How We Encrypt Your Files: A Plain-English Guide to Client-Side Encryption
Ever wondered how encryption actually works? We break down our client-side encryption in simple terms - no computer science degree required.
When we say "your files are encrypted," what does that actually mean? If you've ever felt confused by terms like "AES-256" or "client-side encryption," you're not alone. In this guide, we'll explain exactly how Inheritfy protects your files - using analogies anyone can understand.
The Lockbox Analogy: Understanding Encryption
Imagine you have a special lockbox. This isn't an ordinary lockbox - it has a unique property: when you put a document inside and lock it, the document transforms into complete gibberish. Even if someone breaks the box open, all they'd find is meaningless scrambled paper.
The only way to read the document again? Use the exact same key that locked it. When you unlock the box with the correct key, the gibberish magically transforms back into your original document.
[Diagram: Your Document → Encrypt → Encrypted File (P2$vQ7H n!wRzT4) → Decrypt → Your Document]
That's encryption in a nutshell. Your files are transformed into unreadable data that can only be restored with the correct key.
What Is "Client-Side" Encryption?
Here's where Inheritfy is different from most services. There are two places encryption can happen:
Server-Side Encryption
Your file travels to our servers, then we encrypt it. Like mailing a letter to a locksmith who puts it in a safe for you.
Best for: Convenience. We manage keys for you, making it easy to access your files from any device.
Client-Side Encryption
Your file is encrypted on YOUR device, before it ever leaves. Like locking the safe yourself, then mailing the already-locked safe.
Best for: Maximum privacy. We never see your files - only you hold the key.
Zero-Knowledge Architecture
With client-side encryption, Inheritfy has zero knowledge of your files. Even if we were hacked, or a rogue employee tried to peek, or the government demanded access - all anyone would find is meaningless encrypted data. Without your key, it's useless.
How Your Encryption Key Is Created
The security of encryption depends entirely on the key. A weak key is like using "1234" as your password - technically locked, but easily cracked. Here's how we create genuinely strong keys:
Generate 256 Random Bits
Your browser generates 256 completely random bits using a cryptographically secure random number generator. This is like flipping a perfectly fair coin 256 times.
This Becomes Your Encryption Key
Those 256 random bits ARE your encryption key. We encode them in a format computers can use (Base64), resulting in a 44-character string.
Why 256 Bits Matters
A 256-bit key has 2^256 possible combinations. That's a number with 78 digits. To put it in perspective:
- 10^18: Grains of sand on Earth
- 10^24: Stars in the observable universe
- 10^77: Possible 256-bit keys
If you could try one trillion keys per second, it would take longer than the age of the universe - many times over - to try them all. That's why we call it "unbreakable."
How We Store Your Key Safely
Having an unbreakable encryption key is only half the battle. If we stored your key in plain text, anyone who accessed your browser could steal it. So we use a technique called key wrapping - we encrypt your encryption key before storing it.
Here's the clever part: we derive a separate key from your password, and use that to encrypt your actual encryption key. The wrapped key is then stored only in your browser - it never touches our servers. This means:
- Your raw encryption key is never stored anywhere - only the encrypted (wrapped) version exists, and only in your browser
- Your password is never stored either - we only use it momentarily to derive the wrapping key
- Inheritfy's servers never see your key - we couldn't decrypt your files even if we wanted to
- To unlock your vault, you enter your password → your browser derives the wrapping key → decrypts your encryption key → now you can decrypt your files
The Key-Wrapping Process
Here's how it works step by step:
Your actual encryption key is inside, protected by your password
What Gets Stored Where?
| What | Where | When It's Cleared |
|---|---|---|
| Wrapped (encrypted) key | Your browser's localStorage | When you clear browser data |
| Salt for password stretching | Your browser's localStorage | When you clear browser data |
| Unwrapped (usable) key | Your browser's sessionStorage | When you close the tab ✓ |
| Your password | Nowhere (only in memory briefly) | Immediately after use ✓ |
Security by Design
Notice that the usable encryption key only exists while your tab is open. Close the tab, and it's gone. Someone would need both your password AND access to your browser session to decrypt your files.
The 600,000 Rounds: Password Strengthening
You might wonder: if an attacker steals the wrapped key from my browser, can't they just try guessing my password until they find the right one? Technically yes - but we make it extremely slow and expensive for them to try.
When we derive a key from your password, we run it through a process called PBKDF2 (Password-Based Key Derivation Function) with 600,000 iterations. This means every single password guess requires 600,000 cryptographic operations. Here's why that matters:
For You (Legitimate User)
Running 600,000 rounds takes about 0.5 seconds on your device. A tiny delay you won't even notice when unlocking your vault.
For An Attacker (Guessing Passwords)
To try 1 million password guesses, they need to run 600,000 × 1,000,000 = 600 billion operations. That would take years.
This technique (called "key stretching") means that even if an attacker gets your wrapped key, guessing your password is computationally prohibitive.
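The key generation, stretching and wrapping steps described above, as an added example (not Inheritfy's code). It uses Node's built-in crypto module so it runs outside a browser; the PBKDF2 hash (SHA-256), the 16-byte salt, AES-256-GCM as the wrapping cipher and all function names are assumptions, since the page does not specify them.

```javascript
const nodeCrypto = require("node:crypto");

const ITERATIONS = 600000;   // iteration count stated on the page
const KDF_HASH = "sha256";   // assumption: the page does not name the hash

// 256 random bits from a CSPRNG, Base64-encoded (44 characters).
function generateVaultKey() {
  return nodeCrypto.randomBytes(32).toString("base64");
}

// Stretch the password into a 256-bit wrapping key (the slow step).
function deriveWrappingKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, KDF_HASH);
}

// Wrap the vault key. The returned salt and wrapped key correspond to the
// two values the page keeps in localStorage; the password is not retained.
function wrapKey(vaultKeyB64, password) {
  const salt = nodeCrypto.randomBytes(16);          // assumed salt size
  const iv = nodeCrypto.randomBytes(12);
  const kek = deriveWrappingKey(password, salt);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", kek, iv);
  const body = Buffer.concat([
    cipher.update(Buffer.from(vaultKeyB64, "base64")),
    cipher.final(),
  ]);
  const wrapped = Buffer.concat([iv, cipher.getAuthTag(), body]);
  return { salt: salt.toString("base64"), wrapped: wrapped.toString("base64") };
}

// Unwrap. Returns null when the password is wrong or the record was altered,
// because the GCM tag check fails instead of yielding a garbage key.
function unwrapKey(record, password) {
  const salt = Buffer.from(record.salt, "base64");
  const raw = Buffer.from(record.wrapped, "base64");
  if (raw.length !== 12 + 16 + 32) return null;     // iv + tag + 256-bit key
  const kek = deriveWrappingKey(password, salt);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", kek, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("base64");
  } catch {
    return null;
  }
}
```

An authenticated cipher is used for the wrap in this sketch so that a wrong password is reported as a failure rather than silently producing an unusable key.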
The Encryption Algorithm: AES-256
When we actually encrypt your files, we use AES-256-CBC. Let's break down what that means:
AES (Advanced Encryption Standard)
The encryption algorithm used by banks, governments, and security agencies worldwide. It's been scrutinized by cryptographers for over 20 years and remains unbroken.
256 (Key Size)
The 256-bit key we discussed earlier. This is the "military-grade" encryption you hear about - it's what the US government uses to protect TOP SECRET information.
CBC (Cipher Block Chaining)
A mode that makes each block of encrypted data depend on all previous blocks. This means you can't isolate and attack small portions - you need the whole key to decrypt anything.
The IV: One More Layer
Each time we encrypt something, we generate a random "Initialization Vector" (IV) - think of it as a random starting point. This means encrypting the same file twice produces completely different encrypted output.
Same file + Same key + Different IV = Different encrypted result
First encryption: 7x9Kp2mN...
Second encryption (same file): Qw3Lm8vR...
This prevents attackers from recognizing patterns or detecting if you've uploaded the same file twice.
The Complete Flow: What Happens When You Upload
Let's walk through exactly what happens when you upload a file to your encrypted vault:
You Select a File
You click "Upload" and choose tax_return_2024.pdf from your computer.
Your Browser Reads the File
JavaScript reads, encrypts, and uploads the file in chunks. The unencrypted file never leaves your device.
Generate Random IV
Your browser generates 16 random bytes for this specific encryption. This IV is unique to this upload.
Encrypt with AES-256 🔐
Using your encryption key and the random IV, your browser encrypts the entire file. The output is complete gibberish without the key.
Prepend the IV
The IV is attached to the beginning of the encrypted file. It's not secret - it just needs to be unique. Format: [16 bytes IV][encrypted data]
Upload Encrypted Data
Only now does data leave your device - and it's just encrypted gibberish. Our servers store it without ever knowing what's inside.
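The IV handling and the [16 bytes IV][encrypted data] layout from the steps above, as an added example (not Inheritfy's code). It uses Node's built-in crypto module and encrypts one buffer rather than streaming chunks; PKCS#7 padding (Node's default), the function names and the sample data are assumptions.

```javascript
const nodeCrypto = require("node:crypto");

const IV_LEN = 16;   // IV length given on the page
const BLOCK = 16;    // AES block size in bytes

// Encrypt with AES-256-CBC under a fresh random IV and prepend the IV.
function encryptFile(plaintext, key) {
  if (key.length !== 32) throw new Error("key must be 32 bytes (256 bits)");
  const iv = nodeCrypto.randomBytes(IV_LEN);       // unique per upload
  const cipher = nodeCrypto.createCipheriv("aes-256-cbc", key, iv);
  return Buffer.concat([iv, cipher.update(plaintext), cipher.final()]);
}

// Split a stored blob into IV and ciphertext, rejecting malformed input
// (truncated uploads, or a body that is not a whole number of AES blocks).
function parseBlob(blob) {
  const bodyLen = blob.length - IV_LEN;
  if (bodyLen < BLOCK || bodyLen % BLOCK !== 0) {
    throw new Error("malformed blob: expected 16-byte IV plus whole AES blocks");
  }
  return { iv: blob.subarray(0, IV_LEN), ciphertext: blob.subarray(IV_LEN) };
}

// Decrypt using the IV read from the front of the blob.
function decryptFile(blob, key) {
  const { iv, ciphertext } = parseBlob(blob);
  const decipher = nodeCrypto.createDecipheriv("aes-256-cbc", key, iv);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
}

// Constructed sample input: a random key and stand-in file contents.
const sampleKey = nodeCrypto.randomBytes(32);
const sampleFile = Buffer.from("constructed sample contents for tax_return_2024.pdf");

// Same file, same key, two uploads: the blobs differ because the IVs differ.
function sameFileTwice() {
  return [encryptFile(sampleFile, sampleKey), encryptFile(sampleFile, sampleKey)];
}
```

CBC by itself does not detect modification of the stored blob; detecting that takes a MAC over the IV and ciphertext or an authenticated mode.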
Optional: BIP39 Recovery Phrase
For users who want extra backup security, we offer an alternative to remembering your password: a 24-word recovery phrase.
Example recovery phrase (never use this one!):
This uses the BIP39 standard (the same used by Bitcoin wallets). The 24 words contain 256 bits of entropy - the same as your encryption key. In fact, the words ARE the key, just in human-readable form.
✓ Advantages
- Easy to write down and store in a safe
- Can be memorized with practice
- Works across devices
- Industry-standard (understood by security experts)
✗ Considerations
- Anyone with the 24 words has full access
- Must be stored securely (not on your computer)
- If lost and you forget your password, files are unrecoverable
Summary: Your Files Are Protected By...
- 256-bit Key: More combinations than atoms in the universe
- AES-256-CBC: Bank and government-grade encryption
- Key Wrapping: Your key is encrypted too
- 600K Iterations: Password guessing takes years
The bottom line: with client-side encryption, your files are encrypted on your device before they ever reach us. We can't read them, hackers can't read them (even if they breach our servers), and no one can compel us to hand over what we don't have.
Ready to Protect Your Files?
Create your encrypted vault in minutes. Client-side encryption is available on our Premium and Legacy plans, giving you complete control over your data with zero-knowledge security.