Show HN: TrueLock – secure messages as encrypted files with unlock rules

3•dkatsura•1h ago

I built TrueLock for “secure messaging without a messenger”.

Instead of sending plaintext in chat, you wrap a message (and attachments) into a single encrypted capsule file (.cfcaps) and share it via any channel (Telegram/email/drive/USB). The recipient opens the file in the app.

What’s different vs “just encrypt a file” is that the unlock policy travels with the ciphertext:

time window

geo radius

password (Argon2id)

visual key (optional)

AND/OR logic across rules

Current clients: Android + Windows. Crypto: AEAD (AES-GCM / ChaCha20-Poly1305).

Threat-model boundary: policy checks are local; a fully compromised endpoint can bypass checks or exfiltrate plaintext after legitimate open.

I’d value technical feedback on:

threat-model clarity

strongest real use case

what trust artifact you’d want next (format spec, test vectors, reproducible builds)

https://truelock.pro

Comments

dkatsura•1h ago

Maker here. Quick challenge for the skeptics:

Assume the capsule file leaks (someone forwards/copies it). In your view, does embedding the access policy (time/geo/password/visual key) into the same artifact as the ciphertext add any value, or is it pure security theater?

If you think it’s theater, what’s the smallest, most realistic bypass you’d try first — and what constraint would you add to make this primitive actually useful?

dkatsura•1h ago

Maker here — adding a concrete detail to make critique easier.

Capsule = one file: header (version, KDF/AEAD ids) + encrypted payload chunks + policy tree (AND/OR over time/geo/password/visual). Password path uses Argon2id; payload encryption is AEAD (AES-GCM or ChaCha20-Poly1305).

If you were reviewing this: what would you want first — (a) public capsule format spec, (b) test vectors for decrypt/verify, or (c) a short threat-model page with explicit non-goals?

dkatsura•59m ago

Maker here. If you think this is security theater, please don’t be polite — pick one and attack it:

1. “policy travels with ciphertext” — why is that a bad idea vs external workflow? 2. geo/time gating — useless gimmick or actually valuable friction? 3. visual key — dumb novelty or practical multi-party secret?

I’m genuinely trying to find the sharpest criticism, not compliments.

Lise Meitner's Nuclear Vision

Where things stand with the Department of War

Third Kairos (Space One) launch fails

The FCC Wants Your Next Customer Service Agent to Be in the U.S.

Show HN: Multicorn Shield – Open-source permissions and approvals for AI agents

Vet

Self-Learning Customer Engagement

Show HN: Ghoten – OpenTofu fork with ORAS back end for state in OCI registries

Obfuscated C – Wordle hard mode solver

Remembering Mayhem

Au Revoir, Eleventy

Show HN: Claw Messenger, Text OpenClaw over iMessage Without a Mac Mini

Stackoverflow (Beta)

Investor Sam Lessin likens Iran war to Purim, the murder of 75,000 Persians

Gog – Google in Your Terminal

The nightmare war scenario is becoming reality in energy markets

Context Engineering

Tracking Apple's Environmental Claims Across Product Generations

GZOO Cortex – local-first knowledge graph that watches your project files

LinguaKin is an offline-first, non-addictive language encyclopedia for polyglots

FARS: Automated Research System

Xiaomi Vision Gran Turismo Makes Global Debut at MWC Barcelona 2026

The Editor Who Helped Build a Golden Age of American Letters

Can the Most Abstract Math Make the World a Better Place?

Minivum (mini-Vim)

Temporal drives demand for Durable Execution – Temporal

Show HN: Sick Clock" by Obeo – Predict your next sick day

World Monitor – Real-Time Global Intelligence Dashboard

Oracle plans job cuts as data center costs rise, Bloomberg News reports

The growth of command line options, 1979-Present