plaintext

    Most digital storage (like a .txt or .doc file) is vulnerable to malware, cloud sync hacks, and accidental sharing.

    How to Store Private Keys Physically:
    • Good: Write it down by hand on acid-free paper using a permanent pen
    • Better: Stamp it by hand into metal plates
    • Make two copies and store in different - secure - physical locations
    • Avoid:
      • Taking photos or screenshots
      • Printing from a Wi-Fi-enabled printer
    If You Must Store Digitally:

    Use Keepass

    • KeePass (keepass.info) - Open source, offline
    Website Safety:

    Never enter private keys on unknown or untrusted websites. Check:

    • Is the site HTTPS encrypted?
    • Is the domain exactly correct? (Beware phishing lookalikes)
    • Do you trust the site's developers?
    • Consider using read-only wallets (watch-only) for tracking instead of exposing your key
Very Strong Measures for High Value Documents and Crypto Wallet Keys
  1. Use a hardened laptop dedicated to security tasks only - or a hardware wallet.
  2. Put highly sensitive documents and keys in KeePass.
  3. Upload the KeePass database to Safeinity.
  4. You can use sharded keys or some other secure method to safely share your KeePass keys with your beneficiaries. However, since the KeePass database is secure in Safeinity, and will not be shared until your heartbeat triggers, you can use less secure methods to share the KeePass key.
  5. For crypto keys, use physical cold-storage as a backup to KeePass and Safeinity.

Security-Hardened Laptop Vendors

Information as of mid 2025. We have no affiliation with any of these vendors - and have not tested any of these products.

Use these at your own risk.

These vendors offer laptops built for threat-model use like crypto-wallet cold storage.

Common features include: Coreboot or PureBoot, Intel-ME disabled, anti-Evil-Maid / measured-boot support, Qubes-certified devices (where noted), and options for tamper-proof delivery.

Insurgo / PrivacyBeast X230
PrivacyBeast X230
  • ThinkPad-X230 refurbished with → coreboot + Heads
  • Intel-ME deactivated (neutered at SPI level)
  • Qubes OS-Release-4 certification (Level-1 hardware)
  • Tamper-evident shipping, “re-ownership wizard”, Librem or Nitrokey key seal
  • Media removal options (Wi-Fi, webcam, mic)

Insurgo was the first Qubes-certified X230 vendor and exceeds the certification baseline.

Nitrokey / NitroPad X230 & T430
NitroPad X230 & T430
  • Coreboot + Heads preinstalled; tamper-resistant boot using Anti-Evil Maid
  • Intel-ME deactivated by default in commissioning
  • Cru**cial:** USB Nitrokey provided; user keys provable offline via Heads
  • Qubes Certified for Release-4 models
  • Packaging & shipping designed to detect supply-chain tampering

Among the only two certified Qubes laptops; Nitrokey also supports more modern chassis (T430).

NovaCustom / Clevo-based Series (V54/V56/NS51/NV41)
Dasharo/Coreboot Laptops
  • Clevo chassis with coreboot + optional Heads
  • Intel-ME disabling (HAP-bit) manually or factory option
  • Qubes-friendly; community reports NV41 with Qubes-compatible flash stack
  • Anti-tamper services: glitter-coated screws, tamper-resistant tape
  • Extensive cleaning options: remove Wi-Fi / webcam; offer air-gap builds

Pioneered Intel-ME disable support among small ODMs and implemented bespoke anti-interdiction packaging.

Purism / Librem 14 (and 13/15)
Librem-14-/-13 /-15 with PureBoot
  • Ship with coreboot + PureBoot firmware (Heads fork)
  • Intel-ME disabled via HAP bit, not just cleaned
  • Write-protect DIP switch, kill-swishes for mic & camera ribbon
  • Anti-interdiction available, including factory-sealed & screw-logging
  • Official support for Qubes OS; installer offered on purchase page

Purism combines hardware kill-switches with cryptographically verifiable boot and anti-Evil-Maid keys.

