The FIRM Guide

The Encryption Module

The encryption you rely on — full-disk, encrypted containers, hardware-level encryption — one entry per method, carrying the instructions your future self or an heir needs to decrypt.

Where this Module fits

S-04 Module 4 of 6 in the System area — step 1 of 4 on the dependency ladder (System → At-Home → Financial → Estate).

Fourth — locks the contents; every other module assumes The Secure Guide is protected, and this is what makes that true.

Adds to The Secure Guide: One entry per encryption method or tool — how to decrypt, key location by reference, recovery status.

Adds to The Family Guide: That encrypted storage exists, the pointer pattern, and “do not guess passwords”.

Every Module adds one section to each guide — that is how the two guides assemble as you work. See what you're building.

Download Text File Nothing is entered on this page — you fill the template in privately.

Text file — the flexible one. Use it as-is, paste it into a spreadsheet, open it in any editor, or paste it into an AI tool to reshape the blank form to fit your family: rename a field, add a row, drop one you don't need.

Print / PDF — the ready-to-use one. Print it and fill it in by hand, or choose Save as PDF and complete it in your own offline PDF app. Either way it stays with you — the finished Secure Guide template goes inside your Vault.

One rule: only ever give an AI tool the blank template. Never paste your real information — passwords, account numbers, anything you'd keep secret — into an AI tool, an online service, or anywhere outside your own Vault. Customizing an empty form is fine; filling it in happens privately, offline. That's the same rule this site follows: nothing sensitive ever leaves your hands.

Secure Guide Starter Template — Encryption

One Secure Guide entry per encryption method or tool — never per file or container. Files and containers are documented in their own Modules and marked “encrypted with <method> — see the Encryption Module”; this section holds the other half: how each method is opened by someone who is not you. Link to credentials in your password manager rather than recording them here.

Encryption sounds technical, but most of the protection is already built into your devices — the work is turning it on and keeping the keys findable by the right people. And remember: in practice, no one breaks good encryption — they talk someone out of the key. No legitimate process ever needs a passphrase or recovery key read over a phone or typed into a link; anyone asking, however convincing, is the attack. The keys themselves live in the password manager or physical Vault — never in this record, and never inside the container they open.

The method, named plainly — e.g., "BitLocker (built into Windows)", "FileVault (built into macOS)", "VeraCrypt". One entry covers every file and drive that uses this method.
Instructions to your future self — or an heir who has never seen this tool: what program opens it, on what kind of computer, what it will ask for, and what to expect. Write it like a recipe.
Where an installer or portable copy of the TOOL itself is kept, so files encrypted years ago can still be opened. Backups of the encrypted files are not recorded here — those belong to the Backup and Synchronize Module.
Where the passphrase or key lives, by reference. The key itself is high-friction — password manager or physical Vault, never here.
Yes/No + where it is stored (sealed envelope, password-manager entry).
Optional. Only if no recovery method exists — and only a hint a stranger could not derive.
e.g., annual verification; passphrase review every five years.
Date this method was last proven — something encrypted with it opened successfully, ideally on a second computer.
Encryption; secure-guide; family-guide; System

Family Guide Starter Template — Encryption

This template contains no sensitive information. It can be stored with household documents.

In the matching Secure Guide section: one entry per encryption method or tool — how to decrypt, key location by reference, recovery status.

That detail is what makes recovery possible — and it is protected in the Vault, which opens with The Vault Key. The key is never written here, by design. The people listed on this page know how it is kept, and the steward's job is to keep that path current, so this page never leads to a locked door.

One sentence, no specifics (sensitive records are kept in encrypted storage).
In plain terms, WHAT is encrypted around here — the computers protect themselves; the family archive and important records live in protected storage. No tool details; the point is that the locks exist on purpose.
Where the tools come from — built into the computer, or a program by name — and where a backup copy of the program is kept, so even years-old archived files can still be opened.
Steward and verification cadence.
What a trusted person does first — do not guess passwords; start with the password-manager note.

