Every SealedFor capsule is encrypted with AES-256-GCM, the same standard used by banks and intelligence agencies. For most people, that's more than enough. Your data is encrypted immediately after upload, the plaintext is deleted, and no one can read it without authorization.
But some things demand an even higher level of protection. A crypto wallet seed phrase worth six figures. A confession you wrote for someone you trust completely but still want shielded from every possible breach. A whistleblower document that could cost you your career if anyone, even a rogue server administrator, ever saw it. For these cases, SealedFor offers Privacy Shield.
Privacy Shield is an optional add-on (+$5.99 per capsule, incl. tax) that fundamentally changes how your data is encrypted. Instead of the server holding the key to decrypt your files, you hold it. It's called a Viewing Key, and it works like this:
The result: even if someone gained access to our entire infrastructure, every server, every database, every backup, they still could not read your capsule. The key simply doesn't exist on our side.
With standard SealedFor encryption, your files are protected by a server-side master key. This is extremely secure: an attacker would need to breach both the database and the server environment simultaneously to decrypt anything. That's a very high bar, and it protects the vast majority of users perfectly well.
Privacy Shield raises that bar to its absolute maximum. Here's how the two compare:
| Scenario | Standard Encryption | Privacy Shield |
|---|---|---|
| Database breach | Safe. Encrypted keys need master key. | Safe. Encrypted keys need Viewing Key. |
| Storage breach | Safe. Files are encrypted. | Safe. Files are encrypted. |
| Database + storage + server environment breach | Vulnerable. Attacker has all keys. | Still safe. Viewing Key was never on the server. |
| Rogue administrator | Theoretically possible. | Impossible. No key to find. |
The technical term for this is "Server-Blind at Rest": the server physically cannot access your data while it's stored, because the decryption key doesn't exist anywhere in our infrastructure.
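The comparison in the table can be reproduced with a small envelope-encryption sketch. This is an added illustration, not SealedFor's code: the per-capsule data key wrapped under either a server master key or the Viewing Key, the random 32-byte Viewing Key, and all function names are assumptions made for the example.

```javascript
// Added illustration; not SealedFor's code. Key layout and names are assumptions.
const crypto = require("node:crypto");

// AES-256-GCM with a fresh 96-bit nonce; returns everything needed to decrypt.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Returns the plaintext, or null when the GCM tag fails (wrong key or tampering).
function open(key, { iv, ct, tag }) {
  try {
    const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
    d.setAuthTag(tag);
    return Buffer.concat([d.update(ct), d.final()]);
  } catch {
    return null;
  }
}

// Envelope encryption: a random per-capsule data key encrypts the file,
// and that data key is itself stored wrapped under `wrappingKey`.
function createCapsule(wrappingKey, file) {
  const dataKey = crypto.randomBytes(32);
  return { file: seal(dataKey, file), wrappedKey: seal(wrappingKey, dataKey) };
}

function readCapsule(wrappingKey, capsule) {
  const dataKey = open(wrappingKey, capsule.wrappedKey);
  return dataKey && open(dataKey, capsule.file);
}

// Constructed scenario: database, storage and server environment are all exposed.
function breachDemo() {
  const secret = Buffer.from("constructed sample secret");
  const serverEnv = { masterKey: crypto.randomBytes(32) }; // lives on the server
  const viewingKey = crypto.randomBytes(32); // shown once to the user, never stored
  const db = {
    standard: createCapsule(serverEnv.masterKey, secret),
    shielded: createCapsule(viewingKey, secret),
  };
  const exposedKey = serverEnv.masterKey; // the only key present server-side
  return {
    standardRead: readCapsule(exposedKey, db.standard)?.toString() ?? null,
    shieldedRead: readCapsule(exposedKey, db.shielded)?.toString() ?? null,
    recipientRead: readCapsule(viewingKey, db.shielded)?.toString() ?? null,
  };
}
```

With everything stored server-side exposed, `standardRead` returns the secret while `shieldedRead` is `null`, because the GCM tag on the wrapped data key does not verify under any key the server holds.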
Privacy Shield isn't for everyone. For a birthday message or a family photo capsule, standard encryption is more than sufficient. But there are situations where the extra layer matters enormously:
If your capsule contains wallet seed phrases or private keys, a breach could mean losing everything. With Privacy Shield, even a total infrastructure compromise wouldn't expose your keys. Combined with a dead man's switch, it's one of the safest ways to pass on crypto to your family.
Attorney-client privilege. Sensitive evidence. Internal documents that could trigger retaliation. If you're storing something that absolutely cannot be seen by anyone except your intended recipient, Privacy Shield ensures it stays that way.
Proprietary formulas, source code, client lists, strategic plans. If your capsule contains business-critical information that could damage your company if leaked, Privacy Shield provides the strongest available protection.
You don't need a dramatic reason. Some people prefer knowing that no one, not even the service provider, can access their data under any circumstances. That's a perfectly valid reason on its own.
Setting up Privacy Shield takes about 30 seconds longer than creating a standard capsule.
Start creating a capsule as usual: choose your tier, upload your files, write your message, set the delivery date or dead man's switch.
In the content step, you'll see the Privacy Shield option. Toggle it on. The add-on costs $5.99 (incl. tax) per capsule (one-time, no subscription).
After finalizing your capsule, you'll see your Viewing Key displayed on screen. This is the only time you'll ever see it. Copy it immediately, ideally writing it down on physical paper or putting it in an offline password manager. Store it somewhere safe. We cannot recover it for you. No one can.
Your recipient will need the Viewing Key to open the capsule. Send it to them through a different channel than the capsule notification:
The key point: the Viewing Key should travel through a different path than the capsule itself. This way, even if someone intercepts the capsule notification email, they still can't read anything.
When the capsule is delivered, your recipient will see that it's protected by Privacy Shield. They enter the Viewing Key you gave them, and the capsule unlocks. If they enter the wrong key, nothing happens. The data stays sealed.
This is the most important thing to understand about Privacy Shield: if the Viewing Key is lost, your data is gone forever. We cannot recover it. No support ticket, no exception, no backdoor. This is by design.
The whole point of Privacy Shield is that no one except the key holder can access the data. If we could bypass it, so could an attacker. The security guarantee and the risk of loss are two sides of the same coin.
That's why Privacy Shield isn't enabled by default. It's a conscious choice for people who understand the tradeoff and have a plan for keeping the key safe.
Privacy Shield works seamlessly with dead man's switch delivery. Here's a common setup:
This combination provides the highest possible level of security for posthumous data delivery. Your crypto keys, passwords, and sensitive documents are protected from everyone, including us, until the moment your loved ones need them.
We believe in being honest about what Privacy Shield is and what it isn't. Here's what you should know:
We call it "Server-Blind at Rest" because that's exactly what it is: while your capsule is stored on our servers, we are blind to its contents. We think that's a more honest description than "zero-knowledge," and we'd rather earn your trust through transparency than marketing.
Privacy Shield is a one-time add-on of $5.99 (incl. tax) per capsule. No subscription, no recurring fees. It works with any tier (Capsule, Capsule+, Capsule Pro) and any delivery type (date-based or dead man's switch).
For context: you're paying $5.99 to ensure that even in the worst-case scenario, a total breach of our entire infrastructure, your data remains completely unreadable. For anyone storing crypto keys, sensitive legal documents, or deeply private messages, that's a meaningful investment.
Ready to create a Privacy Shield capsule? Here's what to do:
The whole process takes less than 10 minutes. Your most sensitive data deserves the strongest protection available. Privacy Shield gives you exactly that.