Star Labs / StarBook (Mk-VI/VII)
StarBook (Mk-VI/VII)
  • Coreboot + EDK-II open-source firmware
  • Intel-ME disabled via HAP-bit on stock StarBook coreboot firmware
  • Official Qubes OS Certification (Release-4)
  • Only laptop certified with out-of-the-box qubes-fwupdmgr support
  • Optional Qubes pre-installation available from factory

StarBook is modern, lightweight (≈1-kg), and built with secure firmware updates in mind.

System76 / Open Firmware-enabled Laptops
Pangolin, Darter Pro, etc.
  • Coreboot open firmware across many lines since ≈2017
  • Intel-ME deactivated via HAP bit on 12th-13th Gen Intel (e.g. Raptor Lake)
  • Distributing Linux Stack (Pop!_OS) as the primary supported OS
  • Firmware updates verifiable via fwupdmgr and vapour-build; coreboot source available
  • No formal Qubes certification yet; works with some caution

System76's policy to disable ME makes them a strong contender for advanced users.

Darkveil / Fully Anonymous Laptop Service
Turnkey Qubes Laptop (Service)
  • Anonymous purchase, delivery with no identity linkage
  • Factory-installed Qubes OS with disk encryption and hardened BIOS
  • Firmwares pre-flashed and checked via Heads or similar stack
  • Includes one-on-one operational security onboarding session
  • Pricing and shipping engineered for whistleblower / high-risk cases

Ideal for operators who cannot buy traceably from vendors & require supply-chain injury resistance.

KeePass

What is KeePass?

KeePass Secure Password Management is a way for you to encrypt all of you data in a single file which you alone hold the key to.

This prevents brute force attacks on your data - and prevents any access even by us.

We strongly recommend you store your data in KeePass before uploading to Safeinity. We have no affiliation with KeePass.

KeePass is a free, open-source account and document manager designed to securely store and manage passwords, usernames, notes, full documents and other sensitive information in a single encrypted database file.

Developed by Dominik Reichl and maintained by a community of contributors since 2003, it is licensed under the GNU General Public License (GPL), meaning its source code is publicly available for review, modification, and auditing. This transparency fosters trust and allows security experts worldwide to ensure its robustness.

KeePass has never suffered a major breach or been defeated. Its core encryption remains uncracked in real-world scenarios.

Features
  • Encrypted Database: Stores all data in a .kdbx file encrypted with AES-256 (or optionally Twofish or ChaCha20), considered unbreakable with current technology when paired with a strong master password.
  • Password Generator: Creates complex, random passwords with customizable options (length, character sets, excluding similar characters) to promote unique, secure passwords for each account.
  • Cross-Platform Compatibility: Runs natively on Windows, with ports like KeePassXC and KeePassDX for macOS, Linux, Android, and iOS, ensuring seamless access across devices.
  • Auto-Type Functionality: Simulates keystrokes to securely enter credentials into login forms, reducing risks from keyloggers or clipboard snooping, with customizable window title matching.
  • Plugins and Extensibility: Supports a wide range of community-developed plugins, such as browser extensions (e.g., KeePassHTTP or KeePassXC browser integration), two-factor authentication, and import/export tools.
  • Portable Mode: Runs directly from a USB drive without installation, ideal for secure use on shared or temporary systems.
  • Customizable Organization: Allows grouping entries into folders, tagging, and adding custom fields, attachments, or expiration dates for passwords.
  • Additional Security Layers: Supports key files, time-based one-time passwords (TOTP) for 2FA, and secure entry sharing via protected exports.

How to Download

Always download KeePass from official sources to ensure security and avoid tampered versions:

  1. Visit the official website at keepass.info, maintained by the developer and community.
  2. Select the appropriate version: KeePass 2.x is recommended for most users due to its advanced features, while KeePass 1.x is for older systems. Check the "Downloads" section for the latest stable release.
  3. Choose between the installer (for system integration) or portable ZIP archive (for USB use).
  4. Verify the download's integrity using SHA-256 hashes provided on the site with tools like Windows' certutil.
  5. For non-Windows platforms, download forks like KeePassXC from keepassxc.org or mobile apps like KeePassDX via F-Droid or Google Play.
  6. After downloading, scan the file with antivirus software and verify the hash to ensure authenticity. Avoid third-party download sites to prevent bundled malware.