Anything this page's reader should know that the sections above didn't ask for — the exceptions, the house quirks, the thing you would say out loud while handing this page over.

Worked example — Frank's family

Frank's encryption comes down to three METHODS, and that's how his entries are organized — one per method, never per file. Anything encrypted elsewhere in the system is marked with its method — “VeraCrypt — see Encryption” — and this section answers the other half: how each method opens, written for whoever has to do it without him. The rule holding it together never varies — the key never lives inside the container it opens.

All details are fictional and illustrative. The assembled example guides live at the example Secure Guide and the example Family Guide.

Secure Guide — Frank's entry

One entry per encryption method. Keys are referenced by location only; the files themselves are documented in their own Modules.

Entry 1 — VeraCrypt (encrypted containers)

VeraCrypt — encrypted container files; manual mount, no auto-mount
Open VeraCrypt → Select File → choose the container (e.g., FrankSecure) → Mount → enter the passphrase from the password manager (Vaults → the container's name). It appears as a new drive; dismount when finished. Same steps on Windows and Mac. A printed copy of these steps: FrankSecure → Estate → unlock-family-archive.pdf — walked through with Sarah 2026-01
Installer for the exact version on FireSafe-SSD → Tools (kept beside the printed instructions); current versions from the project's official site. The containers' own backups are recorded in Backup and Synchronize, not here
Password manager → Vaults → one entry per container (FrankSecure; Family Archive)
Yes — printed passphrase copies, sealed envelopes in the fire safe; Sarah and the estate attorney know they exist
None — recovery copies exist
Passphrases reviewed at the January walk
2026-01 — a container opened from its backup copy on Sarah's MacBook, proving both the method and a second machine can
Encryption; secure-guide; family-guide; System

Entry 2 — BitLocker (built into Windows)

BitLocker — full-disk encryption on Frank-Laptop; BitLocker To Go on FireSafe-SSD
Normally invisible — the laptop unlocks itself at login. If Windows demands a recovery key at boot, or a drive is moved to another computer: type the 48-digit key from the password manager (Devices → the machine's name → Recovery Key). FireSafe-SSD: plug in, enter its password when prompted
None needed — built into Windows; any Windows machine that supports BitLocker can open the drives
Password manager → Devices → per machine (recovery keys)
Yes — the password-manager entries
None — a recovery method exists
Confirmed enabled at each quarterly device audit
2026-04 quarterly audit
Encryption; secure-guide; family-guide; System

Entry 3 — FileVault (built into macOS)

FileVault — full-disk encryption on Sarah-MacBook
Invisible in normal use — the Mac unlocks at login. If locked out: sign in with Sarah's account, or use the recovery key from the password manager (Devices → Sarah-MacBook → FileVault Recovery Key)
None needed — built into macOS
Password manager → Devices → Sarah-MacBook
Yes — the password-manager entry
None — a recovery method exists
Confirmed enabled at each quarterly device audit
2026-04 quarterly audit
Encryption; secure-guide; family-guide; System

Default device encryption on the family phones rides the Devices inventory — the phones' own rows note it. Which files use which method is marked on the files' entries in their own Modules; this section only ever answers “how does that method open.”

Family Guide — Frank's entry

This entry sits in the household reference binder. It contains no keys and no tool names a stranger could act on.

Sensitive records are kept in encrypted storage — on the computers, on backup drives, and in the cloud. Locked is the normal state; nothing sensitive sits readable.
The computers protect themselves automatically. The family archive — photos, legal papers, tax records — and the family records system live in protected storage that is opened on purpose, used, and locked again.
Most of it is built into the computers. The one separate program is named in The Secure Guide, and a backup copy of it is kept with the archived files — so even a drive from years ago can still be opened. The passwords are in the password manager; a written recovery copy exists, sealed in the fire safe.
Frank; the whole setup is opened and proven once a year, every January.
Never guess passwords — some containers lock or erase after repeated wrong attempts. Start with the password-manager note; Frank first, then Sarah's emergency access. And no one legitimate will ever ask you to read a key over the phone or type it into a link.