Show HN: TimeSeal – Cryptographic time-locked vaults with Dead Man's Switch (github.com/teycir)
2 points by teycirb 5 months ago | 2 comments

I built TimeSeal to solve a problem: most "future message" apps rely on trust. TimeSeal uses split-key cryptography to make early access mathematically impossible.

*How it works:*

Your browser generates two random AES-GCM-256 keys. Key A stays in the URL hash (never sent to server). Key B goes to Cloudflare Workers. The server refuses to release Key B until the unlock time. Without both keys, decryption is impossible—even for me.

*Three modes:*

1. *Timed Release* - Opens at exact future date (product launches, birthday messages)
2. *Dead Man's Switch* - Auto-unlocks if you stop checking in (crypto inheritance, whistleblower insurance)
3. *Ephemeral* - Self-destructs after N views (one-time passwords, confidential sharing)

*Architecture highlights:*

- Triple-layer encryption (client-side AES-GCM + server-side key encryption + master key)
- Split-key design: no single party can decrypt early
- Server-side time enforcement (client clock is irrelevant)
- Cloudflare Workers + D1 database (edge-native, globally distributed)
- Replay attack prevention with nonce-based pulse tokens
- Rate limiting via SHA-256 browser fingerprinting
- Open source (BSL license, converts to Apache 2.0 in 4 years)

*Security model:*

Even with full database access, an attacker cannot decrypt without:

- Key A (in URL hash, never transmitted)
- Master encryption key (environment secret)
- Both keys combined

The server enforces time-locks via Cloudflare's NTP-synchronized infrastructure. No root access = no time manipulation.

*Use cases I didn't expect:*

- Estate planning (crypto seed phrases that unlock after 30 days of silence)
- Journalist insurance (evidence auto-releases if arrested)
- Marketing stunts (countdown timers for product drops)
- Legal holds (contracts that activate on settlement date)

Live demo: https://timeseal.online

Source: https://github.com/teycir/timeseal

Docs cover threat model, attack scenarios, self-hosting, and trust assumptions. Happy to answer questions about the crypto, architecture, or edge cases.

---
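The split-key flow described in the post, as an added Node.js sketch that is not TimeSeal's code: the client encrypts under a key derived from both halves, and the server hands out Key B only once its own clock passes the unlock time. Assumptions: the two keys are combined with HKDF-SHA256 over their concatenation, all function and field names are hypothetical, and the server-side wrapping of Key B under the master key is left out.

```javascript
// Added illustration, not TimeSeal's code. Uses only the Node.js standard library.
const crypto = require('node:crypto');

// Assumption: the content key is HKDF-SHA256 over keyA || keyB (the post does not say).
function deriveContentKey(keyA, keyB) {
  const ikm = Buffer.concat([keyA, keyB]);
  return Buffer.from(crypto.hkdfSync('sha256', ikm, Buffer.alloc(0), 'seal-demo', 32));
}

// Client side: generate both halves and encrypt locally with AES-256-GCM.
function sealMessage(plaintext, unlockAtMs) {
  const keyA = crypto.randomBytes(32); // stays in the URL fragment, never uploaded
  const keyB = crypto.randomBytes(32); // uploaded to the server with the ciphertext
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveContentKey(keyA, keyB), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const record = { keyB, iv, ct, tag: cipher.getAuthTag(), unlockAtMs };
  return { urlFragment: keyA.toString('base64url'), record };
}

// Server side: the gate compares against the server's clock, never a client value.
function releaseKeyB(record, serverNowMs) {
  return serverNowMs >= record.unlockAtMs ? record.keyB : null;
}

// Client side after unlock: rebuild the key; the GCM tag check rejects a wrong half.
function openMessage(urlFragment, record, keyB) {
  const keyA = Buffer.from(urlFragment, 'base64url');
  const d = crypto.createDecipheriv('aes-256-gcm', deriveContentKey(keyA, keyB), record.iv);
  d.setAuthTag(record.tag);
  return Buffer.concat([d.update(record.ct), d.final()]).toString('utf8');
}
```

In this sketch the stored record alone (ciphertext plus Key B) cannot be opened without the URL fragment, and the fragment alone cannot be opened until `releaseKeyB` returns the second half.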



This is cool - similar to Sarcophagus in the crypto world, but based on CloudFlare workers instead of a Blockchain. Assuming I trust that it works as intended and the site doesn't have access to my data, I'm still trusting

1. That CloudFlare workers will still be around after I die.
2. That you, the site owner, are still paying your CloudFlare bill.
3. That the cryptography behind it hasn't been cracked.
4. Governments haven't come in and forced you or CloudFlare to delete encryption keys because of some info they didn't want to leak.

That's a lot of ifs.


I flagged this as undisclosed slopware being pushed as secure cryptographic engineering with no reasonable measure of human review.

All the best,

-HG



