Inside Afterglow: How Our Zero-Knowledge Decryption Works

Jan 15, 2025

Introduction

At Afterglow, we believe that security should never rely on "trusting" a service provider. Instead, it should rely on verifiable mathematics. This post explains the technical pillars that ensure your digital legacy remains private until the exact moment it needs to be released.

1. True Client-Side Encryption

When you store a password or a file in your Afterglow vault, the encryption process happens entirely within your browser.

The Process: Your Master Password is used to derive a high-entropy symmetric key via the PBKDF2 algorithm (Password-Based Key Derivation Function 2). This algorithm applies a cryptographic hash function thousands of times to transform your password into a secure encryption key.

The Result: Only "ciphertext"—data that looks like random noise—ever leaves your computer. Afterglow servers never hold your raw password or keys. Even if our servers were compromised, attackers would only see encrypted gibberish.
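
The flow described in this section, as an added JavaScript (WebCrypto) example; it is not Afterglow's own code. The post names only PBKDF2, so AES-GCM, SHA-256, the 16-byte salt, the 12-byte IV, the 600,000-iteration count and all function names are assumptions.

```javascript
// Added illustration; not Afterglow's code. AES-GCM, SHA-256, the salt/IV sizes
// and the iteration count are assumptions; the post names only PBKDF2.
// Browsers and Node >= 19 expose WebCrypto globally; the fallback covers older Node.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const PBKDF2_ITERATIONS = 600000; // assumed work factor
const enc = new TextEncoder();

// Stretch the master password into a non-extractable AES-256-GCM key.
async function deriveVaultKey(masterPassword, salt, iterations) {
  const material = await webcrypto.subtle.importKey(
    'raw', enc.encode(masterPassword), 'PBKDF2', false, ['deriveKey']);
  return webcrypto.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt locally. The returned record is everything the server would receive:
// salt, IV and iteration count are public parameters, the rest is ciphertext.
async function sealVaultItem(masterPassword, plaintext) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh per item
  const key = await deriveVaultKey(masterPassword, salt, PBKDF2_ITERATIONS);
  const ciphertext = new Uint8Array(await webcrypto.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(plaintext)));
  return { salt, iv, iterations: PBKDF2_ITERATIONS, ciphertext };
}

// Decrypt locally. Resolves to null when the password is wrong or the record
// was modified, because the AES-GCM tag check then fails.
async function openVaultItem(masterPassword, record) {
  const key = await deriveVaultKey(masterPassword, record.salt, record.iterations);
  try {
    const plain = await webcrypto.subtle.decrypt(
      { name: 'AES-GCM', iv: record.iv }, key, record.ciphertext);
    return new TextDecoder().decode(plain);
  } catch {
    return null;
  }
}
```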

2. The Heartbeat Mechanism

How does the system know when to release your legacy? We use a sophisticated "Heartbeat" logic.

The Contract: Free tier users are required to perform a check-in every 180 days to confirm their active status. Base plan users check in every 90 days, and Pro plan users every 30 days.

The Grace Period: If a heartbeat is missed, the system enters a "Grace Period," triggering a sequence of escalation alerts via the Resend API to ensure you haven't simply forgotten to log in. Multiple reminder emails are sent before the inheritance process begins.

The Trigger: Only after the grace period expires without any activity does the system initiate the preset inheritance workflow.

3. Fragment A/B: The Fail-Safe Dual Key

To prevent a single point of failure, we introduced the Fragment A/B system for Pro users.

Fragment A (Cloud): An encrypted shard stored on our secure servers. This fragment alone cannot decrypt your vault.

Fragment B (Physical): A unique decryption component delivered via physical mail through ShipAny or held by a designated beneficiary. This fragment alone also cannot decrypt your vault.

Security Logic: Access to the vault requires both fragments to be combined. This mirrors real-world safety deposit boxes, where the bank's key and your key must work together to open the vault. Because neither fragment can decrypt the vault on its own, your assets remain secure even if Fragment A is compromised (cloud breach) or Fragment B is lost (physical theft).

4. Beneficiary Authentication

When the inheritance process is triggered, beneficiaries must authenticate using:

Release Token: A cryptographically secure token sent to the beneficiary's email address. This token has a limited validity period and can only be used once.

Fragment Verification: For Pro plans, beneficiaries must provide Fragment B (either from physical mail or their own secure storage) along with Fragment A to complete decryption.

5. Why Not Just Share Passwords?

Many users ask: "Why not just write down passwords and give them to family members?"

Security Vulnerabilities: Plaintext password records are easily stolen by hackers, lost in physical disasters, or accessed by unauthorized individuals.

Unintended Access: Pre-sharing passwords can lead to family disputes or premature access before the right time.

No Automation: Manual password sharing doesn't account for what happens if you're incapacitated but still alive—your family might access everything prematurely.

Afterglow solves these problems by combining automated triggers, cryptographic security, and physical safeguards.

Conclusion

Digital inheritance planning is not about death; it's about control over your life's work. Afterglow's zero-knowledge architecture ensures that your digital legacy remains private, secure, and accessible only when and how you intend.

Start building your first encrypted vault at Afterglow today.


Questions? Contact us at support@digitalheirloom.app