Remote wipe: reach out and erase the device.

A device you no longer control is a breach in progress. Maybe you left it in a taxi. Maybe it was lifted from a hotel safe. Maybe it was taken at a checkpoint and is now headed for a forensics lab. Whatever the cause, the vault, identity, files and keys are sitting in someone else's hands, and time is on their side. Remote wipe lets you reach that device from anywhere and erase everything on it — and it's engineered around one non-negotiable rule: it fails safe. Only an authenticated command from you can ever trigger it.

What remote wipe is

Remote wipe is the ability to destroy the protected data on a device you're no longer holding, by issuing a command from a different device or interface. You authenticate as the owner, you send the wipe, and the target device — when it next receives the command — irreversibly destroys the Helix vault: the encrypted messages, the contacts and identity, the stored files, and the cryptographic keys. What's left is a device with nothing of yours on it worth recovering.

It's the logical extension of the one-tap burn you can fire when the device is in your hand. The burn covers "I'm holding it and need it gone now." Remote wipe covers "I'm not holding it, someone else is, and I need it gone anyway." Same destruction, different reach.

The word that matters most in that description is irreversibly. A remote wipe isn't a lock or a hide — it's destruction. There's no undo, no recovery, no "I changed my mind." Which is exactly why the second half of the feature — the part that makes sure only you can ever send that command — is just as important as the wipe itself.

It's also worth being clear about how Helix's remote wipe differs from the "find my device" wipe most people have used. Consumer remote-wipe features route through a platform account — your Apple ID, your Google account, a mobile-device-management server. That works, but it means the wipe command travels through, and depends on, an intermediary that can be compelled, breached, delayed, or simply switched off. It also means the same account that can wipe your device is a single point an attacker can target. Helix's wipe is built on the same zero-trust principles as the rest of the product: the authority to wipe is a cryptographic key you hold, not an account someone else operates on your behalf. There's no console a third party can be served a warrant for, and no platform login an attacker can phish to reach your device.

How it works under the hood

There are two ways to destroy encrypted data, and the difference is the whole game. The slow way is to overwrite every byte of storage — which on modern flash storage can't even be fully guaranteed because of wear-leveling, and which takes time the situation may not give you. The fast, complete way is crypto-shredding: destroy the keys, and every byte of ciphertext becomes permanently unreadable noise in an instant. You don't have to scrub a gigabyte of files; you destroy the few hundred bits that make those files mean anything. Helix's wipe is built on crypto-shredding first — kill the keys, and the data is gone as a practical matter immediately — backed by overwrite where it adds value.

Delivery is the other half. For a remote wipe to work, the command has to reach the device, and the device has to act on it. Helix routes the wipe command to the target so that the next time it has connectivity, it receives and executes it. A device that's offline can't be wiped yet — but it also can't exfiltrate anything while offline, and the command waits for it. This is why remote wipe pairs naturally with the dead-man's switch: the switch handles the case where the device has gone permanently dark, while remote wipe handles the case where it's still reachable.

Now the safety. The entire feature is designed to fail safe, and that phrase has a precise meaning: when anything goes wrong or is uncertain, the system defaults to not wiping. A wipe is destructive and irreversible, so the failure mode must never be an accidental wipe. Concretely:

• A wipe command is only honored if it carries cryptographic proof it came from the authenticated owner. An attacker who intercepts the channel, spoofs a message, or compromises an intermediary cannot forge a command the device will accept.
• The device verifies the command's authenticity before acting — it doesn't trust the network, it trusts the signature.
• If authentication can't be verified, the device does nothing. Ambiguity never resolves toward destruction.

That design closes the obvious attack: an adversary who wanted to weaponize your own remote-wipe feature against you — wiping your device to cause harm, or worse, learning to wipe other people's devices — simply can't, because they can't produce the authenticated command the device requires. The capability that protects you can't be turned into a weapon against you.

