Show HN: TimeSeal – Cryptographic time-locked vaults with Dead Man's Switch

https://github.com/Teycir/Timeseal

2•teycirb•2h ago

# Hacker News Submission

## Title Show HN: TimeSeal – Cryptographic time-locked vaults with Dead Man's Switch

## Post Text

I built TimeSeal to solve a problem: most "future message" apps rely on trust. TimeSeal uses split-key cryptography to make early access mathematically impossible.

*How it works:*

Your browser generates two random AES-GCM-256 keys. Key A stays in the URL hash (never sent to server). Key B goes to Cloudflare Workers. The server refuses to release Key B until the unlock time. Without both keys, decryption is impossible—even for me.

*Three modes:*

1. *Timed Release* - Opens at exact future date (product launches, birthday messages) 2. *Dead Man's Switch* - Auto-unlocks if you stop checking in (crypto inheritance, whistleblower insurance) 3. *Ephemeral* - Self-destructs after N views (one-time passwords, confidential sharing)

*Architecture highlights:*

- Triple-layer encryption (client-side AES-GCM + server-side key encryption + master key) - Split-key design: no single party can decrypt early - Server-side time enforcement (client clock is irrelevant) - Cloudflare Workers + D1 database (edge-native, globally distributed) - Replay attack prevention with nonce-based pulse tokens - Rate limiting via SHA-256 browser fingerprinting - Open source (BSL license, converts to Apache 2.0 in 4 years)

*Security model:*

Even with full database access, an attacker cannot decrypt without: - Key A (in URL hash, never transmitted) - Master encryption key (environment secret) - Both keys combined

The server enforces time-locks via Cloudflare's NTP-synchronized infrastructure. No root access = no time manipulation.

*Use cases I didn't expect:*

- Estate planning (crypto seed phrases that unlock after 30 days of silence) - Journalist insurance (evidence auto-releases if arrested) - Marketing stunts (countdown timers for product drops) - Legal holds (contracts that activate on settlement date)

Live demo: https://timeseal.online

Source: https://github.com/teycir/timeseal

Docs cover threat model, attack scenarios, self-hosting, and trust assumptions. Happy to answer questions about the crypto, architecture, or edge cases.

---

Comments

pants2•1h ago

This is cool - similar to Sarcophagus in the crypto world, but based on CloudFlare workers instead of a Blockchain. Assuming I trust that it works as intended and the site doesn't have access to my data, I'm still trusting 1. That CloudFlare workers will still be around after I die. 2. That you, the site owner, are still paying your CloudFlare bill. 3. That the cryptography behind it hasn't been cracked. 4. Governments haven't come in and forced you or CloudFlare to delete encryption keys because of some info they didn't want to leak. That's a lot of ifs.

Dr. Claw: Claude's First CVE. AI's First CVE

Show HN: Voice-first todo list that updates live as you talk

How AI coding agents work–and what to remember if you use them

Gaia finds hints of planets in baby star systems

Lwlog 1.5.0 Released

Childhood and Education #16: Letting Kids Be Kids

Janet Jackson had the power to crash laptop computers (2022)

The Mythical Non-Roboticist (2024)

USD Share as Global Reserve Currency Drops to Lowest Since 1994

Our Rationality Future: Quit, All-In, or Bust

A Way with Words: Thomas Merton's Orwellian Thoughts on Language [pdf]

I was sold a fake calculator [video]

Emotion is the enemy of reason [video]

Gpg.fail

Ask HN: Thoughts on US drone industry after Chinese production ban

Why JavaScript Needed Docker

Trump's First Year Back, in 10 Charts

Show HN: Net Sentinel – Network Monitoring with a Pseudo-Code Engine

Thought-Terminating Cliché

Show HN: I'm 15. I built an offline AI Terminal Agent that fixes errors

Employee commits suicide after MongoDB fired her during mental health leave

'Artificial intelligence' myths have existed for centuries

The False Colours of Astronomy

Study: Everyday conversations can delay eye movement, essential for safe driving

Clip2type: Bypass clipboard pasting restrictions by emulating keystrokes

Rcarmo/PhotosExport: Export All Your Data from Apple Photos

VSCode rebrands as "The open source AI code editor"

Of Boot Vectors and Double Glitches: Bypassing RP2350's Secure Boot

Spotify leak: why so many 2-minute songs

This PNG shows a different version when loaded in Chrome than in Safari