The open-source community regularly updates KeePass

How to Use

Setting up and using KeePass is straightforward but requires careful configuration to maximize security:

  1. Install and Create a Database: Install KeePass or extract the portable version. Launch the app and select "File > New" to create a database.
  2. Set Up the Master Password: Create a strong master passphrase (12-16+ characters, mixed types). Optionally, add a key file (generated via KeePass and stored separately, e.g., on a USB) for dual-factor security. KeePass uses key derivation like PBKDF2 or Argon2 to resist dictionary attacks.
  3. Add and Organize Entries: Use "Entry > Add Entry" to input details like title, username, password, URL, and notes. Organize entries in groups (e.g., "Banking," "Email") via "Group > Add Group." Attach files or set custom auto-type sequences.
  4. Access and Auto-Fill Credentials: Search entries in the database. Double-click to copy details (Ctrl+C for password, Ctrl+U for username) or use Ctrl+Alt+A for auto-type to securely fill login forms. Enable clipboard auto-clear for added security.
  5. Data: When complete, upload the .kdbx file to Safeinity.
  6. You can create beneficiary specific KeePass databases: Make separate databases for each beneficiary to limit access. Shard the KeePass master password and pass the partial keys out to two or more beneficiaries. At any time (such as on your death or incapacitation), the beneficiaries can combine their keys to open the KeePass database.

Crypto Hardware Wallets vs. Hardened Laptops

What Are Hardware Wallets?

A crypto hardware wallet is a small, dedicated device designed to securely store cryptocurrency private keys offline. Unlike software wallets or apps, a hardware wallet isolates the keys from your computer and the internet, reducing the attack surface. Popular examples include Ledger, Trezor, and Coldcard.

How They Are Used

  • Setup: The user initializes the device, generates a recovery seed (usually 12 to 24 words), and optionally sets a PIN.
  • Transactions: To send crypto, the wallet must be connected to a computer or phone. The transaction is built on the host device, but the private key never leaves the wallet—only a signed transaction is returned.
  • Backup & Recovery: If the device is lost or destroyed, funds can be restored with the recovery seed on another compatible wallet.

Pros of Hardware Wallets

  • Strong Isolation: Keys remain offline and never touch an internet-connected system.
  • Simplicity: Purpose-built for a narrow function—reduces complexity and user error.
  • Portability: Small, lightweight, and easy to carry securely.
  • Resilience Against Malware: Even if the host computer is compromised, the private keys are not exposed.

Cons of Hardware Wallets

  • Compromise: They are not foolproof. They have been successfully attacked.
  • Single Purpose: Only stores crypto keys—cannot run broader security tasks.
  • Supply Chain Risk: If purchased from an untrusted vendor, could be tampered with.
  • Physical Loss: Small devices are easy to misplace, though recovery seeds mitigate this.
  • Limited Security Layers: Protection depends heavily on the PIN and user's safe handling of recovery seeds.

Hardened Laptops as an Alternative

A hardened laptop is a standard laptop configured with strict security hardening—full-disk encryption, OS hardening, no unnecessary services, and strict network controls. It can be dedicated to crypto management, password storage (e.g., KeePass), or even air-gapped.

Pros of Hardened Laptops

  • Versatility: Can run multiple security tools, including password managers, encrypted file storage, and custom scripts.
  • Air-Gap Capable: When kept offline, can approximate a hardware wallet’s isolation.
  • Better Physical Durability: Larger and harder to lose than a small hardware wallet.
  • Multi-Asset Security: Can protect not just crypto keys, but also sensitive documents, encryption keys, and digital certificates.