The phrase "fail safe" is worth slowing down on, because in security engineering it has a specific and consequential meaning that's the opposite of how a lot of systems are built. A system that "fails open" defaults to permissive behavior when something goes wrong — and far too many do, because failing open is convenient and rarely complained about until it's catastrophic. A system that "fails safe" or "fails closed" defaults to the protective behavior. For a remote wipe, the protective default is emphatically not to wipe: an accidental wipe is an irreversible loss, so every ambiguous situation — a malformed command, an unverifiable signature, a confused network state — must resolve toward inaction. Helix designs the wipe so that destruction is the path requiring the most proof, and doing nothing is the path of least resistance. You should have to clear a high bar to destroy your own data; an attacker should find that bar impossible.

This is also why the wipe and the ordinary unlock are kept architecturally separate. You don't want the remote-wipe authority bundled into the same credential you use every day, because a credential you use constantly is a credential more exposed to compromise. The authority to issue an irreversible, device-destroying command is held distinctly and proven distinctly, so that the routine act of using your phone never carries the latent power to destroy it by accident.

The real-world threat it stops

Remote wipe answers the gap between "I've lost control of the device" and "the data on it has been extracted." That gap is where breaches happen, and it shows up constantly:

• Lost or stolen. The ordinary, mundane disaster — a phone left behind or pickpocketed. For most people that's an inconvenience; for someone carrying privileged communications, source identities, or wallet keys, it's a catastrophe unless the data can be reached and destroyed.
• Seized. A device taken at a border or in a raid, now in custody and bound for analysis. If it's still reachable before extraction succeeds, a remote wipe can close the window. Helix's encryption may already make extraction futile, but destruction removes even the question.
• Compromised. You discover a device has been tampered with or is suspected to be infected, and you want it cleaned out remotely rather than trusting it again.
• Decommissioning gone wrong. An old device you thought was wiped, or one that left your possession without a proper reset — remote wipe lets you reach back and finish the job.

In every case the principle is the same: data you can't physically retrieve, you can still destroy. Losing the hardware doesn't have to mean losing control of what was on it.

The reason this matters so much more for a security-focused user than for an ordinary one comes down to what's on the device. When a typical person loses a phone, the worst case is some photos and a few logged-in apps — bad, but bounded. When someone carrying privileged communications, source identities, deal documents, or wallet keys loses a device, the worst case is unbounded: a single seized phone can unravel a legal matter, expose a confidential source, compromise a negotiation, or drain an account. The value of the data is what turns "lost phone" from an annoyance into a crisis, and it's precisely that high-value data that makes the ability to destroy it remotely worth having. The more your device is worth to an adversary, the more remote wipe is worth to you.

Why it matters to the people Helix is built for

Crypto holders and whales. A stolen device that holds wallet access is an open vault. Remote wipe lets you crypto-shred the keys before a thief can move funds — and combined with self-custody and inheritance-grade Shamir recovery, wiping the device doesn't mean losing your assets, only denying them to whoever took the phone.

Lawyers. A lost device carrying privileged client material is a reportable breach and an ethical crisis. The ability to remotely and verifiably destroy that material turns a disaster into a manageable incident — the privileged data is gone before it can be accessed.

Family offices and executives. Principals and staff lose and have devices stolen like everyone else, except the devices hold deal terms, ownership structures, and security details. Remote wipe is a standing safeguard that lets a security team neutralize a lost device immediately, from anywhere.

Journalists and the targeted. A seized device is the nightmare scenario for source protection. If it's reachable for even a moment before extraction, remote wipe destroys what's on it. Paired with deniable storage and the dead-man's switch, it's part of a layered answer to "they took my phone."

How Helix implements it

Helix builds remote wipe as a core part of the anti-coercion shield, with the properties that make it both effective and safe to own:

• Owner-authenticated commands only. A wipe is honored only when it carries cryptographic proof of your authority — no forged, spoofed, or intercepted command can trigger it.
• Fail-safe by default. Any uncertainty resolves toward not wiping. The destructive path is the one that requires the strongest proof, never the default.
• Crypto-shred first. Destroy the keys and the ciphertext becomes unreadable noise instantly — fast, complete, and not dependent on scrubbing every byte.
• Reaches the device on next connectivity — and pairs with the dead-man's switch for the case where the device never comes back online.
• Total scope. Vault, identity, files and keys — gone, with nothing left to recover, just like the in-hand one-tap burn.

