Open source

Trust the math, audit the code

The recovery-critical parts of AmberKey (the crypto core, the offline tool, and every format specification) have been open source from the first commit.

Repository and mirrors

One Rust core crate implements all cryptography (SLIP-39, age bundle handling, the card model) and is compiled to WebAssembly for the browser and natively for the CLI. The recovery tool, the app, and amberkey-recover all share that single core: no re-implementations to drift apart.

License

The published repository (crypto core, recover.html build, amberkey-recover, and all specifications) is licensed Apache-2.0. Use the code, embed it, fork it, outlive us with it. Patent protection is built into the license.

We're deliberate about the boundary: everything a recovery depends on is open and mirrored. The service around it (the coordination server, the owner console, this site) is proprietary, and no recovery ever touches it. If that boundary ever seems wrong, that's a bug in our promise: tell us.

Specifications

Bundle format

The continuity bundle: age v1 over ustar tar, the manifest schema, the exact master-secret encoding SLIP-39 splits, and forward-compatibility rules.

spec/bundle-format.md

Recovery procedure

The zero-network recovery procedure: what you need, mirror priority, verification, and troubleshooting. This is what the printed sheet points to.

spec/recovery.md

Share card format

What each printed card carries, what is deliberately left off, card ID semantics, and the QR content rationale.

spec/share-card.md

Also in the repo: the canonical threat model (summarized on the security page), updated with every change to ceremony or liveness logic.

Why SLIP-39 and age?

SLIP-39 because splitting the key is the part that must work in thirty years, held by non-technical people, on paper. SLIP-39 is a published standard (SatoshiLabs, used by Trezor hardware) with official test vectors, group thresholds built in ("any 2 of: spouse, both kids, the attorney" is native, not bolted on), a human-checkable wordlist, and a checksum that catches typos. It is information-theoretically secure below the threshold and has multiple independent implementations. Our implementation passes the complete official Trezor vector suite.

age because bundle encryption should be boring. age v1 is a small, rigorously specified modern format (X25519, ChaCha20-Poly1305) with a formal spec, mature implementations in several languages, and none of the historical foot-guns of PGP. A single recipient stanza, a binary file, done.

The common thread: your recovery must never require our code. Anything proprietary rides alongside the standard artifacts, never inside them. If you can find a SLIP-39 implementation and an age implementation (and the world has many of each), you can open your vault.

Contributing and reporting

Issues and pull requests are welcome on GitHub. Security reports go to security@amberkey.app; see SECURITY.md for the disclosure process.