AION
Common Questions

Asked before sealing, answered with math.

These are the questions every first-time visitor brings. AION is strange on purpose: no dashboard, no master key, no rescue button hidden under the founder’s desk. Open a question to read its answer; the longer doctrine lives in the architecture, threat-model, and audit chapters.

You don’t hold a separate cipher key. The four phrases are how the cipher key gets reconstructed — there is no complete key stored anywhere on this earth.

A single key is a single point of failure. Lose it, lose the vault. Get hacked, lose the vault. Get coerced, lose the vault. The four-of-seven threshold solves three problems at once:

  1. Loss survival. You can lose up to three shards — a trustee’s death, a basement fire, a cousin’s exile, a USB stick at the bottom of a drawer — and still recover. Seven exist so the four can come from anywhere.
  2. Coercion resistance. No single trustee can open the vault unilaterally. They would need to compel three others — and in AION’s doctrine, those others live in different sovereign jurisdictions.
  3. Mathematical opacity below threshold. Three shards reveal zero information about the secret. Not 3/7ths. Not a partial brute-force advantage. None. Every possible secret is equally likely to whoever holds three. That’s a property of Shamir over GF(2⁸), not a policy choice.

Nothing happens. With four-of-seven you can lose up to three shards and the vault still opens — death, dementia, lost USB sticks, broken phones, all anticipated and survivable.

Each shard alone looks like cryptographic noise. It isn’t a partial key; it’s a point on a polynomial whose curve only resolves when the fourth point arrives.

Short version: AION gives you redundancy, not magic. If one, two, or three shards are lost, the vault can still open. If five shards remain, you still have enough. If four trustees died but their envelopes are still in a safe, the envelopes count — the math cares about shards, not attendance. But if only three shards remain, or all seven are gone, AION cannot recover it. Not customer support, not the founder, not a server, not a clever argument.

That sounds strict, but it is the whole security promise. If AION had a secret rescue path for “all seven disappeared,” attackers would try to become that rescue path. So the honest answer is: losing all seven is not the product failing; it is the backup plan failing. The fix is boring and practical: yearly shard checks, replace trustees while you are alive, reseal after major life changes, and keep the encrypted Recovery Kit somewhere separate. AION can forgive messy humans up to three lost shards. It should not pretend math can recover everything after everything is gone.

The protocol survives the company. AION is built the way Bitcoin and Tor were built — as math anyone can run, not a service anyone has to keep running.

If AION goes away, your heir opens the vault three ways: with recovery.html (a self-contained file that runs in any browser, offline, with no AION server) — the Offline Recovery Folder they download at sealing time bundles it; with aion_unseal.py, a 461-line Python reference any system with cryptography can run; or by re-implementing the math from public, audited primitives — Shamir over GF(2⁸) and AES-256-GCM. None of these paths require AION to exist.

Because a dashboard is a map of what the company knows. AION should not know enough to draw that map.

A normal SaaS dashboard says: here are your records on our server. AION says the opposite: your vault is not our possession. You hold the Vault Packet, the Recovery Kit, and the envelopes. The company should not be able to list your secrets, count your vaults, or build a little museum of your private life.

So no generic /dashboard. No “recent vaults.” No profile picture beside your inheritance. That is not minimalism. That is the security model wearing a nice coat.

They do not pay because the math needs rent. The math is free to run. They pay when they want AION to do continuing work while they are not thinking about it.

Paid service will mean check-ins, trustee and heir coordination, encrypted blob mirroring, recovery-kit re-issuance, audit chain storage, support, and multi-jurisdiction custody — the continuity layer AION builds in Phase 3. The vault works without AION; the continuity service works because AION stays on watch.

Think less “Netflix for secrets” and more safe deposit box, registered agent, estate review, fire insurance. You do not open the safe every morning for entertainment. If you do, different problem.

Because AION is not trying to be the app where your legacy lives. It is trying to be the ceremony that creates artifacts your family can still use after the app is gone.

