How to protect your family's documents with encryption
My mom keeps her important documents in a fireproof lockbox in her closet. Birth certificates, the deed to the house, insurance policies. She feels good about that setup, and honestly, for a long time it was the best option available.
But here's the thing she hadn't thought about: what happens if she needs to share those documents with me, and we live in different states? What happens if a flood takes the whole house? And what about the stuff that doesn't fit in a lockbox -- passwords, account numbers, the letter she wrote to my sister?
That's where digital storage comes in. And that's where most people's eyes glaze over, because someone starts talking about "encryption protocols" and "256-bit keys" and suddenly it feels like you need a computer science degree just to keep your family's paperwork safe.
You don't. Let me explain this the way I wish someone had explained it to me.
What encryption actually means (no jargon, I promise)
Think about sending a postcard. Anyone who handles that postcard along the way -- the mail carrier, the sorting facility, a nosy neighbor -- can flip it over and read what you wrote. That's what unprotected digital storage looks like. Your files sit on a company's server, and technically, people at that company could look at them. Hackers who break into that server could read them too.
Now imagine you wrote that postcard in a code that only certain people understand. Even if someone intercepts it, they just see gibberish. That's encryption.
There are three different versions of "encryption" you'll see advertised, and they offer very different protection:
Encryption in transit (TLS). This protects your file as it travels between your device and the company's servers. Almost every reputable service uses it. It prevents someone snooping on the network from reading the data while it's moving. It does nothing once the data lands.
Encryption at rest. Your file is encrypted while it sits on the company's servers. If a hard drive gets stolen from the data center, the thief gets scrambled bytes instead of your documents. Most cloud platforms do this by default. The catch: the company holds the decryption keys, so their systems (and their employees, with the right access level) can read your data. A court order can compel them to hand it over.
End-to-end encryption (E2EE). The strongest of the three. Your file gets scrambled on your device before it ever leaves, using a key only you (and people you grant access) hold. The company carrying the file never has the key. They couldn't read your stuff even if they wanted to, even if a court ordered them to, even if a hacker broke into every server they own.
Regular at-rest encryption is like a locked mailbox where the post office has a spare key. End-to-end encryption is like a locked mailbox where only you and your chosen recipient have keys, and no spare exists.
Most products that say "encrypted" mean at-rest plus TLS. Both are worth having. Neither is E2EE. The distinction matters when you're storing things you can't afford to have read by the wrong person.
Why this matters for your most personal documents
You might be thinking: "I'm not a spy. I'm not hiding anything. Why do I need to think about this?"
Fair question. Here's my answer.
The documents you leave behind for your family are some of the most sensitive things you'll ever create. We're talking about:
- Financial information -- bank accounts, investment accounts, insurance policies, debts
- Legal documents -- wills, powers of attorney, property deeds
- Medical wishes -- advance directives, DNR orders, organ donation preferences
- Personal messages -- letters to your children, your spouse, your grandchildren
If any of this gets into the wrong hands, the consequences range from identity theft to emotional devastation. Someone stealing your bank account numbers is bad enough. But imagine a stranger reading the letter you wrote to your daughter for her wedding day.
This is exactly why important information should be securely stored for your loved ones -- not just stored somewhere, but stored in a way that keeps it appropriately private.
At-rest encryption is the industry baseline and is usually enough for routine documents. For the most sensitive items, end-to-end encryption -- or self-encrypting before uploading -- raises the bar much higher.
The three things that actually matter when choosing where to store documents
I'm not going to give you a feature comparison chart. Instead, here are the three questions worth asking about any service where you're considering storing sensitive family documents.
1. Who can read your files?
This is the big one. If a company says they use "encryption" but doesn't specify what kind, assume at-rest encryption. That means they encrypt your files on their servers -- better than nothing -- but it also means the company holds the decryption keys. Their employees could theoretically access your files. A government subpoena could compel them to hand over your data.
With true end-to-end encryption, the answer to "who can read your files?" is: only you and the people you explicitly grant access. Nobody else.
Honest services will tell you plainly which model they use. Vague language like "bank-level security" or "military-grade encryption" without specifics is a yellow flag.
2. What happens if you lose your password?
Here's the trade-off with end-to-end encryption that most people don't talk about: if the company doesn't hold your keys, they can't help you recover your account if you forget your password. There's no "reset password" magic button when E2EE is done right.
That means you need a plan. Write down your master password and keep it somewhere physically safe. Some services offer recovery keys -- long codes you can print and store in a safe deposit box. This is worth the inconvenience.
If a product offers "forgot password" recovery and end-to-end encryption at the same time, something is off. One of those claims is probably not what it sounds like.
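The key arrangement behind that trade-off, as an added example (not code from any particular service): a random document key is locked twice on your device, once under the password and once under a printed recovery code, and the provider stores only the locked copies. Assumptions: the function names are hypothetical, the PBKDF2 round count is a chosen value, and the HMAC-based wrap is a standard-library stand-in for the AES key wrap or authenticated cipher a real product would use.

```python
import hashlib, hmac, secrets

ROUNDS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this sketch)

def derive_kek(secret: str, salt: bytes) -> bytes:
    """Stretch a password or printed recovery code into a key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ROUNDS)

def _pad(kek: bytes, nonce: bytes) -> bytes:
    return hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()

def _tag(kek: bytes, body: bytes) -> bytes:
    return hmac.new(kek, b"mac" + body, hashlib.sha256).digest()

def wrap_key(kek: bytes, data_key: bytes) -> bytes:
    """Stdlib stand-in for AES key wrap: XOR with an HMAC pad, then authenticate."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data_key, _pad(kek, nonce)))
    return nonce + ct + _tag(kek, nonce + ct)

def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _tag(kek, nonce + ct)):
        raise ValueError("wrong password or recovery code")
    return bytes(a ^ b for a, b in zip(ct, _pad(kek, nonce)))

def enroll(password: str):
    """Runs on the user's device. Only `record` is ever sent to the provider."""
    data_key = secrets.token_bytes(32)       # encrypts the documents themselves
    recovery_code = secrets.token_hex(16)    # printed once, kept offline
    record = {}
    for slot, secret in (("password", password), ("recovery", recovery_code)):
        salt = secrets.token_bytes(16)
        record[slot] = (salt, wrap_key(derive_kek(secret, salt), data_key))
    return data_key, recovery_code, record

def unlock(secret: str, record: dict, slot: str) -> bytes:
    salt, blob = record[slot]
    return unwrap_key(derive_kek(secret, salt), blob)

if __name__ == "__main__":
    key, code, record = enroll("constructed-example-passphrase")
    assert unlock(code, record, "recovery") == key   # printed code still opens the vault
    try:
        unlock("guess", record, "password")          # provider has no key to "reset" with
    except ValueError as err:
        print("locked out:", err)
```

The provider's copy (`record`) holds only salts and wrapped keys, so a "forgot password" link on its side has nothing to unlock them with; the printed recovery code is the only second way in.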
3. Can your family actually get to the files when they need them?
Security means nothing if your family can't access your documents after you're gone. The whole point of planning and storing your legacy letters securely online is that the right people can reach them at the right time.
Look for services that let you designate trusted contacts or set up some kind of inheritance mechanism. The best systems let you decide in advance who gets access and under what conditions, without compromising security while you're alive.
A perfectly encrypted vault that nobody but you can ever open is, for legacy purposes, the same as no vault at all.
How to get started (practical steps)
Alright, enough theory. Here's what to actually do.
Gather your documents first
Before you worry about encryption software, figure out what you're protecting. Pull together everything your family would need if something happened to you tomorrow. That usually includes:
- Government-issued IDs and vital records (birth certificate, marriage certificate, Social Security card)
- Financial account information -- not just the balances, but the account numbers and how to access them
- Insurance policies (life, health, home, auto)
- Legal documents (will, trust, power of attorney)
- Medical information and wishes
- Login credentials for important accounts
- Personal letters or messages you want delivered
Don't try to do everything in one sitting. Start with the stuff that would cause the most chaos if it disappeared, and work outward from there.
Digitize what isn't digital yet
For physical documents, scan them or take clear photos. Most phones today take photos sharp enough to capture fine print on legal documents. Save them as PDFs when you can -- they're more universally readable than image files and they preserve formatting better.
Make sure you're doing this on a device you trust. Your personal phone or computer is fine. The shared computer at the public library is not.
Pick the right storage model for each document
Not everything you store needs the strongest level of encryption. A scan of your driver's license is sensitive, but the consequences of leaking it differ from the consequences of leaking a deeply personal letter to your daughter.
A reasonable approach:
- Routine documents (insurance policies, account numbers): a reputable cloud storage service with TLS and at-rest encryption is usually fine.
- Highly sensitive documents (anything you'd be devastated to see leaked): either use an E2EE service, or encrypt the file yourself first (with 7-Zip, VeraCrypt, or an encrypted PDF) and upload the encrypted version anywhere.
- Personal letters meant for specific people after you're gone: use a service designed for legacy delivery, with clear access controls — and consider self-encrypting the most private letters before uploading them.
When you're evaluating a service, look for these things in their documentation:
- Plain language about which kind of encryption they use (in transit, at rest, end-to-end)
- A clear statement of what employees can and can't access
- An honest policy about what happens if law enforcement requests your data
- A documented account-recovery model that matches what they claim about encryption
Understanding why end-to-end encryption matters for your most personal letters goes deeper into when the stronger model is worth it.
Set up your access plan
Once your documents are stored, think about the access question. Who needs to get to these files, and when?
For most families, this means:
- Your spouse or partner gets access to everything
- Your adult children get access to specific documents
- Your executor or attorney gets access to legal and financial records
- Maybe a close friend or sibling gets access to certain personal letters
Write this plan down. Store it alongside your documents. Make sure at least one person you trust knows the plan exists and where to find it.
This is really about making sure both digital and physical copies of important documents are covered -- because having well-protected digital copies and a clear physical note about how to access them is the combination that actually works.
Keeping things secure over time
Setting up secure storage isn't a one-and-done task. A few things to stay on top of:
Update your documents when life changes. New bank account? Add it. Got divorced? Update your access list. Moved to a new state? Your legal documents might need updating too. Set a reminder once or twice a year to review what's stored and make sure it's current.
Don't reuse passwords. Your master password for any storage account should be unique -- not the same one you use for your email or Amazon account. If another service gets breached and you've reused that password, the storage account is now vulnerable. A password manager helps.
Keep your recovery information current. If you printed a recovery key two years ago and have since moved, make sure that key made it to your new home. If your trusted contact has changed, update that too.
Pay attention to notifications from your storage provider. If they notify you about a security update or a policy change, take it seriously. Read it. It takes five minutes and could save you from a real problem.
The honest truth about all of this
No system is perfectly secure. Someone determined enough, with enough time and resources, can theoretically break into anything. That's true of your bank, your email, and any document storage you choose.
Good encryption raises the bar high enough that for all practical purposes, your documents are safe from opportunistic attackers. End-to-end encryption raises it higher. Self-encrypting your most sensitive files before upload raises it higher still.
The real risk isn't that a hacker will crack your encryption. The real risk is that you never set anything up at all, and your family is left scrambling to find account numbers, legal documents, and the words you meant to say but never got around to writing down.
A place to start
If this all feels like a lot, that's okay. You don't have to build a perfect system overnight. Start with one document, one letter, one account number. Get it stored somewhere safe, with encryption appropriate to its sensitivity, and accessible to the right person.
When I Die Files was built as a place to keep your most important documents and personal messages alongside the access controls your family will need. We store data on infrastructure that encrypts in transit and at rest, with per-person sharing so the people you choose can reach what you've left them. For the most sensitive items, you can also encrypt files yourself before uploading them. We're honest about what level of protection you're getting -- because the most important thing is that you actually understand it, not that we sound impressive.
The documents you leave behind are a gift. Protecting them honestly is part of giving that gift well.