Anti-coercion · the dead-man's switch

The dead-man's switch: protection that acts when you can't.

By Helix · Published May 25, 2026 · ~2,600 words

Every other defense assumes you're at the controls. You enter the duress code. You hit burn. You toggle travel mode. But the most dangerous moments are the ones where you can't reach your phone at all — you're detained, your device is taken, you've simply gone dark. The dead-man's switch is the one defense that works in your absence. You set a deadline. If you don't check in by it, Helix acts on your behalf — burning the vault, alerting a trusted contact, or both. Silence becomes the trigger.

What a dead-man's switch is

The term comes from heavy machinery: a control that has to be actively held by a living, conscious operator. Let go — because you fell, collapsed, or are no longer there — and the machine stops itself. The logic is inverted from a normal switch. A normal switch does something when you act. A dead-man's switch does something when you stop acting.

Applied to your data, it works the same way. You set a check-in interval — every 24 hours, every three days, before a specific deadline. As long as you check in, nothing happens; the timer simply resets. But if the deadline passes with no check-in, the switch fires. What it fires is your choice: it can burn the vault so there's nothing left to seize or extract, it can send a pre-written alert and your last-known location to a trusted contact, or it can do both. The defining property is that your inaction is the command. You don't have to do anything for it to protect you. You have to do something to stop it.

This inversion is what makes it uniquely suited to worst-case planning. Every other safeguard is a verb you have to perform: enter the code, hit burn, send the wipe. They all assume a future you who is conscious, free, and holding the device. The dead-man's switch makes no such assumption. It is the only defense whose trigger is the very condition you're most afraid of — your inability to act. Where other tools ask "what will you do if the worst happens?", the dead-man's switch asks "what should happen automatically if you can't do anything at all?" That's a fundamentally different and more honest question for anyone whose work can put them somewhere they don't control.

How it works under the hood

A dead-man's switch is, at its core, a countdown that you keep resetting. Helix arms a timer with the interval you choose. Every time you check in — opening the app and authenticating, tapping a confirmation, or whatever method you've set — the timer resets to the full interval. The check-in is lightweight by design, because you'll be doing it routinely and the whole point is that it's easy to keep alive and hard to forget.

The hard engineering problem isn't the timer; it's making the switch fire reliably even when the device is being interfered with. A naive implementation that only fires when the app is open is useless — an attacker just doesn't open the app. So the switch is designed to survive the scenarios it's meant for: it can act locally on the device when the deadline passes regardless of whether anyone opens the app, and it can rely on a server-side component so that even a device that's been powered off, isolated from the network, or destroyed doesn't prevent the alert from going out when the check-in never arrives.

That split matters. The local action — burning the on-device vault — protects the data sitting in the attacker's hands. The remote action — alerting your trusted contact — protects you, by making sure that your disappearance doesn't go unnoticed. A device that's been seized and shut off can't run code, but it also can't check in, and the absence of that check-in is itself the signal that triggers the outside alert. You build the system so that going dark is loud.

Grace periods and warnings round it out. A good dead-man's switch warns you before it fires — a reminder as the deadline approaches — so a missed alarm or a long flight doesn't accidentally torch your data. You set the interval and the warning window to match your real life, so the switch is sensitive enough to protect you but not so twitchy that it goes off because you slept in.

There's a deeper design question hiding in the check-in itself: how do you prove you're checking in freely? A switch that resets the moment anyone enters the right code can be defeated by an attacker who has coerced that code out of you — they just keep it checked in indefinitely while they work. The strongest dead-man's-switch designs anticipate this by allowing a duress check-in: a check-in method that looks normal but actually triggers the protective action rather than postponing it. Combined with Helix's duress unlock, this means that even if you're forced to "keep it alive," the act of doing so under coercion can quietly do the opposite of what the coercer intends. The switch isn't just counting time; it can be made to count whether you're free.

The interval choice is itself a meaningful piece of operational security, and it deserves real thought rather than a default. A 12-hour switch is aggressive: it protects you fast if something goes wrong, but it demands you stay reachable and reliable, and it will eventually fire over a long flight or a dead battery if you're not careful. A weekly switch is forgiving but leaves a long exposure window — a full week where seizure wouldn't trigger anything. There is no universally correct answer; there's only the answer that matches the specific situation you're walking into. The right discipline is to set the switch per situation, tightening it before a high-risk trip and relaxing it back to normal life afterward, rather than picking one number and living with it forever.

The real-world threat it stops

The dead-man's switch is built for the scenario nobody wants to plan for and everyone in a high-risk role should: you are no longer in a position to act.

What ties these together is that none of them allow you to mount a defense in the moment. A duress unlock needs you present and able to type. The dead-man's switch needs nothing from you except that, at some recent point, you were alive and free enough to check in. After that, it carries your intent forward on its own.

Why it matters to the people Helix is built for

Journalists and the targeted. This is the feature's heartland. A reporter going into a hostile environment can arm a switch so that if they're detained or disappear, source-protecting material is destroyed and an editor or lawyer is alerted automatically. The switch turns "we haven't heard from them" from a slow, helpless realization into an immediate, actionable signal.

Crypto holders and whales. Set against a kidnapping-for-ransom scenario, a dead-man's switch can be configured so that prolonged unreachability triggers protective action on accessible assets and alerts your security circle — while inheritance-grade recovery (Shamir share splitting) ensures your holdings aren't simply lost to your trusted heirs if the worst happens.

