Upon vaults are always end-to-end encrypted, and are the only encrypted inheritance vault provider with a public whitepaper.
Straightforward security for protecting your digital estate.
Trust the cryptography
Cryptography is more robust than infrastructure. Upon enforces its security guarantees with cryptography rather than relying on the correctness of systems and access controls alone.
Intentional privacy
We can't mishandle data we never have access to. Upon is designed to minimise our collection of and access to sensitive data.
Openness
We explain the security design of Upon so that others can understand and critique our decisions.
Upon vaults are only ever accessible by vault owners and their beneficiaries. Even Upon cannot read your vault.
Only you and your beneficiaries can access your vault data. The vault is encrypted with keys that only you and your beneficiaries possess, meaning no third party can ever read your data, even Upon.
Your vault key is split between your beneficiaries, meaning a minimum number of your beneficiaries are required to reconstruct the full key together to decrypt your vault.
Users have both a memorable password and a secret key. These are combined and stretched using Argon2id to derive the user's authentication and encryption keys. The separate 128-bit secret key is randomly generated to provide brute-force resistance and to supplement the lower entropy of most user passwords: an attacker who obtains the server-side data still has to guess the secret key as well as the password.
A user's key store contains the vault encryption keys and the user's Ed25519 and Kyber1024 keys. The key store is encrypted with ChaCha20-Poly1305 under the user's encryption key, derived from their password and secret key by the two-secret derivation above, so only the user can open it.
Vault encryption keys are generated client-side with a cryptographically secure random number generator and are used to encrypt vault data with ChaCha20-Poly1305.
Vault intermediate keys are also generated client-side and are used to encrypt the primary vault encryption key with ChaCha20-Poly1305. The intermediate key allows the beneficiaries to be changed without re-encrypting the vault, and the vault to be re-encrypted without changing the beneficiary shares.
The vault intermediate key is split using Shamir's Secret Sharing to create one key share per beneficiary. Key shares are transmitted by deriving a shared secret from the vault owner's and the beneficiary's Ed25519 and Kyber1024 keys in a quantum-resistant hybrid arrangement. This shared secret is then stretched and used to encrypt the key share with ChaCha20-Poly1305.
After the release of the vault, beneficiaries send their key share to all other beneficiaries following the same quantum-resistant shared-secret arrangement. This cryptographic setup ensures a single beneficiary cannot decrypt a vault alone, even with full access to the encrypted data. The Upon systems are also designed to ensure that beneficiaries aren't given access to the encrypted data or key shares until necessary.
No, we cannot access your data. Your data is end-to-end encrypted, meaning only you can access your vault data while you hold it. Even after release your vault data remains encrypted, and only your beneficiaries will be able to access it.
A single beneficiary cannot decrypt your vault data alone. Only after a minimum number of your beneficiaries have agreed to release the vault will each beneficiary be able to reconstruct the vault key.
Beneficiaries will need to have created an Upon account to be able to access your vault. They will be prompted to create a free beneficiary account when invited to be a beneficiary for the first time.
Ensure that your memories and assets will be passed on to your loved ones. Create your inheritance vault today and rest easy knowing your legacy is secured.