Casa, Vault12, Unchained, hardware-wallet backups, and password-manager emergency access are serious answers. The primitives are not the moat. Shamir is not magic dust. Dead-man switches are not rare. The difference AION is trying to own is this:

  • Casa and Unchained are credible Bitcoin inheritance and estate-support paths for people who want a guided service around multisig and institutional process.
  • Vault12 is a credible guardian-style inheritance path for people who want distributed backup and social recovery.
  • Hardware wallets are excellent for living holders, but a box and a PIN do not automatically teach a grieving heir what to do.
  • Password managers, including emergency access features such as Bitwarden’s, are good for everyday credentials, but they still make the account and service a major part of the recovery story.

Your heir should be able to open the vault even if the company, the server, the founder, and the login page have all disappeared.

AION wins only if that sentence is true in practice. If it is just branding, it deserves to lose.

No. A vault product should not behave like a slot machine in a velvet jacket.

The repeat loop is reassurance, not addiction: annual review, trustee drill, heir contact check, recovery-kit reprint, reseal after a major life event, and proof that someone else can open the vault without the company.

A good AION user does not visit every day. They seal carefully, test the recovery path, update it when life changes, and sleep better. The product should be memorable, not needy.

AION never sees your plaintext. Encryption happens in your browser; the cipher key is split locally; the seven shards live with seven holders not on AION servers. Even with full access to AION’s infrastructure, an attacker holds only ciphertexts.

To break those, they would need to compromise four of seven distinct trustees — in AION’s doctrine, across different sovereign jurisdictions — simultaneously, and convince a working AES-256-GCM implementation to give up authenticated bytes. That is not a hack. That is a coalition.

The seven are not all friends. They are seven independent places a shard can live. A trustee is a role, not always a person:

  • A sister, a lawyer, an oldest friend.
  • A safe deposit box at a bank in a different city.
  • An engraved steel plate welded inside a bookcase.
  • An emailed copy under a passphrase only your heir would know.
  • A copy you keep yourself, in a private drawer.

The math doesn’t see “people.” It sees seven distinct holders. Diversity of kind matters more than the social label.

Text (up to 64 KiB) and files (up to 32 MiB): byte-identical. AES-256-GCM authenticates the contents — if a single byte were altered along the way, the unseal fails rather than returning corrupted data.

Photos over 32 MiB: AION does not blur, resize, or recompress behind your back. Oversized photos open a lossless cropper: you choose the rectangle that fits, and every pixel inside that rectangle survives at original resolution. What you keep is exact. What you crop away is honestly not sealed.

Audio and video: an already-created file under 32 MiB is sealed byte-for-byte. AION does not record media in this flow and does not transcode it. Full voice and video vaults need their own consent, storage, and abuse policy before they ship.

AES-256 is post-quantum-conservative. Grover’s algorithm halves the effective key length, leaving 128 bits of security — still infeasible to brute-force on any silicon physics currently makes possible.

AION’s migration to CRYSTALS-Kyber (a lattice-based KEM) is locked for end of 2026. Math is one of seven layers; the others — geography, time, memory, trust, physical, sky — defeat different attacks. A quantum break against AES alone does not open the vault if the other six layers hold.

No. Sealing is cryptographically irreversible. You can seal a new vault, but the contents of an existing vault cannot be rewritten.

This is a property, not a limitation. It is what makes the seal hold against a future you being coerced, impersonated, or deepfaked into altering what was meant for an heir. The vault is a one-way door.

Two answers, both already shipped.

The Offline Recovery Folder. A single .zip you download at sealing time, containing the universal opener (recovery.html), the encrypted Vault Packet (vault-packet.json), and a plain-text instruction sheet that says, in so many words: open recovery.html, drop the packet, paste any four envelopes. It deliberately contains no shard keys. Designed to be printable.

The public recovery tool at sealedaion.com/recovery.html. A byte-identical HTML file for every vault. A copy from 2026 will open a vault sealed in 2055. Linked from the footer of every page on this site.