SafeKeeper.life - Secure by design

Your data is always 100% yours We never store your data

Back to Documentation

Keyholder Reveal Process

User Guide

Keyholder Guide: Reveal Process

If you’ve been designated as a Keyholder for someone’s SafekeeperLife Safe, this guide will help you understand your role and responsibilities.

Table of Contents

What is a Keyholder?

A Keyholder is a trusted person designated by a safekeeper (the person who created the Safe) to help reveal encrypted credentials in specific circumstances.

Your Role as a Keyholder

Responsibilities:

  • Store your Key file securely
  • Respond when the safekeeper or other Keyholders reach out
  • Upload your Key when needed (after confirming it’s appropriate)
  • Help access the safekeeper’s credentials in emergency situations
  • Coordinate with other Keyholders to meet the threshold requirement

What You’re NOT Responsible For:

  • Deciding when to reveal (triggers or safekeeper decide this)
  • Managing the safekeeper’s accounts after reveal
  • Solving problems with the safekeeper’s credentials
  • Distributing credentials to non-Keyholders

Why You Were Chosen

The safekeeper chose you because:

  • They trust you with sensitive information
  • You’re likely to be available when needed
  • You’re responsible and can coordinate with others
  • You understand the importance of securing their credentials

Being designated as a Keyholder is an honor and shows significant trust.

Understanding Key Shares

What is a Key Share?

A shared Key (often just called a “Key”) is a cryptographic fragment of the encryption Key used to lock the Safe. No single shared Key can reveal the Safe’s contents—multiple Keyholders must combine their Keys together.

How Key Shares Work

SafekeeperLife uses Shamir’s Secret Sharing, a cryptographic technique that splits a secret (the encryption Key) into multiple shares:

  1. Splitting: The encryption Key is split into N shares (total Keyholders)
  2. Threshold: A minimum of K shares are required to reconstruct the Key (threshold)
  3. Security: Having fewer than K shares reveals nothing about the encryption Key

Example:

  • Threshold (K): 2
  • Total Keyholders (N): 4
  • Any 2 of the 4 Keyholders can reconstruct the Key
  • A single Keyholder alone cannot reveal anything

Why This Matters

Security:

  • No single person can reveal the Safe alone (unless threshold = 1)
  • The safekeeper can’t be coerced into revealing (they don’t have access after sealing)
  • Multiple Keyholders must collude or coordinate

Redundancy:

  • If one Keyholder loses their Key, others can still reveal (if threshold < total)
  • If a Keyholder is unavailable, others can proceed

Coordination:

  • Keyholders must work together
  • Communication and trust are essential

Receiving Your Key

Email Notification

When the safekeeper seals their Safe, you’ll receive an email notification:

Subject: You've been designated as a Keyholder for [Safekeeper's Name]

Hi [Your Name],

You've been designated as a Keyholder for [Safekeeper's Name]'s SafekeeperLife Safe.

Your Key file is attached to this email.

What you need to do:
1. Download the Key file attachment (.Key file)
2. Store it securely (see guide below)
3. If [Safekeeper's Name] or other Keyholders request it, upload your Key to reveal the Safe

Important:
- Do NOT share this Key with anyone
- Do NOT delete this email until you've saved the Key elsewhere
- Do NOT upload your Key unless you've confirmed a legitimate reveal request

For more information, see the Keyholder Guide:
https://safekeeperlife.com/docs/keyholder_guide_reveal_process

Thank you for being a trusted Keyholder.

SafekeeperLife Team

Downloading Your Key File

  1. Open the email from SafekeeperLife
  2. Find the attachment (filename: keyholder_key_[safe_id]_[your_email].Key)
  3. Download the attachment to your device
  4. Verify the file size (should be a few kilobytes)
  5. Move to secure storage (see next section)

Important: The Key file is not human-readable. It’s a binary file that SafekeeperLife uses cryptographically.