Cons of Hardened Laptops

  • Higher Attack Surface: More complex OS and software = more potential vulnerabilities.
  • User Discipline Required: Misconfigurations or connecting to the internet can undermine security.
  • Less Convenient: Bulkier to carry compared to a small hardware wallet.
  • Cost: Far more expensive than a dedicated hardware wallet.

Conclusion

For everyday crypto users, a hardware wallet is the most practical balance of security and convenience. For high-value or multi-purpose security setups, a hardened laptop offers flexibility and stronger defense-in-depth—especially when used offline—but requires more expertise and careful discipline.

Physical Cold-Storage: 4 Safety-Deposit Boxes + Steel-Stamped Seed

Goal: Ensure no single location or person holds the full seed/private key while maintaining durable, tamper-resistant backups.

Quick Steps

  1. Open 4 safety-deposit boxes at different banks (banks - not branches), ideally in different jurisdictions or geographic areas.
  2. Two can be in one location, and the other two in a second city / location.
  3. Prepare steel plates (corrosion-resistant stainless steel or dedicated crypto plates designed for mnemonic/seed stamping).
  4. Stamp your seed keys (mnemonic or private key fingerprint) into the steel plates using plate-stamping tools.
  5. Divide your key(s) in half. Put half the seed keys on one plate and the other half on the second plate. (Copy A and Copy B).
  6. Do this again. You now have two copies of your keys - with half of each key on its own plate.
  7. Test recovery: In a secure environment, reassemble plates from copies (use non-production keys first, i.e., a test wallet) to confirm you can reconstruct the seed and access funds. Do this before relying on the system.
  8. Distribute halves across the 4 boxes so no single box contains a full copy of the seed. Example distribution:
    • Box 1: A first half
    • Box 2: A second half
    • Box 3: B first half
    • Box 4: B second half

    (This ensures two separate copies are split and each box only contains a partial piece.)

  9. Place one key set in one geograpic area and the other key set in a separate area.
  10. Document the scheme in Safeinity. Record which bank and box number holds which piece.

Practical Hardening Details & Best Practices

  • No digital photos / no cloud copies: Never photograph or scan stamped plates.
  • Never put your keys in any digital format other than KeePass, or on your hardened laptop or a hardware wallet.
  • Avoid writing the full seed in the same location as passphrase: If you use a BIP-39 passphrase, store it separately (different box or trusted holder) - never co-locate.
  • Legal & access planning: Ensure the right people (or executor) can lawfully access boxes when needed; This is What Safeinity and your will is for.
  • Chain of custody: Keep records of who had access during stamping and transport. Use a trusted courier or do it yourself; do not mail plates.
  • Periodically verify (every 1-3 years): Banks change policies; check boxes and confirm plates intact.
  • Keep plate materials durable: Choose stainless steel or dedicated crypto metal (e.g., Cryptosteel, Billfodl) rated for corrosion, fire, and time.

Safer / More Complex Alternative

Use Safeinity's key sharding and a threshold scheme (e.g., 2-of-3, 3-of-5) to divide the key into shares. Store shares in separate deposit boxes or with trusted custodians. Advantages: flexible quorum, better resilience, and no brittle physical-halving mistakes.

Note: many people are irresponsible with keys. Some of the people you give shards to will probably lose them. Make sure they understand the importance of their shard, and make the threshold low enough to ensure your key can be reconstructed (e.g., 5-of-10). Describe how to use the shards and about Safeinity in your will.

For extremely large holdings, consider building a shielded enclosure / Faraday cage and only accessing your hardened laptop and Safeinity from within it. This protects against electronic theft.

Warnings / Gotchas

  • If you split badly, you can permanently lose funds. Plan, test, and document recovery precisely.
  • Banks will refuse access without the right paperwork. Plan legal access (will, executor). Obviously do not put the seed/passphrase in the will.
  • Physical theft vs. coercion: A safety deposit box has few physical attack vectors, but is subject to coercion attacks.
  • Safeinity is working on a new service to mitigate coercion risk. This will include your required physical presence and retired FBI agents. It will not be cheap.
Shielded Enclosure / Faraday Cage Guide

A properly built shielded enclosure (SE) / Faraday cage is a great physical layer control when you're using a hardened laptop for signing or accessing high-value crypto. Below is a brief overview: why you'd use one and pointers for building.

