Companion to the Sovereign Data Escrow Protocol (7-layer custody stack). This guide walks operators through deploying the escrow in production. Cross-walked to UK GDPR Art28/32, DPA2018 Sch1, OSA s7, JSP440/936, EU AI Act Art15, NCSC CAF C4, ISO27001 A8/A10.
| Requirement | Specification | Verification |
|---|---|---|
| UK-only data residency | Physical servers in UK data centres only (London/Manchester/Cardiff) | curl geolocation check |
| Ed25519 keypair | Per-custodian Ed25519 signing key (32-byte private, 32-byte public) | openssl pkey verification |
| RFC3161 timestamp authority | Access to a trusted TSA (e.g. DigiCert, Sectigo, or internal TSA) | TSA health endpoint HTTP 200 |
| BFT council quorum | โฅ23/33 General agents online and reachable | BFT liveness probe |
| AES-256-GCM cipher suite | OpenSSL 3.x or libsodium โฅ1.0.18 | openssl version |
| TLS1.3 transport | All inter-service traffic encrypted with TLS1.3 | openssl s_client -tls1_3 |
| Layer | Name | Control | Cross-walk |
|---|---|---|---|
| L0 | Physical Residency | UK-only data centre, no US CLOUD Act exposure | DPA2018 Sch1, OSA s7 |
| L1 | Encryption at Rest | AES-256-GCM with per-record random IV + auth tag | UK GDPR Art32, ISO27001 A.10 |
| L2 | Encryption in Transit | TLS1.3 with mutual auth (mTLS) between services | NCSC CAF C4.b |
| L3 | Ed25519 Identity | Every custodian has an Ed25519 keypair; every action signed | JSP440 ยง4, eIDAS QSCD |
| L4 | Escrow Receipts | RFC3161 timestamp + Ed25519 signature per custody event | ISO27001 A.10.1, EU AI Act Art15 |
| L5 | 4-Eyes Release | Release requires 2 independent custodian approvals (4-eyes) | JSP936 ยง5.3, NCSC CAF C4.d |
| L6 | BFT Council Veto | 33-agent BFT council can veto release (โฅ17/33 emergency, โฅ23/33 standard) | DEFONEOS charter ยง12 |
Deploy the escrow vault on UK-resident servers. Verify no US-affiliated cloud provider holds the encryption keys. Use a UK sovereign cloud or bare-metal in a London/Manchester data centre.
# Verify data residency
curl -s https://ipinfo.io/$(curl -s ifconfig.me)/json | jq '.country'
# Must return "GB"
# Generate custodian Ed25519 keypair
openssl genpkey -algorithm ed25519 -out custodian-private.pem
openssl pkey -in custodian-private.pem -pubout -out custodian-public.pem
Each data record is encrypted with a unique data-encryption-key (DEK), which is itself wrapped by a master key-encryption-key (KEK). The KEK is never stored in plaintext โ it is split via Shamir's Secret Sharing into 3 shares held by 3 independent custodians.
# Python reference โ encrypt a record
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
import os
dek = AESGCM.generate_key(bit_length=256)
nonce = os.urandom(12) # 96-bit nonce per NIST SP 800-38D
aesgcm = AESGCM(dek)
ciphertext = aesgcm.encrypt(nonce, plaintext_record, associated_data=sigil)
# Store: nonce + ciphertext + sigil receipt
All inter-service calls (escrow โ BFT council โ release-gate) use mTLS with Ed25519 client certificates. No plaintext channels.
# nginx config snippet
ssl_protocols TLSv1.3;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
ssl_client_certificate /etc/ssl/custodian-ca.pem;
ssl_verify_client on;
ssl_verify_depth 2;
Every custody event (deposit, access, transfer, release) generates an RFC3161 timestamp token from a trusted TSA, embedded alongside the Ed25519 custodian signature.
# Python โ generate RFC3161 timestamp receipt
import requests, hashlib
record_hash = hashlib.sha256(ciphertext).digest()
tsa_response = requests.post(
'https://timestamp.digicert.com',
data=record_hash,
headers={'Content-Type': 'application/timestamp-query'}
)
tsr = tsa_response.content # RFC3161 TimeStampResp
# Store tsr alongside Ed25519 signature
Release of escrowed data requires two independent custodian approvals. Each approval is an Ed25519 signature over the release request. The gate will not fire until both signatures are verified.