Storing Your Key Securely

Storage Options

Your Key file should be stored securely but accessible when needed. Consider these options:

Option 1: Password Manager (Recommended)

Pros:

  • Encrypted and secure
  • Accessible from multiple devices
  • Backed up automatically
  • Easy to retrieve

How:

  1. Open your password manager (1Password, Bitwarden, LastPass, etc.)
  2. Create a new entry: “SafekeeperLife Keyholder Key - [Safekeeper’s Name]”
  3. Attach the Key file to the entry
  4. Add notes: Safekeeper’s name, Safe purpose, other Keyholders (if known)

Option 2: Encrypted Cloud Storage

Pros:

  • Accessible from anywhere
  • Backed up
  • Can share folder with trusted family member (additional redundancy)

How:

  1. Upload Key file to encrypted cloud storage (Dropbox, Google Drive, iCloud with encryption)
  2. Place in a dedicated folder: “SafekeeperLife Keys”
  3. Enable two-factor authentication on the cloud account
  4. Note the location

Cons: Depends on cloud provider’s security

Option 3: Physical Storage (USB Drive)

Pros:

  • Offline and secure (no internet access)
  • Complete control

How:

  1. Copy Key file to a USB drive
  2. Label the drive clearly
  3. Store in a secure location (Safe, lockbox)

Cons:

  • Can be lost or damaged
  • Less accessible
  • Requires physical access

Option 4: Multiple Backups (Best Practice)

Recommended approach:

  1. Primary: Password manager (daily access)
  2. Backup: Encrypted cloud storage (redundancy)
  3. Physical: USB drive in Safe (last resort)

Security Best Practices

Do:

  • Encrypt the storage location (password manager, encrypted drive)
  • Use strong passwords for storage accounts
  • Enable two-factor authentication
  • Keep multiple backups in different locations
  • Document where you stored it (so you remember)

Don’t:

  • Store in plaintext on your computer (no unencrypted folders)
  • Email the Key file to yourself (email is not secure)
  • Share the Key file with anyone (unless authorized by safekeeper)
  • Store on a work computer (personal matter, privacy)
  • Upload to public file-sharing sites (Dropbox public links, etc.)

When Reveal is Needed

Trigger Scenarios

Reveal is needed when specific trigger conditions are met:

The safekeeper will have configured one or more automatic triggers:

Inactivity Trigger:

  • Safekeeper hasn’t logged in for X days (e.g., 180 days)
  • Grace period expires (e.g., 14 days of warnings)
  • Safe automatically seals

Attestation Trigger:

  • Multiple Voters attest that the safekeeper is deceased
  • Threshold of votes reached (e.g., 3 out of 5 Voters)
  • Safe automatically seals

Scheduled Trigger:

  • A specific date is reached (e.g., safekeeper’s 85th birthday)
  • Safe automatically seals on that date

Your Action: You’ll receive an email notification that the trigger fired and Keyholders can now reveal.

How You’ll Know

You’ll receive an email like this:

Subject: Reveal Requested for [Safekeeper's Name]'s Safe

Hi [Your Name],

A reveal condition has been met for [Safekeeper's Name]'s Safe.

Trigger: [Inactivity / Attestation / Scheduled]

You and other Keyholders can now upload your Keys to reveal the Safe's contents.

What to do next:
1. Coordinate with other Keyholders (at least [K] Keys needed)
2. Log in to SafekeeperLife: https://safekeeperlife.com/login
3. Navigate to the Safe reveal page
4. Upload your Key file
5. Wait for other Keyholders to upload their Keys

Once [K] Keys are uploaded, the Safe will be revealed and credentials will be accessible.

SafekeeperLife Team

The Reveal Process: Step-by-Step

Prerequisites

  • You’ve received a notification that reveal is possible
  • You’ve coordinated with other Keyholders
  • You’ve retrieved your Key file from secure storage

Step 1: Register or Log In

If you haven’t registered:

  1. Go to https://safekeeperlife.com/register
  2. Use the same email address that received the Keyholder notification
  3. Create a password (your SafekeeperLife account password)
  4. Verify your email
  5. Log in

If you’re already registered:

  1. Go to https://safekeeperlife.com/login
  2. Enter your credentials
  3. Log in

Important: You must use the email address that the safekeeper designated. If you registered with a different email, the system won’t recognize you as a Keyholder.

