timevault

timevault encrypts a file until a future drand randomness beacon is published. The vault requires both:

• the drand beacon signature for the selected future round
• the user password (necessary because drand beacons are public; once the round finishes, anyone can open the timelock)

Usage

Build:

cargo build --release

Encrypt until an absolute UTC time:

TIMEVAULT_PASSWORD='use a real passphrase' \
  cargo run -- encrypt \
  --input secret.txt \
  --output secret.tvault \
  --until 2026-05-15T12:00:00Z

Encrypt for a relative delay:

TIMEVAULT_PASSWORD='use a real passphrase' \
  cargo run -- encrypt \
  --input secret.txt \
  --output secret.tvault \
  --after 2

--after is measured in hours and accepts decimals, for example --after 1.5.

Decrypt after the drand round has been published:

TIMEVAULT_PASSWORD='use a real passphrase' \
  cargo run -- decrypt \
  --input secret.tvault \
  --output secret.txt

Inspect metadata without decrypting:

cargo run -- inspect --input secret.tvault

If TIMEVAULT_PASSWORD and --password are omitted, the CLI prompts for the password.

Format

The file starts with TIMEVAULT1, a JSON metadata length, JSON metadata, and a tlock-age ciphertext payload.

Encryption order:

1. The plaintext is encrypted with Argon2id-derived ChaCha20-Poly1305 using the vault metadata as authenticated data.
2. That password ciphertext is encrypted with tlock_age for a future drand round.

The default drand chain is quicknet:

https://api.drand.sh/52db9ba70e0cc0f6eaf7803dd07447a1f5477735fd3f661792ba94600c84e971