No-custody by design · Runs in your browser
The Locker — filesystem of the Bonis OS

The double-sided black box.

The usual way to secure data is a harder vault around a shared collection bin — the vendor data-lake every breach headline is about. The Locker refuses the bin. Data is sealed so whoever carries it holds ciphertext they cannot read; the cover lifts only with your key. The most secure container is no container.

Open the box

Seal a note, then reveal it — or fail to, with the wrong key.

Watch where your data goes: nowhere. The reveal runs entirely in your browser using the Web Crypto API. Nothing you type is sent anywhere; there is no server in this demo. That is not an implementation detail — it is the thesis.

Seal a note — then reveal it with the code
Demo · runs in your browser

Write a note and a passcode, then Seal. You see the opaque box — that is all a custodian, or any hop in transit, ever sees. Then type the passcode and Reveal. A wrong code is refused, never approximated. The seal and the reveal both run here, on your device; nothing you type is sent anywhere.

A demonstration — use throwaway text, though nothing here leaves your browser anyway.
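The seal and reveal described above, as an added example that is not the Locker's own code: a passcode is stretched into an AES-256-GCM key, and the box carries only ciphertext, nonce, and salt. The KDF (PBKDF2-SHA-256), its iteration count, the salt and nonce sizes, and all function names are assumptions; the page does not state them.

```javascript
// Added example: passcode-sealed box with the Web Crypto API.
// Browser: globalThis.crypto. Older Node without the global: node:crypto fallback.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();
const KDF_ITERATIONS = 600000; // assumed work factor, not taken from the page

// Stretch the passcode into a non-extractable AES-256-GCM key bound to this box's salt.
async function deriveKey(passcode, salt) {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(passcode), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: KDF_ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Seal: fresh random salt and 96-bit nonce per box. The box holds no plaintext and no key.
async function seal(note, passcode) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const nonce = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(passcode, salt);
  const ciphertext = new Uint8Array(
    await wc.subtle.encrypt({ name: "AES-GCM", iv: nonce }, key, enc.encode(note)));
  return { ciphertext, nonce, salt };
}

// Reveal: GCM checks the authentication tag before releasing any plaintext,
// so a wrong passcode or a modified box is refused outright.
async function reveal(box, passcode) {
  const key = await deriveKey(passcode, box.salt);
  try {
    const plain = await wc.subtle.decrypt(
      { name: "AES-GCM", iv: box.nonce }, key, box.ciphertext);
    return { ok: true, note: dec.decode(plain) };
  } catch {
    return { ok: false, note: null }; // OperationError: tag did not verify
  }
}

// Constructed sample run: right passcode, wrong passcode, and one flipped ciphertext bit.
async function demo() {
  const box = await seal("constructed sample note", "correct-passcode");
  const good = await reveal(box, "correct-passcode");
  const bad = await reveal(box, "wrong-passcode");
  const tampered = { ...box, ciphertext: box.ciphertext.slice() };
  tampered.ciphertext[0] ^= 1;
  const forged = await reveal(tampered, "correct-passcode");
  return { box, good, bad, forged };
}
```

The ciphertext is 16 bytes longer than the note because it carries the GCM tag, which is the size metadata a holder can still observe.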

What crosses — and what stays

A holder can carry the box and still never open it.

Crosses / is held — opaque

  • The sealed box — ciphertext, nonce, and salt (no plaintext, no key)
  • A tiny proof of identity (a hash), small enough for a satellite or QR link
  • A content-free ledger entry per cover-lift
  • A custody trail — provable, hashed, never named

Never moves / never exposed

  • The plaintext — it exists only once the cover is lifted, on your device
  • Your key — it never travels with the box
  • Any contents on the ledger — only hashes are recorded
  • A breachable middle — there is no collection bin

No-custody is preserved even when the data is handed off — the cover lifts only at the destination, only with the key. The handoff is designed so a carrier cannot decrypt the box it holds; independent audit pending. Ciphertext size and event timing remain observable metadata — named, not hidden.

Post-quantum posture — stated honestly

Where the Locker stands, layer by layer.

The federal post-quantum migration is framed around “harvest now, decrypt later.” Here is exactly where the Locker stands — the gap shown plainly rather than buried under a blanket “post-quantum” claim.

| Layer | Algorithm | Quantum status |
| --- | --- | --- |
| Data at rest (the box) | AES-256-GCM | Resistant. Quantum-resistant — Grover only halves the strength (~128-bit) |
| Tamper-evident ledger (Knox) | SHA-256 hash-chain today; ML-DSA-87 (FIPS 204) on the production Knox rail | Resistant. Hash-chain is quantum-resistant; ML-DSA-87 is a NIST post-quantum signature standard |
| The key-grant (handoff) | X25519 (classical) | Gap. Not yet post-quantum — a hybrid ML-KEM-768 / X25519 upgrade is tracked, not shipped |

Bonis will not describe the key-grant as post-quantum until the hybrid wrap ships. The word does no work it has not earned.

Put your own data in a box only you can open

Run the boundary on your data, as a design partner.

The Bonis OS is built and checkable today — you just sealed a box on your own machine. It is offered to a small number of organizations as a hands-run design-partner pilot: your data, your environment, sealed and handed off without a readable copy in any middle. Describe what you would put in a box; a person — not a bot — replies.

A person replies — no list