Step 2: Navigate to the Safe

  1. After logging in, you’ll see a dashboard
  2. Look for “Safes You’re a Keyholder For” section
  3. Find the Safe for [Safekeeper’s Name]
  4. Click on the Safe

Step 3: Upload Your Key

  1. On the Safe page, you’ll see “Upload Your Key” section
  2. Click “Choose File” or drag-and-drop your Key file
  3. Select your Key file (.Key extension)
  4. Click “Upload Key”
  5. Wait for confirmation

Confirmation Message:

✅ Your Key has been uploaded successfully.

Keys uploaded: [X] out of [K] required

Waiting for [K - X] more Keyholders to upload their Keys.

Step 4: Wait for Other Keyholders

Once you’ve uploaded your Key, wait for other Keyholders to do the same.

Status updates:

  • You’ll see a progress indicator showing how many Keys have been uploaded
  • You may receive email notifications when other Keyholders upload Keys
  • When threshold is met, you’ll receive a notification

Step 5: Reveal Complete

When the threshold number of Keys is uploaded:

✅ Threshold met! Safe revealed.

You can now view the credentials.

[View Credentials Button]

Click “View Credentials” to see the safekeeper’s credentials.

Coordinating with Other Keyholders

Communication is Key

Why coordinate:

  • Ensures everyone is aware reveal is needed
  • Confirms the request is legitimate
  • Speeds up the reveal process
  • Reduces confusion

How to Coordinate

Option 1: Direct Communication

  • Call or text other Keyholders
  • Email the group
  • Use a messaging app (Signal, WhatsApp)

Option 2: Safekeeper Initiated

  • Safekeeper contacts all Keyholders with instructions
  • Provides QR codes or reveal links
  • Coordinates timing

Option 3: Lead Keyholder

  • One Keyholder takes the lead
  • Reaches out to others
  • Confirms everyone has their Keys
  • Sets a time to upload Keys together

What to Communicate

Initial Contact:

"Hi everyone, I received a notification that [Safekeeper's Name]'s Safe needs to be revealed.
We need [K] Keyholders to upload Keys. Can you all confirm you have your Key files?
Let's plan to upload Keys on [date/time]."

Confirmation:

"I've uploaded my Key. [X] out of [K] Keys are now uploaded.
[Names], please upload yours when ready."

Completion:

"Threshold met! Safe is now revealed. I can see the credentials.
Everyone should be able to view them now."

Verifying Legitimacy

Before uploading your Key, verify the request is legitimate:

Red Flags:

  • Unexpected email from unknown sender
  • Request doesn’t match known triggers
  • Safekeeper is alive and well (but inactivity trigger fired?)
  • Pressure to upload Key immediately without explanation

How to Verify:

  1. Contact the safekeeper directly (if possible)
  2. Contact other Keyholders (compare notes)
  3. Check email headers (verify sender is SafekeeperLife)
  4. Review trigger configuration (if you know what triggers were enabled)

If suspicious, DON’T upload your Key. Contact SafekeeperLife support.

Viewing Revealed Credentials

Accessing Credentials

Once the threshold is met:

  1. Navigate to the Safe (if not already there)
  2. Click “View Credentials”
  3. See the list of credentials stored in the Safe

Credential Display

Each credential shows:

  • Name: Description of the credential (e.g., “Google Account Personal Account”)
  • Template: Type of credential (Google Account, 1Password, Generic, etc.)
  • Fields: Username, password, recovery email, 2FA codes, etc.
  • Notes: Additional context provided by the safekeeper

Example:

Credential: Google Account Personal Account

Email: john.doe@gmail.com
Password: SecurePassword123!
Recovery Email: john.backup@example.com
2FA Backup Codes: 12345678, 23456789, 34567890

Notes:
"Primary personal email. Uses Google Authenticator for 2FA.
Recovery email is checked weekly. If revealing, please check
shared photos folder (link in Dropbox credential)."

