Consider what happens when someone who uses full-disk encryption, a hardware security key, and end-to-end encrypted messaging dies without leaving access instructions. Their laptop is a brick. Their phone requires a PIN that only they knew. Their password manager — the master key to everything else — is encrypted with a passphrase they never wrote down. The carefully built security stack that protected them in life now protects their data from their own family.
This isn't a hypothetical edge case. It's increasingly common as security hygiene improves among technically engaged people. And unlike physical estate planning, there's no probate process that can compel Apple or Signal to unlock a dead person's device — because cryptographically, there's nothing to compel. The data is simply inaccessible.
What Actually Happens to E2EE Accounts
Different services handle death differently, and the answers are often worse than people expect:
Apple: Apple's Digital Legacy program (introduced in iOS 15.2) allows you to designate up to five legacy contacts who can request access to your iCloud account after you die. They receive an access key that, combined with a death certificate, unlocks your account. However, iCloud backups of iMessages are encrypted with Apple's key, not yours — so legacy contacts can access those. Local device data encrypted with your device passcode cannot be accessed without the passcode, regardless of legal process or family relationship.
Google: Google's Inactive Account Manager lets you designate trusted contacts to receive your data after a specified period of inactivity. The data they receive is whatever Google has access to — which for Gmail includes your emails (Google can read them), but excludes any locally encrypted content.
Signal: There is no mechanism. Signal has no server-side copy of your messages and no account recovery process. A Signal account tied to a dead person's phone number becomes inaccessible if the number is recycled or the device is lost. Messages on the receiving end remain in recipients' apps; messages on the sender's device are gone with the device.
Password managers: 1Password and Bitwarden both offer emergency access features — a designated contact can request access, and after a waiting period you specify, they receive it. This is the most important digital estate planning step for most people, because the password manager is the root of access to everything else.
| Service | Death / Legacy Access | What's Accessible | What's Permanently Lost |
|---|---|---|---|
| Apple iCloud | Digital Legacy contacts | Photos, contacts, notes, iCloud backups | Local device data (passcode required) |
| Inactive Account Manager | Gmail, Drive, Photos, YouTube | Locally encrypted files | |
| Signal | None | Nothing server-side | All messages on lost/locked device |
| 1Password | Emergency Access (wait period) | All vault items | Items not synced |
| Bitwarden | Emergency Access (configurable) | All vault items | Items not synced |
| Full disk encryption | None (by design) | Nothing without key/passphrase | Everything, permanently |
Strategies: Dead Man's Switches and Emergency Access
There are a few technically sound approaches to this problem, each with different security properties:
Password manager emergency access: The simplest and most impactful step. Set up an emergency access contact in your password manager with a wait period that matches your threat model — 7 days is common. The wait period is the security mechanism: you can cancel a request from a social engineer, but a legitimate heir will wait. Your password manager passphrase, plus emergency access setup, is the foundation of everything else — because whoever has your passwords can access most of your accounts.
Sealed document with a lawyer or trusted person: Write down your master passphrase and critical recovery keys on paper, put them in a sealed envelope, and store it with your lawyer alongside your will, or in a fireproof safe with instructions for your executor. This is low-tech but highly reliable. The risk is whoever has physical access to the document. For most people, a trusted family member or lawyer is a reasonable risk profile.
Shamir's Secret Sharing: A cryptographic technique that splits a secret into N shares, any M of which can reconstruct the original (an M-of-N scheme). For example: split your master passphrase into 5 shares, any 3 of which can reconstruct it. Give one share each to five trusted people — none of them can access your data alone, but three acting together can. Tools like Hashicorp Vault and various command-line utilities implement this. The operational complexity is higher than a sealed envelope, but it distributes trust.
Automated dead man's switch: Services like DeadManZero or hand-rolled scripts can be configured to send access instructions to designated recipients if you don't check in regularly. This is technically elegant but operationally fragile — a missed check-in due to hospitalization or extended travel can trigger it prematurely. False positives are a real operational risk.
Every mechanism that makes your data accessible after death is also a potential attack surface during your life. A sealed document can be stolen. Emergency access can be social-engineered. Shamir shares can be coerced. The right answer depends on your specific threat model — who are you protecting against, and what does the data being accessed by the wrong person actually cost? There's no universally correct answer.
The Key Escrow Question
"Key escrow" — storing a copy of your encryption keys with a trusted third party — has a troubled history. Governments have proposed mandatory key escrow for law enforcement access, and the cryptography community has consistently demonstrated that such systems create vulnerabilities that outweigh their benefits. A centrally stored copy of everyone's encryption keys is an extraordinarily high-value target.
Personal voluntary key escrow is a different proposition. Choosing to give a copy of your passphrase to your lawyer or your spouse is a decision you make about your own data, for your own reasons. The question is: who do you actually trust with this, and what are the consequences if that trust is misplaced?
For most people, the answer is a combination: use your password manager's emergency access for the bulk of your digital life (the wait period is a meaningful protection), keep one sealed physical document with your most critical credentials alongside your will, and be explicit in your estate planning documents about what digital assets exist and how to access them.
What to Document for Your Heirs
The practical minimum that makes a meaningful difference:
- Password manager: Which one you use, the master passphrase (or the emergency access contact who can unlock it), and instructions for requesting emergency access.
- Device PINs and passwords: Your phone unlock code, your laptop login password, your disk encryption passphrase if different from your OS login.
- Two-factor authentication: Where your 2FA backup codes are stored. If you use a hardware key (YubiKey, etc.), where it is physically located.
- Critical account list: Financial accounts, email accounts, anything with significant practical or sentimental value. Heirs can't know what they don't know exists.
- Cryptocurrency: If you hold cryptocurrency, your heirs need the seed phrase or hardware wallet PIN. Crypto without seed phrase access is permanently lost. This is not a recoverable situation via any legal mechanism.
The document containing this information should be stored somewhere physically secure (safe, lawyer's office, safety deposit box) and should be updated whenever you change your master passphrase or add significant accounts. The most common failure mode is a document that's accurate when written and years out of date when needed.
Encrypted Data You're Comfortable Losing
It's worth explicitly deciding which encrypted data you're comfortable having permanently destroyed at death. Private messages in an E2EE messenger may be intentionally ephemeral — the conversation privacy you maintained in life extends to your passing, and you may actively prefer that those messages aren't accessible to anyone. Disappearing messages formalize this decision during your lifetime; the same logic applies at death.
An explicit decision is better than an implicit one. "I have decided my private messages will be permanently inaccessible after I die, and that's acceptable to me" is a different situation than "I assumed someone would figure out how to get to this, and they can't." Knowing which of your encrypted data falls into each category is itself a form of digital estate planning.
Haven keeps your messages in an encrypted local database on your device. The disk encryption protects that database in transit and at rest. What's recoverable after you die depends entirely on whether your heirs have your device unlock code and your Haven passphrase — Haven itself has no server-side copy and no recovery mechanism.