Access that outlives you — on your terms.
A delayed release flow with a cancellation window and local decryption. The server holds timing state and encrypted artifacts — never readable data.
Back to main sitePractical workflows
Delayed release with a cancellation window — not instant access to everything.
Hand off recovery instructions
Set a delay and a recipient. If you stop checking in and the delay expires without cancellation, the recipient gets the encrypted package. Not before.
Split-key handoff for shared storage
The service holds one key part and timing state. The other part stays with your storage. Neither side alone can decrypt.
Sealed instructions for continuity
Recovery packages, role handoff notes, operational runbooks — released only after the delay window closes. Not readable until then, not even by the service.
How it works
Set the policy
Configure delay, inactivity threshold, recipient tokens, and the encrypted material for the chosen release model.
Check in
Each check-in resets the timer and cancels pending requests. Inactivity is the only release trigger.
Artifact release
After the delay expires, the recipient gets an encrypted artifact. Decryption or key reconstruction happens locally — the server never sees plaintext.
Security boundaries
No plaintext on the server
The service stores timing state and encrypted artifacts or one key part. It never holds readable data.
Delay and cancellation window
Release is intentionally delayed. The owner can cancel before the window closes — no irreversible handoff without notice.
Fail-closed by default
If release state is unavailable, the system blocks access. It does not guess or release optimistically.
Limits and prerequisites
Emergency Access solves delayed handoff. It does not solve every trust problem.
- This is not live access to another vault. The service releases an artifact under policy — not an always-on backdoor.
- Notifications help, but they are not the trust model. The delay window is.
- The spec does not promise protection against a fully compromised escrow service.
What this is not
Not a “break glass and get everything now” feature. A delayed, policy-driven release with explicit constraints.
Need recovery handoff without plaintext on the server?
Set up Emergency Access as a conservative release policy. Review the threat model before relying on it.