Your Files. Your Keys. Your Privacy.

Killswitch uses zero-knowledge encryption, the same technology trusted by password managers like 1Password and Bitwarden. We literally cannot read your files, even if we wanted to.

We can't read your files. By design.

How We Keep Your Files Safe

Your Password

Unlocks Master Key

(in your browser)

Decrypts Your Files

Password Never Leaves Your Device

We never see it, store it, or transmit it. Your password stays on your device.

Master Key is Wrapped

Your master key is encrypted with your password. We store only the encrypted version.

Lightning-Fast Password Changes

Change your password in milliseconds. No file re-encryption needed, same as 1Password.

Encrypted Before It Leaves Your Browser

Your File

Readable

AES-256-GCM

Encrypted Blob

Random data

Our Servers

Can't decrypt

Files encrypted in your browser before upload

We only ever receive encrypted data

Even if our servers are hacked, files remain encrypted

Same encryption used by banks and governments (AES-256-GCM)

Share Securely, Stay Private

When you share a file, we use a clever system that lets recipients access your files without us ever knowing the decryption key.

1

You share a file - A unique secure token is generated in your browser

2

Token encrypts the file key - We only store a hash (fingerprint), never the actual token

3

Recipient gets a link - The token is in the URL, which we never see

Recipient gets a unique secure link

Token is in the URL, never stored on our servers

You can revoke access anytime

Files stay encrypted throughout the process

Your Digital Legacy, Protected

Deadman switches automatically transfer your files to beneficiaries if you stop checking in. Here's how we maintain security while enabling this automation.

How Deadman Switch Encryption Works

1

You Create a Switch

For each beneficiary-file combination, a unique access key is generated in your browser

2

Keys Are Encrypted and Stored

Access keys are encrypted with our server key (AES-256-GCM) before storage - protected even from database access

3

You Check In Regularly

As long as you check in, nothing happens. Your files stay encrypted and private.

4

Miss Your Check-In? Switch Triggers

Access keys are decrypted (server-side) and unique links sent to each beneficiary

Files stay encrypted - We never have your file encryption keys

Per-beneficiary keys - Each person gets their own unique access link

Keys encrypted at rest - Protected by server-side encryption

Test before you trust - Verify everything works with test mode

The Necessary Trade-off

For automated inheritance to work when you're unavailable, we must store encrypted access keys on our servers. This is the same approach used by 1Password (Emergency Access), Bitwarden (Emergency Contact), and LastPass (Emergency Access). Your files themselves remain zero-knowledge encrypted - we only have the keys to unlock the share links, not your actual file encryption keys.

What Our Engineers CAN'T Do

Zero-knowledge means zero access. Even with full database and server access, our team sees only encrypted blobs.

Cannot read your files

Cannot see your filenames (encrypted in our database)

Cannot access your password

Cannot decrypt your data even if legally compelled

Cannot recover your files if you lose your password (this is a feature, not a bug)

Important: Because we can't access your data, losing your password means losing access to your files forever. We recommend using a password manager.

Technical Deep Dive

For the security-minded, here's exactly what we use under the hood.

Encryption Algorithms
  • File Encryption: AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode)
  • Key Derivation: PBKDF2 with SHA-256, 100,000 iterations (exceeds OWASP recommendations)
  • Token Hashing: SHA-256
  • IV Size: 12 bytes (96 bits) - standard for GCM
  • Salt Size: 16 bytes (128 bits) - randomly generated
Key Hierarchy
Password (never stored)
│
└─▶ PBKDF2 derivation (100k iterations)
      │
      └─▶ Password-Derived Key (PDK)
            │
            └─▶ Unwraps Master Key (AES-GCM)
                  │
                  └─▶ Unwraps File Keys (per-file)
                        │
                        └─▶ Decrypts Files (AES-GCM)
Wrapped Master Key Architecture

We use the same architecture as 1Password, Bitwarden, and ProtonMail:

  • Random Master Key: 256-bit key generated once, never changes
  • Password Wrapping: Master key is encrypted with your password-derived key
  • Fast Password Changes: Only re-wrap the master key (milliseconds, not hours)
  • Scalability: Password change time is constant regardless of file count
Per-File Encryption

Each file gets its own unique encryption key:

  • File Key: Random 256-bit key generated for each file
  • Key Wrapping: File key is wrapped (encrypted) with your master key
  • Isolation: Compromise of one file key doesn't affect others
  • Sharing: Enables fine-grained sharing without exposing master key
Server-Side Protection

Additional encryption for metadata stored in our database:

  • Cloak Vault: AES-256-GCM encryption for database fields
  • Encrypted Fields: Filenames, descriptions, storage paths
  • Key Management: Server encryption keys stored in secure environment variables
  • Defense in Depth: Even metadata is protected against database breaches

How We Compare

Feature Killswitch Google Drive Dropbox iCloud
Client-side encryption Partial
Zero-knowledge architecture
Provider can read files
Automatic digital legacy Limited

Ready to Secure Your Digital Life?

Join thousands of people who trust Killswitch to protect their most important files and ensure their digital legacy reaches the right hands.

Get Started Free Back to Home