Overview
The dead man’s switch ensures your trusted contacts can access your vault if you become incapacitated or inactive for an extended period. After a configurable inactivity timeout, PassAgent initiates a secure key exchange to transfer vault access to designated recipients.How it works
Configure
Enable the dead man’s switch and set your inactivity threshold (e.g., 30, 60, or 90 days).
Add trusted contacts
Designate trusted recipients by email. Each recipient receives an encrypted invite.
Select transfer scope
Choose to transfer your full vault or selected credentials only. Optionally include or exclude notes.
Trusted recipients
Each trusted recipient:- Receives an encrypted invite token containing a wrapped copy of the family vault key
- Must have a PassAgent account to accept the transfer
- Goes through a key exchange process using RSA-OAEP encryption
- Can be removed at any time before activation
Transfer scope
- Full vault
- Selected credentials
All credentials in your vault are included in the transfer. This is the simplest option for full estate planning.
Security model
- Vault keys are wrapped using AES-KW and encrypted with the recipient’s public key
- Invite tokens are generated with unique salts using
generateInviteSalt() - Key exchange status is tracked per recipient (“Key ready” vs “Pending key”)
- The switch can be disabled at any time — removing all pending transfers
Activity log
The dead man’s switch maintains a detailed activity log:- Last activity: your most recent login timestamp
- Days remaining: countdown to activation
- Check-in reminders: notifications before the threshold is reached
- Transfer events: when and to whom transfers were initiated