The result is a feature you can hold in reserve without anxiety: it can reach your device anywhere, it destroys everything that matters, and it can only ever be fired by you.

The honest limits

Remote wipe is powerful, and its limits are physical and worth understanding before you rely on it.

It can't wipe a device that never comes back online. The command has to reach the device. If an adversary immediately pulls the storage, clones it offline, and works on the image while the original stays powered off and isolated, the wipe command may never arrive at the data being attacked. This is the fundamental limit, and it's why remote wipe is a layer, not a lone solution — deniable storage means there may be nothing useful to extract even if the wipe never lands, and the dead-man's switch covers the permanently-dark device. Defense in depth exists precisely because no single layer covers every case.

Storage physics still apply. Crypto-shredding makes the data unreadable by destroying the keys, which is the strongest practical guarantee available — but at the raw-storage level, flash wear-leveling means an overwrite can't promise that every physical trace of every byte is obliterated. In practice, destroying the keys is what matters: noise without a key is just noise. We mention the physics because honesty about storage is part of how we build, and because a sophisticated lab is the only adversary for whom the distinction could ever matter.

It only covers this device's copy. Anything that already left — synced elsewhere, backed up, screenshotted by a contact — is outside the reach of a wipe on this device. Remote wipe destroys what's on the target, not every copy that ever existed.

Within those limits, remote wipe does exactly what it promises: it lets you destroy the protected data on a device you can no longer touch, safely, with the certainty that no one but you can ever pull that trigger. For the all-too-common moment when a device leaves your control, that reach is the difference between an inconvenience and a breach.

Crypto-shred versus overwrite: why the method matters

It's worth understanding the two philosophies of data destruction, because they explain why a well-designed remote wipe is both fast and trustworthy where a naive one would be slow and uncertain.

The intuitive approach is overwrite: march through the storage and replace every byte of sensitive data with zeros or random noise, so there's nothing left to read. On the spinning hard drives of decades past, this worked well. On modern flash storage — the kind in every phone and most laptops — it runs into a physical wall called wear-leveling. To extend their lifespan, flash chips constantly remap where data physically lives, so when the operating system says "overwrite this block," the chip may quietly write the new data somewhere else and leave the old copy sitting in a region the OS can no longer address. You can't reliably overwrite what you can't reliably point at. Overwrite on flash reduces recoverability; it can't honestly promise zero.

The better approach for encrypted data is crypto-shredding, and it sidesteps the whole problem. If your data is encrypted — and on Helix, all of it is — then the data is already unreadable noise without the key. Destroy the key and every byte of that noise becomes permanently meaningless, no matter how many stale copies wear-leveling has scattered around the chip. You don't have to find and obliterate gigabytes of files; you have to destroy a few hundred bits of key material, which is fast, precise, and complete. A crypto-shred turns "erase everything" into "erase the one small thing that makes everything readable," and that's a problem flash storage can't quietly defeat.

This is why Helix's wipe — local burn and remote wipe alike — is crypto-shred first. It's the destruction method that's actually honest about how modern storage works, backed by overwrite where overwrite genuinely adds value. We'd rather destroy the key with certainty than promise a byte-by-byte scrub that the hardware won't fully honor.

The bottom line

Losing a device shouldn't mean losing control of what's on it. Remote wipe extends your reach past the moment of loss — letting you crypto-shred the vault, identity, files and keys from anywhere, while guaranteeing that the command can only ever come from you. It's the safety net under every other defense: when the phone is gone but the data must not survive, you can still make sure it doesn't. For anyone carrying secrets that matter, that reach is worth having long before the day you need it.

Core $199 · Operator $499 · Sovereign $999 — fixed, published pricing, paid in crypto, no account required.