Copying Credentials

  • Click the copy icon next to each field to copy to clipboard
  • Use the copied credentials to log in to accounts
  • Do NOT screenshot or save credentials insecurely

Exporting Credentials (Optional)

SafekeeperLife may offer an export feature:

  • Export all credentials to a file (CSV, JSON, encrypted)
  • Store securely (encrypted password manager, secure note)
  • Share with safekeeper’s family/estate (if appropriate)

After Reveal: What to Do

Step 1: Use the Credentials

Access accounts:

  • Log in to the safekeeper’s accounts using the revealed credentials
  • Complete the tasks the safekeeper intended (access files, close accounts, etc.)

Common use cases:

  • Access password manager to get all other passwords
  • Access email to find important messages
  • Access cloud storage to retrieve files
  • Access financial accounts (with appropriate legal authority)

Step 2: Secure Credential Access

If accounts will be used long-term:

  • Change passwords (if you’re now the account owner)
  • Update recovery information
  • Enable two-factor authentication (if not already enabled)
  • Remove old 2FA devices, add new ones

If accounts will be closed:

  • Follow account closure procedures for each service
  • Download important data before closing
  • Cancel subscriptions or recurring payments

Step 3: Communicate with Other Stakeholders

Who to inform:

  • Family members or estate executor
  • Legal representatives (if estate planning)
  • Financial advisors (if financial accounts)
  • Other Keyholders (confirm everyone accessed credentials)

What to communicate:

  • “The Safe has been revealed, credentials are accessible”
  • “I’ve accessed [specific accounts] as planned”
  • “Do we need to coordinate further?”

Step 4: Remove the Safe (When Done)

Once all Keyholders have accessed the credentials and completed necessary tasks:

  1. Navigate to the Safe
  2. Click “Remove Safe” (if available)
  3. Confirm removal

This deletes the Safe and all associated data from SafekeeperLife.

Important: Only remove the Safe after you’re certain:

  • All Keyholders have accessed credentials
  • All necessary accounts have been accessed
  • Credentials have been exported or stored elsewhere (if needed long-term)

Step 5: Reflect and Learn

For future reference:

  • Was the process smooth?
  • Were credentials up-to-date?
  • Did you have enough information?
  • What would you do differently?

If you’re considering creating your own SafekeeperLife Safe, use this experience to inform your setup.

Troubleshooting

Problem: Didn’t Receive Key Email

Symptom: Safekeeper says they designated you, but you didn’t receive the email.

Possible Causes:

  • Email went to spam/junk folder
  • Wrong email address used
  • Email blocked by your provider

Solution:

  1. Check spam/junk folder
  2. Search inbox for “SafekeeperLife” or safekeeper’s name
  3. Contact safekeeper to confirm email address used
  4. Ask safekeeper to re-send the Key or re-seal the Safe

Problem: Lost Key File

Symptom: You need to reveal but can’t find your Key file.

Possible Causes:

  • File was deleted
  • Storage location forgotten
  • Backup not made

Solution:

  • If safekeeper is available: Ask them to re-seal the Safe and send new Keys
  • If safekeeper is unavailable: You cannot participate in the reveal. Other Keyholders must proceed without you (if threshold can still be met).

Prevention: Always keep multiple backups in different locations.

Problem: Key File Won’t Upload

Symptom: Upload button doesn’t work or error message appears.

Possible Causes:

  • Wrong file selected
  • File corrupted
  • You’re not using the designated email address
  • Network error

Solution:

  1. Verify you’re uploading the .Key file (not a different file)
  2. Check file size (should be a few KB, not 0 bytes)
  3. Ensure you’re logged in with the email address the safekeeper designated
  4. Try a different browser
  5. Check network connection
  6. Contact SafekeeperLife support

Problem: Can’t View Credentials After Reveal

Symptom: Threshold met, but credentials don’t display.

Possible Causes:

  • Browser issue
  • Permission problem
  • You didn’t participate in the reveal (didn’t upload your Key)

Solution:

  1. Refresh the page
  2. Log out and log back in
  3. Try a different browser
  4. Verify you uploaded your Key (you must participate to view)
  5. Contact SafekeeperLife support

Problem: Wrong Email Used for Registration

Symptom: Registered for SafekeeperLife but the Safe doesn’t appear in your dashboard.

Cause: You registered with a different email address than the one the safekeeper designated.

