Since the late 1990s, we've had PGP to exchange keys and encrypt messages or files. Now there’s TimeSeed—a simple, privacy-focused alternative that doesn’t rely on centralized servers or key pairs.
With TimeSeed, you only use pre-shared secrets. As long as you and your correspondent(s) know a shared TimeSeed (can even be public if needed), you’ll be able to start secure communication. Use differentiators like a “pepper” password that you both know for added security.
In TimeSeed, there’s no personal information involved—no email, fingerprint, ID, phone number, or hardware wallet. No central server or authority is required. It’s just pure cryptography, built for privacy. It’s also built for flexibility, using a two-layer setup:
TimeSeed + Pepper password → Derived (time-based) encryption password
TimeSeed is a deterministic password generator with built-in re-keying using pre-shared secrets.
From a single secret (the TimeSeed) and an optional pepper password, you can derive strong encryption keys on any device, online or offline.
It uses AES-GCM encryption with salting—verifiable, standard cryptography. All logic is contained in one single HTML file. No hidden components, no black boxes.
Key elements:
You can pick custom dates for more control. LockIt is also available standalone for quick use, but avoid reusing keys there.
The goal: Encrypt data before it hits any network or server, outside the “internet surveillance” bubble. Quantum-resistant methods protect against brute-force and side-channel attacks.
Ciphertexts start with a version header like “54533” (TS4 for v2) for compatibility.
Ideal for journalists, NGOs, or whistleblower platforms. Lets anyone encrypt to you without prior contact—safe even if transmitted openly.
In rare cases like emergencies, make the TimeSeed public; the pepper remains your secret anchor.
More secure: Keep ALL info private among individuals. Share TimeSeeds securely, not online. Pepper is less critical but still boosts security. Intercepted ciphertexts remain uncrackable without impossible brute-force costs.
K7pL9mX2vB8nQ4wE6rT1yU3iO5pA7sD9fG0hJ2kL4zX6cV8bN1mQ3wE5rTcorrect horse battery staple violin nebulaMy cat Luna stole my red USB stick and hid it under the radiator“Encrypt with today’s UTC date (or the current 6-month semester). We check both automatically.”They paste your TimeSeed, choose “Today” or “This semester,” encrypt their message/file, and send the result. They don’t need your pepper!
Try 2–4 combinations (takes seconds if they couldn't stipulate that and you have to guess—which can happen in an emergency for example):
The tool chooses and fills in that decrypt password instantly with the one you selected with the "use in LockIt" button.
Real protection: Secret pepper + strong Argon2id (128 MiB memory-hard hashing). Even top agencies can’t brute-force a good pepper—millions to billions of years needed.
This sort of system can be used with a proven track record: zero known breaks when the pepper stayed secret.
Stay safe and keep giving sources a secure way to reach you!
TimeSeed:
R8prjIjMdg7mr2lL5a3NtYS3Jh43WqCHfbNxDIOtFDguFMAis2
Don't paste this in the "Lockit" section (that's for passwords). Place the TimeSeed above, in the TimeSeed section!!!
Pepper:
encrypt-everything
Date:
03 01 2026 (3rd of January 2026)
Long-term key:
B2bb83c9f5000e01c0d85616676cb323a7eb06745f48dae954dd7a776768e7b7
Encrypted message:
545334040178820bf1491d69fc2f1e549ac5919d8a9a1f02d5a929b35c9ede503c72e869b989d74edb07a44f3b8f16d3cd2ab4d3a333c7aa79ec939cbee1b7814d71f09ea43590fd5c3926b2ae34b9a2b8abe8fb2a379e030b5927c7c417baabd2f9ef0b916871ec534bb3cce06a9091c38965396aa56f
Decrypted output:
“Test message created for date Jan. 3, 2026 with ….”
I’ve also encrypted a .png file (an image of a tower).
The SHA-256 hash of this image is: 645C0801FD42AF82C0E91160FF5886238E15063C6AA93085BAA6D51C29DEE473
The MD5 is: AF200B6269E2783CBE2C6D027F3F2E47
You can test this with the same information as the earlier text example (long-term key: B2bb8…).
The image in .locked (encrypted) form can be downloaded from this link, then decrypted.
Use a hashing tool (like QuickHash or free online hash checker) to compare before and after hashes to verify no changes during encryption/decryption.
See if you can decrypt the .locked file to match the original image!
TimeSeed / LockIt performs memory-hard client-side cryptography (Argon2 + AES-GCM) directly in your browser. While this works reliably on Android, Windows, macOS, and Linux browsers, Apple’s iOS platform imposes strict execution and memory limitations on browser-based cryptographic workloads when used offline, which prevents the use of strong cryptography.
On iPhone and iPad, Apple requires all browsers to use its WebKit engine, which aggressively limits long-running JavaScript, WebAssembly, and cryptographic operations. As a result, encryption buttons may appear inactive or unresponsive when used offline/locally. This is not a bug, but a platform limitation where technical choices by Apple are the direct cause.
The author of timeseed.io refuses to downgrade the security of this tool or weaken key generation merely to make it appear functional on all iOS devices. So security is not compromised for platform compatibility.
For secure operation of TimeSeed and LockIt, we recommend using a desktop browser or an Android device (offline or online doesn't matter in these cases). iPhone and iPad are not supported for offline use of this tool and will not be for the foreseeable future.
TimeSeed is free, open-source, and designed for a future where privacy is a human right.