Family offices and executives. For principals traveling in high-risk regions, the switch is a standing instruction that executes itself: if check-in lapses, the security team is alerted with last-known location, and sensitive material on the device is protected without anyone having to remember to act.

Lawyers. When carrying privileged material into uncertain situations, a dead-man's switch ensures that an involuntary absence doesn't leave that material exposed indefinitely — the protection executes on schedule, not on availability.

A short history of the idea

The dead-man's switch isn't a software invention; it's an old safety principle that software inherited. The classic example is the lever on a train's controls that the driver must hold down — release it, through incapacitation or worse, and the train brakes itself automatically. The same logic shows up in industrial presses, chainsaws, and aircraft: a control that requires a live, conscious operator, so that the failure of the operator becomes the trigger for a safe state. The genius of the design has always been that it turns the most catastrophic event — the operator no longer being able to operate — into the very thing that activates protection.

Moving the concept into the digital realm changed what "the safe state" means. For a train, safe means stopped. For your data, safe means destroyed before it can be exploited, and your circle alerted before too much time passes. The principle is identical: your absence is the trigger, and the system fails toward safety rather than toward exposure. What modern implementations add is the split between a local action that protects the data and a remote action that protects the person — a refinement the original lever never needed, because a train doesn't have to phone a friend when its driver collapses. Your situation is more complicated, and the tool has grown to match.

How Helix implements it

Helix exposes the dead-man's switch as a part of the anti-coercion layer you arm in advance, with the controls that matter:

You decide everything up front, calmly, before you walk into a situation you might not walk out of cleanly. After that, the only thing the switch asks of you is the simplest possible act: check in. Keep checking in and it sleeps. Go silent and it speaks.

The honest limits

A dead-man's switch is genuinely powerful, but its limits are real and you should set yours knowing them.

The local burn needs the device to be able to act. If an adversary immediately pulls the storage, clones it, and works on the offline image, the on-device timer may never get the chance to fire on the original data. This is precisely why the technique pairs a local action with a remote one — and why remote wipe and deniable storage matter alongside it. The switch is one layer of a defense-in-depth, not a single guaranteed kill.

The remote alert depends on connectivity at the right moment. A server-side component makes the alert far more resilient than a purely on-device timer, but no system can promise delivery against every possible network condition. You set the intervals to give the system the best chance, and you treat the alert as a strong signal to your circle, not a courtroom-grade guarantee.

It can fire when you didn't mean it to. The flip side of "silence triggers it" is that any silence triggers it — including a dead battery, a long flight, a lost phone, or simply forgetting. That's why the warning window exists and why you should size the interval to your actual life. A switch set too tight will eventually torch your data over nothing; a switch set too loose leaves a long window where you're unprotected. The right interval is a deliberate trade-off only you can make.

Used thoughtfully — with an interval that fits your routine, an action that fits your threat, and an understanding that it's one layer among several — the dead-man's switch is the closest thing there is to protection that keeps working after you've lost the ability to protect yourself. That's a rare and valuable thing. It is not magic, and we won't pretend it is.

Setting yours: a practical walkthrough

Configuring a dead-man's switch well is a small exercise in thinking clearly about your own risk, and it's worth doing deliberately rather than accepting a default. Walk through it in four questions.

First: what should fire? Decide whether silence should burn the vault, alert your circle, or both. A journalist protecting sources may want both — destroy the material and tell the editor something's wrong. Someone whose main concern is not losing access to their own data unexpectedly might prefer alert-only, so that a missed check-in summons help without destroying anything. There's no default that's right for everyone; the right answer falls out of what you're actually afraid of.

Second: how long is your window? Pick the interval that matches the situation, not your calendar in the abstract. Routine daily life might warrant a generous window or no active switch at all; a two-day trip into a high-risk environment might warrant a tight one. The interval is the single most consequential setting, because it defines both how fast you're protected and how easily an innocent silence can fire the switch.

Third: who gets the alert, and what does it say? Choose a trusted contact who will actually act on a message, and pre-write the alert so it's clear and actionable rather than cryptic. "If you receive this, I have not checked in; contact my lawyer and treat my devices as compromised" is worth far more than a bare notification. The alert is only as useful as the recipient's ability to understand and act on it.

Fourth: how will you check in, and can you do it under duress? Make the routine check-in easy enough that you'll actually keep it alive, and consider whether you want a duress check-in option — a way to "check in" that secretly triggers protection instead of postponing it, for the case where you're forced to keep the switch alive against your will. Then rehearse all of it, so that under stress the right action is reflex.

Spend ten minutes on those four questions before a risky situation and the switch becomes a genuine safeguard. Skip them, accept a default, and you've armed something you don't fully understand — which, with an irreversible burn on the line, is its own kind of risk.

The bottom line

Most security tools fail at the exact moment you need them most: when you can't reach them. The dead-man's switch is the one that's designed for your absence. It converts your silence into action — destroying what shouldn't be found and summoning help that needs to be summoned — so that being detained, disappeared, or simply out of reach doesn't mean your data, or your safety, goes unguarded. For anyone whose work can put them somewhere they might not come back from cleanly, that's not paranoia. It's preparation.

Get Helix — from $199See every feature

Core $199 · Operator $499 · Sovereign $999 — fixed, published pricing, paid in crypto, no account required.

The duress unlock The deniable hidden volume Remote wipe a seized device All features