Keyholder Management Best Practices
Overview
Effective Keyholder management is critical to the success of your emergency trigger system. This guide covers best practices for selecting Keyholders, configuring Voters, and managing the protective constraints that ensure your credentials remain secure while still being accessible in emergencies.
Understanding Roles
Keyholders vs. Voters
SafekeeperLife distinguishes between two groups:
- Keyholders: Recipients of Keys (pieces of your master Key) who can reconstruct it and reveal your credentials
- Voters: Individuals who can attest that you are deceased (only relevant for attestation triggers)
These groups can overlap but serve different purposes:
Example 1: Separate Groups
Voters (5): Spouse, 2 children, lawyer, doctor
Keyholders (3): Spouse, trusted friend, business partner
Votes Required: 3
Example 2: Overlapping Groups
Voters (4): Spouse, 2 children, sibling
Keyholders (4): Same as Voters
Votes Required: 3
Example 3: Minimal Overlap
Voters (6): Family members + close friends
Keyholders (2): Lawyer, accountant (professionals only)
Votes Required: 4
Why separate them?
- Voters verify your death (attestation function)
- Keyholders access credentials (reveal function)
- Separation provides additional security layer
- Prevents single group from controlling entire process
Choosing Keyholders
Selection Criteria
Essential Qualities:
- Trustworthy: Will act in your best interests
- Available: Likely to be reachable when needed
- Tech-capable: Comfortable following instructions
- Responsible: Will safeguard their Key
- Long-term: Expected to outlive you or remain accessible
Consider:
- Geographic distribution (don’t put all Keyholders in same location)
- Relationship stability (avoid people you might fall out with)
- Professional vs. personal relationships (mix can be good)
- Age and health (younger, healthier individuals more likely to be available)
Number of Keyholders
Threshold (k): Number of Keys needed to reveal credentials
Total Keyholders (n): Total Keys distributed (n = threshold + spare Keys)
Common Configurations:
Threshold 2, Total 2 (k=2, n=2)
- Minimal setup
- No redundancy (both Keyholders must respond)
- Risk: If one is unavailable, reveal is impossible
Threshold 2, Total 3 (k=2, n=3)
- Good redundancy
- One Keyholder can be unavailable
- Recommended for most users
Threshold 2, Total 4 (k=2, n=4)
- High redundancy
- Two Keyholders can be unavailable
- Good for high-value safes
Threshold 3, Total 4 (k=3, n=4)
- Higher security (requires 3 to collude)
- One Keyholder can be unavailable
- Good for sensitive credentials
Threshold 3, Total 5 (k=3, n=5)
- High security + good redundancy
- Two Keyholders can be unavailable
- Best for very sensitive safes
Recommendation: k=2, n=3 (threshold 2, total 3) provides a good balance of security and availability for most users.
Keyholder Categories
Personal Relationships:
- Spouse/partner (trusted, but emotionally affected)
- Adult children (good long-term, may lack experience)
- Siblings (reliable, but relationships can be complex)
- Close friends (trustworthy, but relationships may change)
Professional Relationships:
- Lawyer/attorney (professional duty, but costs money)
- Accountant (financial expertise, professional distance)
- Financial advisor (understands context, fiduciary duty)
- Executor of estate (already has legal role)
Mixed Approach (Recommended):
Example: k=2, n=3
Keyholder 1: Spouse (personal + immediate access)
Keyholder 2: Lawyer (professional + legal expertise)
Keyholder 3: Adult child (long-term + family continuity)
Choosing Voters (for Attestation Trigger)
Selection Criteria
Essential Qualities:
- Would know of your death: Close enough to hear news
- Trustworthy: Won’t falsely attest while you’re alive
- Responsive: Will act when they learn of your death
- Accessible: Email remains valid long-term
Consider:
- Family members (immediate knowledge of death)
- Close friends (likely to hear news quickly)
- Professional contacts (lawyers, doctors who would be notified)
- Geographic diversity (different social circles)
Number of Voters
Votes Required (M): Number of attestations needed to seal Safe
Total Voters (V): Total individuals who can attest
Critical Constraints:
1. M > k (Votes Required > Threshold)
WHY: Prevents same group from both sealing AND revealing
Example (INSECURE):
Threshold k=2, Votes Required M=2, Voters V=2
→ Same 2 people can seal Safe AND reveal credentials
→ No separation of concerns
Example (SECURE):
Threshold k=2, Votes Required M=3, Voters V=5
→ Need 3 to seal, 2 to reveal
→ Different groups control each process
2. M ≤ V (Votes Required ≤ Total Voters)
WHY: Can't require more votes than available Voters
Example (IMPOSSIBLE):
Votes Required M=5, Total Voters V=3
→ Can never reach threshold (only 3 Voters exist)
Common Configurations:
k=2, M=3, V=5
- Good separation (need 3 to seal, 2 to reveal)
- Redundancy (5 Voters, only need 3)
- Recommended for most users
k=2, M=4, V=6
- High security (need 4 to seal, 2 to reveal)
- Good redundancy (6 Voters, only need 4)
- Good for sensitive safes
k=3, M=5, V=7
- Very high security (need 5 to seal, 3 to reveal)
- Good redundancy
- Best for very sensitive safes
Recommendation: For k=2, use M=3 with V=5 Voters.
Voter Categories
Immediate Circle:
- Spouse/partner
- Adult children
- Parents (if younger than you)
- Siblings
Extended Circle:
- Close friends
- Extended family
- Neighbors
Professional Circle:
- Lawyer/attorney
- Doctor/physician
- Financial advisor
- Religious/spiritual leader
Mixed Approach (Recommended):
Example: k=2, M=3, V=5
Voter 1: Spouse
Voter 2: Adult child 1
Voter 3: Adult child 2
Voter 4: Sibling
Voter 5: Close friend
Votes Required: 3
Common Pitfalls and Solutions
Pitfall 1: All Keyholders Are Same Age/Generation
Problem: If all Keyholders are your peers, they may die or become incapacitated around the same time as you.
Solution: Mix generations
Good: Spouse (your age) + Adult child (younger) + Sibling (similar age)
Better: Adult child (younger) + Lawyer (professional) + Nephew (much younger)
Pitfall 2: Geographic Concentration
Problem: All Keyholders in same city/region (natural disaster, local emergency).
Solution: Geographic diversity
Good: 1 local, 1 in different state, 1 international
Pitfall 3: Insufficient Separation (M ≤ k)
Problem: Same people can seal and reveal (no checks and balances).
Solution: Ensure M > k
Bad: k=2, M=2 (same 2 people control everything)
Good: k=2, M=3 (need more people to seal than reveal)
Pitfall 4: Too High Threshold
Problem: Threshold k=4 or k=5 makes reveal very difficult (need too many people to respond).
Solution: Keep threshold at 2 or 3
Preferred: k=2 (only need 2 Keyholders to respond)
Alternative: k=3 (more security, but harder to reveal)
Avoid: k=4+ (very difficult to coordinate)
Pitfall 5: No Redundancy
Problem: n=k (no spare Keys), so if one Keyholder is unavailable, reveal is impossible.
Solution: Always have spare Keys
Bad: k=2, n=2 (no spares)
Good: k=2, n=3 (1 spare)
Better: k=2, n=4 (2 spares)
Pitfall 6: Overlapping Voters and Keyholders Without M > k
Problem: If Voters and Keyholders are the same people, and M ≤ k, the same group controls both sealing and revealing.
Solution: Either separate groups OR ensure M > k
Bad: Voters = Keyholders, k=2, M=2 (no separation)
Good: Voters = Keyholders, k=2, M=3 (separation by numbers)
Better: Voters ≠ Keyholders (complete separation)
Pitfall 7: Outdated Contact Information
Problem: Keyholder changed email address, doesn’t receive Key.
Solution: Regular reviews
Review annually: Check all email addresses
Update process: Unlock Safe, update contact, re-lock
Test: Send test email to verify receipt
Pitfall 8: Keyholders Don’t Know Their Role
Problem: Keyholder receives Key email but doesn’t understand what to do.
Solution: Brief Keyholders in advance
Tell them: "You'll receive an email with a Key if I die"
Explain: "Keep the file safe, coordinate with other Keyholders"
Provide: Written instructions or link to documentation
Briefing Your Keyholders
What to Tell Keyholders
At Designation Time:
“I’ve designated you as a Keyholder for my SafekeeperLife Safe. Here’s what that means:
- Purpose: You’re one of [n] people who will receive a Key if I die or become incapacitated.
- What You’ll Receive: An email with a file attachment containing your Key. This file is encrypted and secure.
- What to Do:
  - Save the file somewhere safe
  - DO NOT share it with anyone (not even other Keyholders)
  - Wait until [k] Keyholders are ready to proceed
  - Coordinate with other Keyholders to schedule the reveal
  - Upload your Key when ready
- Who Else: The other Keyholders are [list names]. You’ll need to coordinate with them.
- Timeline: There’s no rush. Take time to coordinate properly. Shares don’t expire.
- Questions: [Provide contact info for backup person or lawyer]
- Documentation: [Link to user guide or instructions]”
What to Tell Voters
At Designation Time:
“I’ve designated you as a Voter for my SafekeeperLife attestation trigger. Here’s what that means:
- Purpose: If you have credible evidence that I’ve died, you can log in and attest to my death.
- Threshold: [M] out of [V] Voters must attest before the Safe is sealed.
- What Happens: Once [M] Voters attest, my Safe is automatically sealed and Keys are sent to Keyholders.
- Important: Only attest if you’re certain I’ve died. False attestation is serious.
- How to Attest: Log into SafekeeperLife, navigate to the attestation page, and submit your attestation.
- Reset: If I log in (proving I’m alive), all attestations are cleared.
- Questions: [Provide contact info for backup person or lawyer]”
Configuration Examples
Example 1: Simple Family Setup
Scenario: Small family, moderate security needs
Configuration:
Threshold: 2
Total Keyholders: 3 (spouse, child, sibling)
Inactivity Trigger: Enabled (180 days + 14 day grace)
Attestation Trigger: Disabled
Rationale:
- Simple, family-centric
- Time-based trigger provides safety net
- No attestation needed (trust inactivity trigger)
Example 2: High-Security Professional Setup
Scenario: High-value credentials, professional relationships
Configuration:
Threshold: 3
Total Keyholders: 4 (lawyer, accountant, business partner, spouse)
Votes Required: 4
Total Voters: 6 (spouse, 2 children, sibling, lawyer, close friend)
Inactivity Trigger: Enabled (365 days + 30 day grace)
Attestation Trigger: Enabled
Scheduled Trigger: Disabled
Rationale:
- High security (k=3, M=4)
- Separation of concerns (Voters ≠ Keyholders)
- Multiple trigger types for redundancy
- Professional Keyholders for expertise
Example 3: Estate Planning Setup
Scenario: Elderly user, known timeline
Configuration:
Threshold: 2
Total Keyholders: 3 (executor, child 1, child 2)
Votes Required: 3
Total Voters: 4 (children, spouse, lawyer)
Inactivity Trigger: Enabled (90 days + 7 day grace)
Attestation Trigger: Enabled
Scheduled Trigger: Enabled (specific date)
Rationale:
- All triggers enabled (maximum coverage)
- Executor as Keyholder (legal role)
- Short inactivity period (elderly, may not login often)
- Scheduled trigger aligns with estate planning
Example 4: Young Professional Setup
Scenario: Young, healthy, low immediate risk
Configuration:
Threshold: 2
Total Keyholders: 3 (spouse, parent, sibling)
Votes Required: 3
Total Voters: 5 (spouse, parent, sibling, 2 close friends)
Inactivity Trigger: Enabled (365 days + 14 day grace)
Attestation Trigger: Enabled
Scheduled Trigger: Disabled
Rationale:
- Long inactivity period (low immediate risk)
- Attestation provides early trigger if unexpected
- Family + friends as Voters
- Simple Keyholder setup
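The constraints and pitfalls above (M > k, M ≤ V, spare Keys, threshold size) can be checked mechanically before a Safe is locked. The following is an added example, not SafekeeperLife code: `SafeConfig`, `check` and the finding codes are hypothetical names, and the placeholder names "A" to "F" are constructed. It also lists anyone who appears in both groups.

```python
from dataclasses import dataclass, field

@dataclass
class SafeConfig:
    k: int            # Threshold: Keys needed to reveal
    keyholders: list  # one Key each, so n = len(keyholders)
    m: int = 0        # Votes Required (ignored when there are no Voters)
    voters: list = field(default_factory=list)

def check(cfg):
    """Return {code: (severity, message)} for each rule the config breaks."""
    n, v = len(cfg.keyholders), len(cfg.voters)
    out = {}
    if n < cfg.k:
        out["N_LT_K"] = ("error", f"only {n} Keys exist but k={cfg.k} are needed")
    elif n == cfg.k:
        out["NO_SPARE"] = ("warn", "n = k: one unavailable Keyholder blocks reveal")
    if cfg.k >= 4:
        out["HIGH_K"] = ("warn", f"k={cfg.k}: hard to get that many to respond")
    if cfg.voters:  # attestation trigger configured
        if cfg.m > v:
            out["M_GT_V"] = ("error", f"M={cfg.m} is unreachable with V={v} Voters")
        if cfg.m <= cfg.k:
            out["M_LE_K"] = ("error", f"M={cfg.m} must be greater than k={cfg.k}")
        both = sorted(set(cfg.keyholders) & set(cfg.voters))
        if both:
            out["OVERLAP"] = ("note", "in both groups: " + ", ".join(both))
    return out

# The page's "High-Security Professional Setup" (roles as listed there).
HIGH_SECURITY = SafeConfig(
    k=3, keyholders=["lawyer", "accountant", "business partner", "spouse"],
    m=4, voters=["spouse", "child 1", "child 2", "sibling", "lawyer", "close friend"])
# The page's INSECURE case (k=2, M=2, V=2); the names are constructed.
INSECURE = SafeConfig(k=2, keyholders=["A", "B"], m=2, voters=["A", "B"])
# The page's IMPOSSIBLE case (M=5, V=3); k, n and the names are constructed.
IMPOSSIBLE = SafeConfig(k=2, keyholders=["A", "B", "C"], m=5, voters=["D", "E", "F"])

if __name__ == "__main__":
    for name, cfg in [("high-security", HIGH_SECURITY), ("insecure", INSECURE),
                      ("impossible", IMPOSSIBLE)]:
        print(name)
        for code, (sev, msg) in check(cfg).items():
            print(f"  {sev:5} {code}: {msg}")
```

Run against the High-Security Professional Setup as listed, the only finding is a note that the spouse and the lawyer sit in both groups.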
Maintenance and Updates
Annual Review Checklist
Every Year:
- [ ] Verify all Keyholder email addresses are current
- [ ] Verify all voter email addresses are current
- [ ] Confirm all Keyholders are still willing and able
- [ ] Confirm all Voters are still willing and able
- [ ] Review trigger settings (still appropriate?)
- [ ] Test login to reset inactivity timer
- [ ] Update documentation if needed
- [ ] Brief new Keyholders/Voters if any changes
When to Update Configuration
Immediate Update Required:
- Keyholder dies or becomes incapacitated
- Keyholder relationship deteriorates (divorce, falling out)
- Keyholder changes email address (bounced notification)
- Voter relationship changes
- Major life event (marriage, divorce, new child)
Consider Update:
- Change in security needs
- Change in risk profile
- New technology available
- Feedback from Keyholders/Voters
Update Process:
- Unlock Safe with password
- Update Keyholder/voter designations
- Update trigger configuration if needed
- Re-lock Safe (generates new pre-encrypted Keys)
- Brief new Keyholders/Voters
- Document changes
Security Considerations
Keyholder Collusion Risk
Risk: k Keyholders could collude to reveal credentials while you’re alive.
Mitigations:
- Choose trustworthy Keyholders
- Increase threshold (k=3 harder than k=2)
- Mix personal and professional relationships (harder to collude)
- Geographic/social diversity (reduces communication opportunity)
Acceptance: Some risk is inherent in Key sharing. Weigh against risk of credentials becoming inaccessible.
Voter False Attestation Risk
Risk: Voters falsely attest you have passed away to trigger seal.
Mitigations:
- Ensure M > k (need more Voters than Keyholders)
- Choose trustworthy Voters
- Regular logins clear attestations (proves you’re alive)
- Grace periods give you time to respond
- Legal consequences for false attestation
Lost Key Share Risk
Risk: Keyholder loses their shared Key.
Mitigations:
- Have spare Keyholders (n > k)
- Brief Keyholders on secure storage
- Consider professional Keyholders (lawyers have secure storage)
- If too many shares lost, unlock and re-seal to generate new shares
Compromised Keyholder Email
Risk: Keyholder’s email is compromised, attacker gets shared Key.
Mitigations:
- Encourage Keyholders to use strong email security
- k-of-n threshold means attacker needs multiple shares
- Consider additional authentication for reveal process
- Professional Keyholders likely have secure email
FAQ
Q: Can Keyholders and Voters be the same people?
A: Yes, but ensure M > k (votes required > threshold) to maintain separation of concerns.
Q: What happens if a Keyholder dies before I do?
A: If you have spare Keys (n > k), the remaining Keyholders can still reveal. Otherwise, you should unlock and re-lock your Safe with a new Keyholder.
Q: Can I change Keyholders after locking?
A: Yes, but you must unlock the Safe first, update designations, then re-lock. This generates new pre-encrypted Keys.
Q: Should I tell Keyholders who the other Keyholders are?
A: Yes, recommended. They’ll need to coordinate during the reveal process.
Q: What if all my Keyholders refuse to participate in reveal?
A: This is rare, but highlights the importance of choosing trustworthy Keyholders. Consider professional Keyholders (lawyers) who have a fiduciary duty.
Q: Can I have different Keyholders for different safes?
A: Yes, each Safe has independent Keyholder designations.
Q: Should my spouse be both a voter and a Keyholder?
A: Generally yes. Spouse is trustworthy, has immediate knowledge of your death, and is the primary beneficiary of credentials.
Q: What’s the maximum number of Keyholders/Voters?
A: Technical limits are high, but practical limits are:
- Keyholders: 5-7 max (coordination becomes difficult)
- Voters: 10-15 max (hard to brief and maintain)