CLI Docs
Encrypt to a future UTC minute with curl and
openssl.
Encrypt
# Set the unlock time and file
UNLOCK=YYYY-MM-DDTHH:MM:00Z
FILE=plaintext.txt
# Download the public key for this minute.
# timelock.sh serves it inside a certificate file named cert.pem.
curl -s https://timelock.sh/api/v1/keys/${UNLOCK}/cert -o cert.pem
openssl cms -encrypt -in ${FILE} \
-recip cert.pem \
-keyopt rsa_padding_mode:oaep -keyopt rsa_oaep_md:sha256 \
-aes-256-gcm \
-outform DER -out ${FILE}.encDecrypt
FILE=plaintext.txt.enc
# Extract the unlock time from the file
UNLOCK=$(openssl asn1parse -inform DER -in ${FILE} \
| grep -oE '[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}Z' | head -1)
openssl cms -decrypt -inform DER -in ${FILE} \
-inkey <(curl -fsS https://timelock.sh/api/v1/keys/${UNLOCK}/key) -out decrypted.txt
The unlock minute is embedded in the encrypted file's certificate.
Before that minute, the key endpoint returns 425 Too Early.
API
A PEM is just text that stores a cryptographic key or certificate. The
/cert endpoint returns public keys you use to encrypt
files. The /key endpoint returns the matching RSA private
key only after the unlock minute, and you use it to decrypt.
/api/v1/keys/{minute}/cert |
Public key for encryption, packaged as a PEM X.509 certificate. |
/api/v1/keys/{minute}/key |
Private key for decryption, returned as PEM text. Returns
425 before the unlock minute.
|
Notes
- All times are UTC, truncated to the minute.
- Keys are pre-generated about one month (30 days) into the future.
.encfiles are standard CMS/PKCS#7 DER.-
The
-keyoptflags keep OpenSSL compatible with browser decryption. - Requires OpenSSL 3.x for GCM + OAEP support.
- Full endpoint/error reference: /llms.txt.