
May 18, 2026 · Seth Carstens

Why I built a family vault I can't read

A solo software engineer's case for zero-custody estate planning, and how SecureFamilyVault was designed so the company that built it can never see what's inside.

Interior of a modern vault: wooden lockboxes lining the walls with a central wooden door.

I’m a software engineer. I’m not an estate planning attorney, not a financial planner, not anyone who is going to tell you what to put in your will. There are people who do those things very well, and you should talk to them.

What I am qualified to talk about is how software stores things — and specifically, how the family vault you’re being sold by everyone else stores everything in a form the company can read. I built SecureFamilyVault because I couldn’t find a vault that did the obvious thing: encrypt my family’s records on my device, with keys the company doesn’t have.

This post is the long version of why.

How I got here

A few years ago I tried to put my own family’s important documents in one place. I had paperwork in three filing cabinets, account statements scattered across email, beneficiary designations I’d set up years ago and couldn’t remember the details of, and a rough mental model of “if something happens to me, my wife will figure it out” that, on inspection, was a lie. She wouldn’t have known where to start.

I looked at every consumer estate-planning vault I could find. Several were polished. A couple had genuinely good UX. Every single one stored my data in a form their company could read.

That’s not a complaint about any particular product. It’s just how almost all software is built. The default is: company hosts a database, your data lives in the database, company employees with the right credentials can query it. Most products operate this way for good reasons — it’s simpler, support is easier, recovery is straightforward.

Estate planning is the wrong place for that default.

The threat model

When you put account numbers, beneficiary names, document scans, and “here’s where the safety deposit box key is” into a server-stored vault, you’ve created exactly the high-value target that attackers spend years figuring out how to get into. Not because the vault company is careless — most aren’t — but because:

  1. The vault company has decryption keys. So does anyone who steals the keys.
  2. Vault companies get acquired, change leadership, change privacy policies. The terms you signed up under are not the terms you’ll be operating under in ten years.
  3. Vault companies sometimes get subpoenaed. Their lawyers comply.
  4. Vault companies sometimes go out of business. Your data is now in the bankruptcy estate.
  5. Employees inside vault companies make mistakes. So do their contractors.

None of these are hypothetical. All of them have happened to large, well-funded, well-meaning companies in adjacent product categories.

For most products, accepting this tradeoff is fine. Your Spotify history is not going to ruin your life. Your family’s estate records are different. The whole point of consolidating them is so that one person — you — has the master inventory. The moment you hand that inventory to a third party in a readable form, you’ve inverted the problem you were trying to solve.

The model I wanted instead

I wanted the 1Password model, applied to estate records.

If you’ve used 1Password, you’ve used the model. You pick a strong passphrase. The app generates a long random “Secret Key” (128 bits of entropy) that lives only on your devices and on a printed Emergency Kit. The two get combined and stretched with a slow key-derivation function (PBKDF2-HMAC-SHA256, hundreds of thousands of iterations) into a 256-bit master key, and everything is encrypted under that key with AES-256-GCM before it ever leaves your machine.

The company that runs 1Password literally cannot read your passwords. Not because they promise not to — because they mathematically can’t. They don’t have your passphrase. They don’t have your Secret Key. Without both, the encrypted blob they sync between your devices is indistinguishable from random bytes. The Secret Key is what makes that hold even against offline guessing: an attacker who steals the encrypted blob from the server can try passphrases all day, but every guess also has to be paired with the right 128-bit Secret Key, and that key is never on the server.

That’s the model SecureFamilyVault uses. Same primitives. Same property: we cannot read your vault, so we don’t, and we won’t. The honest caveat is that this guarantee covers the server, not the client: decryption happens in the app running on your device, so you are still trusting that code, which is why the vault is built to keep working locally and offline rather than round-tripping through us.

What that means in practice

It means a few things that sound small and aren’t:

  • Your data lives on your device first. It is written, already encrypted, into your browser’s Origin Private File System (OPFS), a sandboxed storage area that only pages from the SecureFamilyVault origin can open. Your vault works offline. It doesn’t depend on us being up. If we shut down tomorrow, your vault on your device keeps working. Browsers can evict site storage under pressure, so keep the exported backup somewhere other than that one browser profile.

  • The cloud sync is just an encrypted blob. If you connect Google Drive, what we upload to your own Drive folder is an opaque .sfv file. Google can’t read it. Neither can we. Neither can anyone who eventually gets access to your Drive — including us if we issued ourselves credentials, which we haven’t and won’t.

  • You can leave at any time. Export your encrypted backup with one click. Take it to another app. Take it to a thumb drive. Take it to nowhere. You’re never locked in by being unable to extract what you put in.

  • There is no “forgot password” link. This is the genuinely hard part of the model and I want to be honest about it. If you lose your passphrase and your Emergency Kit, your vault is unrecoverable. There is no support ticket that can save you. That’s a feature of the design — the same property that means we can’t read your data means we can’t help a malicious actor read it either. It is also a real responsibility, and we communicate it loudly during setup.

Why the free tier is free

The other thing I wanted: the version of the product that covers what most families need should cost zero. Not “free trial.” Not “free until you hit a limit and we make you upgrade.” Actually free.

This is possible because of how we built it. Most of the value — cataloguing assets, designating beneficiaries, generating a will template, storing some documents locally, sharing access with a trusted person — runs entirely on your device or through your existing cloud accounts. There’s no per-user database we have to pay for. There’s no per-user storage we have to pay for. There’s a Cloudflare Pages bill that scales with traffic and not with users.

The paid tier exists for things that have real ongoing cost to us — cloud document storage on Cloudflare R2 (a few cents per GB per month), email notifications, advisor collaboration features that need server-side coordination. That tier funds the company. The free tier funds nothing because it doesn’t need to.

I don’t have an opinion about whether estate planning should be expensive. I have an opinion about whether the inventory of your family’s records should be expensive. It shouldn’t.

What I’m not going to do

I’m going to write about how the product works, what privacy actually means in this category, what changed last month in iOS Legacy Contact and Google Inactive Account Manager, how to have the conversation with your parents about getting their documents organized, and what the math behind the security model looks like up close.

I’m not going to write about whether you need a trust. I’m not going to write about state probate rules. I’m not going to give you legal or financial advice. If you want the latter, the people who do it well have credentials I don’t have, and you should pay them for an hour of their time. It will be the cheapest hour of estate planning you ever buy.

What I can offer is the honest version of the technology choices behind a vault that’s built for your family’s records — and the slow, patient work of organizing what your family will actually need, in a form they can actually get to and nobody else can read.

That’s what this blog is going to be about.


Seth Carstens is the founder and sole engineer of SecureFamilyVault. Nothing in this post is legal advice. For anything binding, talk to a licensed attorney in your state.

Want the next post by email? Subscribe to the newsletter. One short post per week. No spam, no upsells, unsubscribe with one click — we don’t even have a marketing automation tool to make it complicated.