Solution:

  1. Log out
  2. Register with the correct email address (the one that received the Keyholder notification)
  3. OR: Ask safekeeper to update your email and re-seal

Problem: Suspicious Reveal Request

Symptom: Received a reveal notification but something seems off.

Red Flags:

  • Safekeeper is alive and well
  • Timing doesn’t match expected triggers
  • Email looks phishing-like

Solution:

  1. Do NOT upload your Key
  2. Contact the safekeeper directly (call, text, in person)
  3. Contact other Keyholders to compare notes
  4. Verify email authenticity (check sender domain, headers)
  5. Contact SafekeeperLife support if still unsure

Frequently Asked Questions

Can I reveal the Safe alone?

Only if the threshold is 1. Otherwise, you need other Keyholders to upload their Keys.

Example: Threshold = 2, you need one other Keyholder to participate.

What if I don’t want to be a Keyholder anymore?

Contact the safekeeper and ask them to remove you from the Keyholder list. They’ll need to:

  1. Unlock the Safe
  2. Remove you from the Keyholder list
  3. Lock and re-seal (redistributes Keys to remaining Keyholders)

Can I see credentials before reveal?

No. Credentials are encrypted until the threshold number of Keyholders upload Keys. Your Key alone reveals nothing.

Can I give my Key to someone else?

No, don’t do this. The safekeeper chose you specifically. Giving your Key to someone else violates their trust.

Exception: If you’re truly unavailable (traveling, hospitalized) and the safekeeper approves, you can share your Key with another trusted person to upload on your behalf. But confirm with the safekeeper first.

What if the safekeeper is alive but trigger fired?

Inactivity trigger: The safekeeper didn’t log in for the specified period. They may be traveling, busy, or intentionally stopped using SafekeeperLife. Try contacting them before revealing.

Attestation trigger: Voters may have made a mistake. Do NOT reveal without confirming the safekeeper is truly deceased.

Scheduled trigger: This is expected if the safekeeper configured a date-based trigger.

Always verify before revealing if there’s any doubt.

Can I update my Key later?

Your Key is generated when the Safe is sealed. If the safekeeper re-seals the Safe (after editing credentials), you’ll receive a new Key. Old Keys become invalid.

How long is my Key valid?

Your Key is valid until:

  • The Safe is revealed (Key used)
  • The Safe is removed (deleted)
  • The safekeeper re-seals (new Keys generated)

What if I upload the wrong file by accident?

The system will reject invalid Key files. If you upload the wrong file:

  • You’ll see an error message
  • Try again with the correct file
  • Your attempt doesn’t count toward the threshold

Can I test my Key without revealing?

No, SafekeeperLife doesn’t provide a test mode. Uploading your Key contributes to the reveal process.

Alternative: Ask the safekeeper to create a test Safe specifically for practice.

What happens to the Safe after reveal?

After reveal:

  • The Safe moves to “revealed” state
  • Credentials remain accessible to Keyholders who participated
  • The Safe can be removed (deleted) when no longer needed
  • The safekeeper’s encryption Key is reconstructed and used to decrypt credentials

The Safe doesn’t automatically delete. Keyholders or the safekeeper must manually remove it.

What if SafekeeperLife is no longer available?

Your Key file still works. If SafekeeperLife shuts down, you will be provided with:

  1. A Safe export file containing the encrypted credentials from the database
  2. The Safe Recovery Tool – an open-source application that works offline

To recover credentials without SafekeeperLife:

  1. Gather at least K Keyholders (where K is the Safe’s threshold, shown in the export file)
  2. Each Keyholder provides their original Key file PNG
  3. Run the Safe Recovery Tool: ./safe_recovery --export safe_export.json key1.png key2.png key3.png
  4. The tool reconstructs the encryption key and decrypts the credentials

Critical: Keep your original Key file PNG safe. Do not modify, screenshot, or re-save it – the cryptographic data is embedded in the file’s metadata and will be destroyed by re-encoding.

For full details, see the Data Continuity Guide.

Questions or issues? Contact SafekeeperLife support or see the General FAQ.

Need Help?

Can't find what you're looking for? Check out our other guides or return to the documentation index.

← All Documentation Getting Started Guide →
Back to Documentation Getting Started Guide