SkillAgentSearch skills...

Timeseal

Time-locked encryption vault with Dead Man's Switch. Send encrypted messages that unlock at a specific date or auto-release if you go silent. AES-256, split-key crypto, ephemeral seals. Perfect for crypto inheritance, whistleblowing, scheduled releases. Self-hostable.

GenerateConvertImprove

Install / Use

/learn @Teycir/Timeseal
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

<!-- donation:eth:start --> <div align="center">

Support Development

If this project helps your work, support ongoing maintenance and new features.

ETH Donation Wallet
0x11282eE5726B3370c8B480e321b3B2aA13686582

<a href="https://etherscan.io/address/0x11282eE5726B3370c8B480e321b3B2aA13686582"> <img src="publiceth.svg" alt="Ethereum donation QR code" width="220" /> </a>

Scan the QR code or copy the wallet address above.

</div> <!-- donation:eth:end --> <div align="center">

License Encryption Storage Status

<a href="https://timeseal.online"> <img src="public/timeseal_ascii.svg" alt="Time-Seal Animation"> </a>

Send digital time capsules that are impossible to open until the date you choose.

<a href="https://www.youtube.com/watch?v=7nwcL-pt0pA"> <img src="public/demo.gif" alt="TimeSeal Demo"> </a>

Time-Seal Architecture

Time-Seal Landing Page

"If I go silent, this speaks for me."

Create a Seal · View Architecture · Report Bug

</div>

📑 Table of Contents

⚡ Overview

TIME-SEAL is a cryptographically enforced time-locked vault system built on Cloudflare's edge infrastructure. It allows you to encrypt a file or message that mathematically cannot be opened until a specific moment in the future.

⚠️ Retention Policy: All seals are automatically deleted 30 days after their unlock time to protect database resources. Maximum seal lifetime is 60 days (30 days until unlock + 30 days retention).

Why is this different?

most "future message" apps contain "trust me bro" promises. Time-Seal is Cryptographically Enforced at the Edge.

📸 User Journey

<div align="center">

1. Create Your Seal

Seal Created

2. Keep It Alive (Dead Man's Switch)

Pulse Page

3. Unlock Your Content

Unlocked Seal

4. Manage Your Seals

My Seals Dashboard

</div>

🏗️ Architecture

<div align="center"> <h3>Zero-Trust • Edge-Native • Unbreakable</h3> </div>

🔒 Layer 1: The Vault (Encrypted D1 Database Storage)

Triple-Layer Encryption

All seals are encrypted in the database with multiple security layers:

  1. Client-Side Encryption (AES-GCM-256)

    • Your content is encrypted in your browser BEFORE sending to server
    • Uses split-key architecture: Key A (client) + Key B (server)
    • Encrypted blob stored as base64 in D1 database

  2. Server-Side Key Encryption

    • Key B is encrypted with MASTER_ENCRYPTION_KEY before database storage
    • Master key stored as environment secret (never in database)
    • Uses HKDF key derivation for additional security

  3. Database Contents (All Encrypted)

    • ✅ Encrypted blob (AES-GCM-256 ciphertext)
    • ✅ Encrypted Key B (AES-GCM-256 with master key)
    • ✅ IV (public, needed for decryption)
    • ✅ Metadata (unlock time, timestamps)
    • ❌ NO plaintext content ever stored

What an attacker with database access CANNOT do:

  • Decrypt without Key A (in URL hash, never sent to server)
  • Decrypt without master encryption key (environment secret)
  • Modify unlock time (cryptographically signed)
  • Access content before unlock time (server enforces time-lock)

🤝 Layer 2: The Handshake (Split-Key Crypto)

Trust-Minimized We use a Split-Key architecture to ensure no single party can decrypt the data early.

  • Key A (User): Stored in the URL hash. Never sent to the server.
  • Key B (Server): Stored in D1 database inside the secure enclave.
  • The Check: The server refuses to release Key B until Now > Unlock_Time.

💓 Layer 3: The Pulse (Dead Man's Switch)

Automated Release If used as a Dead Man's Switch, the user must click a private "Pulse Link" periodically. If they fail to check in, the seal unlocks automatically for the recipient.

