Protect your digital legacy with zero-knowledge encryption.
SilentKey is a self-hosted Dead Man's Switch. It monitors your activity via periodic check-ins (heartbeat) and automatically delivers encrypted vaults to your designated recipients if you become unavailable.
All sensitive data is encrypted client-side using the same cryptographic primitives as Proton Mail (OpenPGP.js, Curve25519, AES-256-GCM, SRP 6a). The server never sees your passwords or plaintext data.
- If you pass away today, can your family access your bank accounts, crypto wallets, or important documents?
- If a key team member goes offline, does your company lose access to critical infrastructure?
- Existing solutions require blind trust or are too fragile to rely on.
SilentKey provides a secure, automated system to distribute the right secrets to the right people, strictly when needed — with zero-knowledge encryption so not even the server operator can read your data.
- Proton-grade cryptography — OpenPGP.js (Curve25519, AES-256-GCM), same library and algorithms as Proton Mail/Pass
- SRP 6a authentication — your password never leaves the browser
- Client-side encryption — all vault content encrypted before reaching the server
- 12-word recovery phrase — account recovery without server involvement
- Configurable check-in intervals (default: 72 hours)
- 5-stage escalation: Active → Warning → Grace Period → Triggered → Expired
- Undo window — check in during the triggered state to cancel delivery
- Pause/resume monitoring at any time
- Create multiple vaults for different purposes (family, business, legal)
- Per-vault encryption keys — each vault has its own AES-256 key
- Assign specific recipients to specific vaults
- Automatic email delivery when the heartbeat expires
- Retry logic (3 attempts) via Redis-backed job queues
- Test triggers before relying on them
- Recipient access page with client-side decryption
- 12-word recovery phrase generated at registration
- Recover your account and set a new password without server assistance
- New recovery phrase generated after each recovery
- Single Docker image — deploy with `docker-compose up`
- PostgreSQL + Redis — standard, battle-tested infrastructure
- AGPLv3 licensed — free to use, modify, and self-host
- Full data export (encrypted vaults + OpenPGP keys)
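The 5-stage escalation and undo window listed above, modelled as a small pure state machine. This is an added illustration, not SilentKey's own code: the 72-hour check-in interval is the README default, while the warning, grace and undo durations are assumed values chosen for the example.

```javascript
// Added example (not SilentKey's own code): a model of the 5-stage heartbeat
// escalation. The 72h check-in interval is the README default; the warning,
// grace and undo durations below are assumptions made for illustration.
const HOUR = 60 * 60 * 1000;
const DEFAULTS = {
  checkInInterval: 72 * HOUR, // README default
  warningWindow: 24 * HOUR,   // assumed: Warning lasts 24h past the interval
  graceWindow: 24 * HOUR,     // assumed: Grace Period lasts another 24h
  undoWindow: 12 * HOUR,      // assumed: Triggered stays cancellable for 12h
};

// Derive the stage purely from the switch record and the clock.
function stageOf(sw, now, cfg = DEFAULTS) {
  if (sw.paused) return 'PAUSED';          // monitoring suspended by the owner
  if (sw.deliveredAt) return 'EXPIRED';    // vaults already sent: no undo
  const overdue = now - sw.lastCheckIn - cfg.checkInInterval;
  const graceEnd = cfg.warningWindow + cfg.graceWindow;
  if (overdue < 0) return 'ACTIVE';
  if (overdue < cfg.warningWindow) return 'WARNING';
  if (overdue < graceEnd) return 'GRACE';
  if (overdue < graceEnd + cfg.undoWindow) return 'TRIGGERED';
  return 'EXPIRED';
}

// A heartbeat resets the timer and cancels a pending delivery while the
// switch is still in the undo window; delivered vaults cannot be recalled.
function checkIn(sw, now, cfg = DEFAULTS) {
  const stage = stageOf(sw, now, cfg);
  if (stage === 'EXPIRED') return { sw, result: 'too-late' };
  const result = stage === 'TRIGGERED' ? 'delivery-cancelled' : 'ok';
  return { sw: { ...sw, lastCheckIn: now }, result };
}

// What the background scheduler should do for this switch at time `now`.
function schedulerAction(sw, now, cfg = DEFAULTS) {
  switch (stageOf(sw, now, cfg)) {
    case 'WARNING':   return 'email-owner-reminder';
    case 'GRACE':     return 'email-owner-final-warning';
    case 'TRIGGERED': return 'queue-delivery';   // job fires after the undo window
    case 'EXPIRED':   return sw.deliveredAt ? 'noop' : 'deliver-vaults';
    default:          return 'noop';
  }
}
```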
| Layer | Technology |
|---|---|
| Backend | NestJS + TypeScript |
| Frontend | React + Vite + shadcn/ui + Tailwind CSS |
| Database | PostgreSQL 16 + Prisma ORM |
| Auth | SRP 6a protocol + JWT sessions |
| Encryption | OpenPGP.js v6 (Curve25519, AES-256-GCM) |
| Background jobs | Bull (Redis queues) + NestJS Scheduler |
| Email | Nodemailer + Handlebars templates |
| Deployment | Docker multi-stage build |
- Docker & Docker Compose
- Node.js 20+
- npm 9+
```bash
# Start Postgres + Redis
docker-compose -f docker-compose.dev.yml up -d

# Install dependencies
npm install

# Build shared package (required first)
npm run build --workspace=packages/shared

# Generate Prisma client & run migrations
npx prisma generate --schema=apps/api/prisma/schema.prisma
npm run db:migrate --workspace=apps/api

# Start dev servers (API on :3000, Web on :5173)
npm run dev
```

```bash
# Configure environment
cp .env.example .env
# Edit .env with your settings (DATABASE_URL, SMTP, JWT_SECRET, etc.)

# Build and run
docker-compose up -d
```

The application will be available at http://localhost:3000.
SilentKey is designed to be self-hosted. The Docker image includes both the API and the web frontend served from a single container.
Requirements:
- PostgreSQL 16+
- Redis 7+
- SMTP server (for email notifications)
Environment variables: See .env.example for the full list. Key settings:
- `DATABASE_URL` — PostgreSQL connection string
- `REDIS_HOST` / `REDIS_PORT` — Redis connection
- `JWT_SECRET` — minimum 32 characters, required in production
- `SMTP_HOST` / `SMTP_PORT` / `SMTP_USER` / `SMTP_PASS` — email delivery
- `APP_URL` — public URL of your instance
- `CORS_ORIGIN` — allowed origin for API requests
Upgrading:
```bash
docker-compose pull
docker-compose up -d
# Database migrations run automatically on startup
```

SilentKey follows a zero-knowledge architecture:
- The server never sees: your password, plaintext vault content, or unencrypted private keys
- The server stores: SRP verifier, encrypted blobs, armored public keys
- Authentication: SRP 6a — the password is used to derive a verifier on the client; the server verifies without ever receiving the password
- Key hierarchy: User Password → bcrypt hash → OpenPGP passphrase (encrypts private key) + SRP verifier (sent to server)
- Vault encryption: Random 32-byte AES-256-GCM key per vault, encrypted with the user's OpenPGP public key
- Recovery: Private key encrypted with a 12-word recovery phrase, stored as an opaque blob on the server
- Refresh tokens: httpOnly cookies (XSS-resistant), access tokens in memory only
- Phase 1 (MVP) — Heartbeat monitoring, zero-knowledge encryption, email triggers, encrypted vaults, account recovery, Docker deployment
- Phase 2 — Webhook integrations, Shamir's Secret Sharing, API keys, 2FA, email check-in
SilentKey is licensed under the GNU Affero General Public License v3 (AGPLv3).
- Free for personal and commercial self-hosting
- If you modify the code and offer it as a service, you must open-source your modifications