Why use a shielded enclosure with a hardened laptop

  • Blocks RF eavesdropping & injection. Prevents attackers from capturing electromagnetic emissions (side-channel leaks) from the laptop or from injecting radio-frequency commands or attacks (e.g., remote keyloggers, malicious implants using RF).
  • Reduces malware/remote access risk during air-gapped operations. Even if the laptop is otherwise exposed, the SE helps keep wireless/over-the-air attack vectors closed while you sign or access keys.
  • Prevents unintended beaconing. Stops the device from broadcasting or receiving Bluetooth/Wi-Fi/GNSS/NFC signals while sensitive operations occur.
  • Mitigates physical attacks that rely on electromagnetic leakage (TEMPEST-style or close-range sniffing).
  • Creates a controlled audit surface. You can control what crosses the boundary (optical feedthroughs, battery power, etc.) and verify that only approved channels are used during sensitive operations.

High-level construction pointers

  1. Rigid conductive shell. Use continuous conductive material: copper sheet or heavy gauge aluminium, or an electrically conductive mesh with very small openings. For portable SEs conductive fabric (silver/copper cloth) over a frame also works for many purposes.
  2. Seam integrity. All seams must be electrically continuous: overlapping seams, conductive tape, or conductive gasketing. Gaps are where RF leaks. Use EMI/RFI shielding tape or compression gaskets at doors/hinges.
  3. Door/access. A hinged door or removable panel for inserting/removing the laptop. The door must compress a conductive gasket for full perimeter contact. Some enclosures use clamps or bolts to ensure tight contact.
  4. Optical interface. Use optical fibre feedthrough. This forces air-gapped communication and maintains RF isolation.
  5. Power considerations. Battery operation (no external power connections crossing the shield) is safest. If external power is needed, use proper power line filters and/or optical power coupling to prevent RF ingress through the power path.

Optical interface: supporting air-gapped operations

An optical interface can preserve the security advantages of an SE while still allowing limited, auditable communication:

  • QR code scanning. Laptop displays QR codes on screen; external camera captures them through optical window. This lets you export signatures/transactions without RF.
  • Display monitoring. External cameras can record what's on screen for audit, process validation, or remote monitoring without RF communication.
  • Fibre optic feedthrough. If you need data transfer, optical fibres can pass through metal shields without creating RF apertures. Use specialized feedthrough connectors.
  • Light-based commands. External operators can signal to the laptop via pulsed light or laser signals through the optical window.
Implementation note: Ensure optical windows don't compromise electromagnetic shielding. Use conductive transparent materials or design windows small enough to maintain attenuation.

Grounding

Proper grounding is crucial for RF effectiveness.
  • Single-point ground. Connect the SE to building/mains ground at ONE point only to avoid ground loops that can create RF ingress paths.
  • Low impedance path. Use heavy gauge wire or copper braiding for the ground connection. Minimize length and inductance.
  • Test continuity. A proper building ground rod will probably need to be installed. It must be tested with a megger to meet proper specs for a shielded enclosure.

Operational best practices

  • Battery management. Keep laptop battery charged. Plan operations to avoid needing external power during sensitive work.
  • Physical security. Control access to the SE. Consider tamper-evident seals when not in use.
  • Effectiveness testing. Periodically test RF isolation using a spectrum analyzer, RF detector, or (less desirable) simple tests like trying to receive cell/WiFi signals inside.
Bottom line: A properly constructed shielded enclosure adds significant electromagnetic isolation to hardened laptop operations. The key is continuous conductivity, proper grounding, and maintaining seam integrity. Many commercial and DIY options exist - choose based on your portability, budget, and shielding effectiveness requirements. Most commercial vendors can provide shielding effectiveness data and proper assembly/grounding documentation.
NOT AUTHORIZED
Contact Shane or Rodney.