🗑️ Layer 4: Auto-Cleanup (Database Protection)

30-Day Retention Seals are automatically deleted 30 days after unlock time via scheduled cron job. This ensures:

  • Maximum seal duration: 30 days (configurable limit)
  • Post-unlock retention: 30 days
  • Total maximum lifetime: 60 days
  • Prevents database overflow and ensures compliance

🧠 Logic Flow

sequenceDiagram
    participant User
    participant Browser
    participant API
    participant D1_DB

    Note over User, Browser: Phase A: Sealing
    User->>Browser: Select Template (Optional)
    Browser->>Browser: Auto-fill settings
    User->>Browser: Enters Secret + Time/Mode
    Browser->>Browser: Generate Key A + Key B
    Browser->>Browser: Encrypt Secret (Key A + Key B)
    Browser->>API: Send EncryptedBlob + Key B + Time + Mode
    API->>API: Validate (20h buffer for timezones)
    API->>D1_DB: Store Blob + Key B + Time + Metadata
    API-->>Browser: Return Seal ID + Pulse Token (if DMS)
    Browser->>Browser: Encrypt & Save to Local Vault (Optional)
    Browser-->>User: Show Link (#KeyA) + Options (Copy/Download/Save)

    Note over User, Browser: Phase B: Waiting (Seal Active)
    User->>Browser: Opens Link (#KeyA)
    Browser->>API: Request Seal Status
    API->>D1_DB: Check Time + View Count (if Ephemeral)
    D1_DB-->>API: Locked
    API-->>Browser: Status 403: "LOCKED" (Key B Withheld)
    Browser-->>User: Show Countdown Timer ⏳

    Note over User, Browser: Phase C: Unlocking (Seal Broken)
    User->>Browser: Opens Link (After Time)
    Browser->>API: Request Seal Status
    API->>D1_DB: Check Time + Increment View Count
    D1_DB-->>API: Unlocked + Key B
    API-->>Browser: Status 200: Return Key B + Encrypted Blob
    Browser->>Browser: Combine Key A + Key B
    Browser->>Browser: Decrypt Secret
    Browser-->>User: Display Decrypted Message 🎉

    Note over API, D1_DB: Auto-Cleanup (Background)
    API->>D1_DB: Delete if maxViews reached (Ephemeral)
    API->>D1_DB: Delete 30 days after unlock (All types)

🎯 Use Cases

💡 Quick Start Templates: Time-Seal now includes 10 pre-configured templates for common scenarios. Click any template button on the homepage to auto-fill settings and get started instantly.

🔥 The Confidential Sender

Scenario: "I need to send a one-time password that self-destructs after the recipient reads it."

How it works:

  1. Create ephemeral seal with maxViews=1
  2. Set unlock time to immediate or specific time
  3. Share vault link with recipient
  4. Recipient views content once
  5. Seal automatically deletes after first view
  6. No trace remains in database or storage

💀 The Crypto Holder

Scenario: "I have my seed phrase in a Time-Seal. If I die, it unlocks for my wife after 30 days of silence. If I'm alive, I reset the timer."

How it works:

  1. Create a Dead Man's Switch seal with your seed phrase
  2. Set pulse interval to 30 days
  3. Share the public vault link with your wife
  4. Keep the private pulse link secret
  5. Click the pulse link every 30 days to keep it locked
  6. If you die/disappear, the seal auto-unlocks for your wife

🕵️ The Whistleblower

Scenario: "I have evidence. If I am arrested and can't click the reset button, the evidence goes public automatically."

How it works:

  1. Upload sensitive files to a Dead Man's Switch seal
  2. Set pulse interval to 7 days
  3. Share the public vault link with journalists/activists
  4. Pulse every week to keep evidence locked
  5. If arrested/silenced, evidence automatically releases
  6. Creates accountability and protection

🚀 The Marketer

Scenario: "I'm dropping a limited edition product. The link is public now, but nobody can buy until the timer hits zero."

How it works:

  1. Create timed release seal with product details/access codes
  2. Set exact launch date and time
  3. Share vault link publicly on social media
  4. Build anticipation with countdown timer
  5. Product automatically unlocks at launch time
  6. Creates viral marketing buzz

🎁 The Gift Giver

Scenario: "I want to send a birthday message that unlocks exactly at midnight on their birthday."

How it works:

  1. Write personal message or upload file
  2. Set unlock time to birthday midnight
  3. Send vault link in advance
  4. Recipient sees countdown until birthday
  5. Message unlocks at perfect moment
  6. Creates magical surprise experience

🏛️ The Legal Professional

Scenario: "I need to ensure this contract becomes active only after the settlement date."

How it works:

  1. Seal legal files with specific unlock date
  2. Share vault link with all parties
  3. Documents remain cryptographically locked
  4. Auto-unlock when settlement period expires
  5. Ensures compliance and timing
  6. Provides immutable proof of timing

❓ FAQ: How It Works

How does Time-Seal prevent early access?

Split-Key Architecture:

  1. Your browser generates two random keys: Key A and Key B
  2. Both keys are needed to decrypt your content
  3. Key A stays in your browser (in the URL hash)
  4. Key B is sent to the server (encrypted with master key)
  5. Server refuses to release Key B until unlock time
  6. Without both keys, decryption is mathematically impossible

Server-Side Time Enforcement:

  • All time checks happen o

Teycir

View profile

View on GitHub
GitHub Stars49
CategoryProduct
Updated4h ago
Forks6
Teycir/Timeseal

Languages

TypeScript

Security Score

80/100

Audited on Mar 21, 2026

No findings