Continuity

You're never locked in

Everything you need to open your vault is already in your hands: the printed cards, your own copy of the bundle, and an open tool anyone can run. AmberKey being here makes it convenient; AmberKey is never what makes it possible. Here's exactly how that independence works.

The recovery spec, in one paragraph

Your continuity bundle is a single file: a tar archive encrypted with age v1 to your vault's X25519 key. That key's raw 32 bytes are split with SLIP-39 across your circle's printed cards. Recovery is therefore three standard steps: reconstruct the 32-byte secret from enough cards (any conforming SLIP-39 implementation), re-encode it as an age identity, and decrypt the bundle (any conforming age implementation). The full specifications (bundle format, recovery procedure, card format) are public, versioned, and committed to backward compatibility forever. Nothing proprietary is required at any step.

In practice nobody has to know any of that: the offline tool does it all. The point of spelling it out is durability. In 2045, a competent stranger with only the spec could rebuild the tool from scratch, which is why your access has no expiry date.

Where to get the recovery tool

recover.html is one self-contained file. Open it in any modern browser directly from disk. It makes no network requests and needs none. There is also a command-line version, amberkey-recover. Mirrors, in priority order (this same list is printed on every instruction sheet):

  1. recover.amberkey.app: hosted copy; save the page to disk
  2. GitHub releases: github.com/amberkey-app/amberkey (primary repository)
  3. Codeberg mirror: codeberg.org/amberkey/amberkey
  4. Software Heritage archive: permanent snapshots of both mirrors
  5. Internet Archive: release artifacts including recover.html

Four of the five are institutions or platforms with no business relationship to us, so your copy of the tool stays reachable independently of anything we do.

Verify what you downloaded

Every release is signed and built from pinned source, so the published hashes can be checked by anyone, not just trusted from us. (We build deterministically within a fixed environment and are working toward fully reproducible arbitrary-machine builds — a known gap tracked openly.) Releases are signed with minisign, and every printed card carries the tool's SHA-256 hash and the minisign public key fingerprint.

To verify a downloaded copy against a printed card:

# 1. Hash must match the printed value for that release
sha256sum recover.html

# 2. Signature must verify against the printed minisign public key
minisign -Vm recover.html -P <printed public key>

If the hash differs, your card may simply predate a newer release; any genuine release's signature still verifies against the printed key. When in doubt, use the exact release whose hash is printed on the card. Step-by-step instructions for non-command-line users: verifying the recovery tool.

Our commitment if we ever wind down

The architecture above already guarantees your access. On top of it, we make a promise in our Terms of Service: if AmberKey ever stops operating, we hand things off gracefully rather than going dark. Specifically:

  • Twelve months' notice. Announced on the site, by email to every owner, and in the repository, before any service degradation.
  • A final-state offline conversion. The last product release converts every account to a fully offline flow: guided bundle export, re-print of kits with fresh verification data, and the offline ceremony procedure in place of the hosted one.
  • Bundles downloadable the entire time. Your encrypted bundle remains exportable throughout the full wind-down period, and the client keeps a full local copy at all times anyway. Local-first is the architecture, not a feature.

Even in the worst case, a sudden shutdown with no notice at all, you lose nothing essential: your cards, your local bundle copy, and a mirrored tool that needs nothing from us are the real safety net. The commitment above makes a hand-off orderly; the architecture is what makes your access unconditional either way.

The one thing we ask of you: export your continuity bundle when the app nags you (annually, and after any change). A current bundle in your own keeping, plus the USB copies your circle holds, is what makes every promise on this page unconditional.