FAQ

Questions we actually get

Including the uncomfortable ones. If an answer here seems evasive, tell us. The whole point of this product is that the honest answer is the good answer.

What happens if your company shuts down?

Recovery still works — that's the design constraint everything else was built around. Your printed cards plus your bundle copy plus the open-source offline tool are sufficient, with zero AmberKey infrastructure. The tool is a single file (recover.html) that runs in any browser with no network, mirrored on GitHub, Codeberg, Software Heritage, and the Internet Archive. The formats are open standards (SLIP-39 + age + tar), so even the tool itself is replaceable.

On top of the architecture, our terms commit to a 12-month wind-down: a year's notice, bundles downloadable the whole time, and a final release that converts the product to a fully offline flow. What you lose if we die is convenience, meaning automated check-ins and coordination. What you keep is everything. The full continuity plan.

Why don't you store my bank password? Why can't my heir just log in as me?

Because logging into a dead person's bank account, even by a well-meaning spouse, can constitute unauthorized access, and money moved outside the estate process may have to be unwound and can create personal liability for whoever moved it. Banks have estate services departments whose entire job is transferring a deceased customer's money properly, triggered by a death certificate. That process genuinely works, and it protects your survivors.

So AmberKey stores a map instead: which institutions, account types, last-4 digits, whether accounts are joint or payable-on-death, which autopays will bounce. That's what your executor actually needs. A stored password would only tempt them into trouble. This is a hard rule: regulated-account credentials never go in either layer.

What if someone in my circle loses their card?

One card below the quorum reveals nothing (mathematically nothing, not "encrypted-ly nothing"), so a lost card is a resilience problem, not a security emergency. Quarterly health checks ("is your card still safe?") catch losses early. When one happens, you press re-share: a fresh set of cards is generated from the same vault key, the old set is revoked, and the app walks you through confirming the old cards are destroyed. Your circle's thresholds also carry slack by design, so a single missing card typically doesn't block recovery even before you re-share.

What if a circle member dies before me?

Same remedy, different sadness: choose a replacement, re-share, and distribute new cards. Until you do, the group thresholds usually still leave a working recovery path. The setup wizard shows you exactly which combinations of people can recover, and warns you when you're one person away from a broken quorum. It also asks whether circle members live or travel together, so a single accident is less likely to take out a quorum's worth of cards at once.

What if a circle member and I become estranged?

Remove them and re-share. Their card becomes cryptographically useless the moment the new set exists. Revocation doesn't depend on getting the physical card back, because the new shares are incompatible with the old ones. Nothing they retain (card, photos of it, memorized words) has any power over the new set. Estrangement is common enough that re-sharing is a first-class, one-button operation, not a support ticket.

Can my family recover early? Can they collude?

They can try; you'll know. Any ceremony, even one started with a death certificate, notifies you on every channel and opens a veto window of 3 to 14 days (you pick; default 7). One check-in from you cancels it and resets everything. Collusion therefore requires a quorum of the people you trusted most and your inability to respond for the entire window, and the attempt is visible to the whole circle either way.

Honestly stated: if your entire quorum jointly decides to betray you and you can't answer for a week, they succeed. No secret-sharing scheme can protect you from everyone you chose to trust, acting together. What the design does is make betrayal loud, slow, and traceable instead of quiet and instant, and let you pick the people. More in the threat model.

What if I'm hospitalized or off-grid and miss check-ins?

Missing check-ins starts a deliberately slow ladder, not a release: first an email nudge with a 7-day grace period, then SMS with another 7 days, then a quiet question to a trusted contact with 7 more. Only after all of that can your circle even initiate a ceremony, which then has its own veto window on top. Even at the shortest settings that adds up to nearly eight weeks (30 days + three 7-day grace periods + at least a 3-day veto window) of opportunities for you, or anyone who knows where you are, to stop it with a single tap. When you resurface, one check-in resets everything to normal. Nothing is ever released automatically by silence alone.

What can your employees see? What can a subpoena get?

The same short list, because there is only one list: encrypted bundles we can't decrypt, contact-routing data (your email/phone, circle members' email/phone, card IDs, group assignments, and never their names, which live only in your encrypted bundle and on the printed sealed pages), check-in timestamps and escalation state, and audit logs. No employee can read your vault or packet; neither can a court order directed at us, because capability, not policy, is the boundary. A subpoena gets metadata: that you have a vault, who routes for it, and when checks happened.

The honest caveat: courts can compel your circle members directly, and printed cards are physical evidence like anything else in a home. No cryptography prevents lawful orders aimed at humans. The threat model covers this without flinching.

Why SLIP-39 and not something else? Why age?

SLIP-39 because the split key must survive decades on paper in non-technical hands: it's a published standard with official test vectors, it has group thresholds built in ("any 2 of: spouse, kids, attorney" is native), its wordlist and checksum are designed for humans copying words by hand, and multiple independent implementations exist, so reconstructing never depends on our code. Below the threshold it reveals nothing, information-theoretically.

age because bundle encryption should be boring: a small, formally specified modern format (X25519 + ChaCha20-Poly1305) with mature implementations in many languages and none of PGP's historical foot-guns. Both choices serve one rule: no custom crypto, ever, and nothing proprietary inside the artifacts your family will need. Longer rationale here.

Do the people in my circle need accounts or apps?

No. Never. Circle members hold a printed card and receive occasional one-time links by email or text, for quarterly health checks and, someday, for the ceremony. Links plus paper is the entire footprint. No passwords to forget, no app to keep updated for a decade, nothing to pay for. The final reconstruction happens offline in their browser with the printed cards; even that requires no account with anyone.

What about two-factor authentication on my accounts after I die?

2FA is exactly why the plan covers your phone and devices, not just passwords. The playbooks handle it in layers: keep the phone number alive (the carrier playbook's first rule: that number receives everyone else's reset codes), escrow the device passcode in the vault (an unlocked phone is most of your second factors), and escrow 2FA recovery codes in Layer 2 for critical accounts alongside their credentials. For accounts with native legacy mechanisms, like Google's Inactive Account Manager and Apple's Legacy Contact, survivors bypass 2FA entirely through the official path. The playbooks cover each case.

Is this a will?

No. A will is a legal instrument that controls who owns what, and only a court-recognized document does that. AmberKey solves the adjacent problem wills are bad at: whether your executor and family can actually find and reach what you left (accounts, credentials, instructions, the practical map). The two complement each other: your will names your executor; your AmberKey packet is what makes that executor effective. Please do both, and use a licensed estate attorney for the will. We'll say that anywhere it's relevant, because it's true.

Something we didn't answer? hello@amberkey.app