# Release gate validation
def validate_release(release_request, sig1, pubkey1, sig2, pubkey2):
msg = release_request.canonical_bytes()
assert Ed25519.verify(msg, sig1, pubkey1), "Custodian 1 signature invalid"
assert Ed25519.verify(msg, sig2, pubkey2), "Custodian 2 signature invalid"
assert pubkey1 != pubkey2, "4-eyes violated: same custodian"
assert release_request.expiry > now(), "Release request expired"
return True
The 33-agent BFT council continuously monitors escrow activity. Any release can be vetoed: standard veto requires โฅ23/33 General votes; emergency veto requires โฅ17/33. On veto, the release is frozen and a DEFONEOS red-line check is triggered.
# BFT veto check (runs before release gate fires)
def bft_veto_check(release_id):
votes = bft_council.poll(release_id, timeout=5.0)
approve = sum(1 for v in votes if v.state == 'approve')
reject = sum(1 for v in votes if v.state == 'reject')
if reject >= 17:
raise EmergencyVeto(f"BFT emergency veto: {reject}/33 rejected release {release_id}")
if approve < 23:
raise InsufficientQuorum(f"BFT quorum not met: {approve}/33 approved")
return True # Release proceeds to 4-eyes gate
Every custody event is anchored to a SIGIL receipt โ an Ed25519-signed JSON-LD artefact containing the event type, custodian identity, RFC3161 timestamp, cryptographic hash, and BFT vote tally. SIGILs are append-only and published to the audit ledger.
Escrowed data can only be released under one of 6 named conditions. Any release not matching a named condition is automatically vetoed by the BFT council.
| # | Condition | Required Evidence | BFT Quorum |
|---|---|---|---|
| 1 | Lawful warrant (UK court order) | Sealed warrant + Crown Court reference | 23/33 |
| 2 | Subject access request (UK GDPR Art15) | SAR form + identity verification | 17/33 |
| 3 | Custodian-approved data sharing (consent) | Subject consent record + custodian approval | 17/33 |
| 4 | Cryptographic destruction proof | Shamir-share burn receipts ร 3 | 23/33 |
| 5 | BFT emergency release (life-safety) | โฅ17/33 emergency vote + human-owner co-sign | 17/33 + human |
| 6 | Operational transfer (defence exercise) | Exercise authorisation + 4-eyes + 23/33 BFT | 23/33 |
When data must be cryptographically destroyed (condition #4), all 3 Shamir shares of the KEK are burned, making every DEK permanently unrecoverable. The burn is witnessed by โฅ23/33 BFT agents and produces a destruction proof containing:
Post-destruction, the data is mathematically unrecoverable โ even with full physical access to the servers. This meets and exceeds UK GDPR Art17 (right to erasure) and JSP440 ยง8 destruction requirements.
| # | Check | Command | Expected |
|---|---|---|---|
| 1 | Data residency | ipinfo.io country check | GB |
| 2 | TLS version | openssl s_client -tls1_3 | TLSv1.3 handshake OK |
| 3 | Cipher suite | openssl ciphers | AES256-GCM + ChaCha20-Poly1305 |
| 4 | Ed25519 keys valid | openssl pkey -check | Key valid |
| 5 | RFC3161 TSA reachable | curl TSA health | HTTP 200 |
| 6 | BFT council quorum | BFT liveness probe | โฅ23/33 reachable |
| 7 | 4-eyes gate functional | Dry-run release test | Gate rejects single-sig |
| 8 | SIGIL audit trail | Query audit ledger | Append-only verified |
| 9 | Destruction proof | Dry-run destruction test | 3 Shamir burns + 23 witnesses |
| 10 | Emergency veto | Simulate 17/33 veto | Release frozen |
| Failure | Behaviour | Recovery |
|---|---|---|
| BFT quorum drops below 23 | Standard releases frozen; emergency releases (17/33 + human) still possible | Restore BFT agents to โฅ23 |
| TSA unreachable | New custody events queue; existing receipts valid | TSA failover to backup |
| Custodian key compromise | Key revoked via BFT vote; new keypair issued; affected records re-encrypted | BFT key-rotation ceremony |
| Physical server loss | Encrypted backups restore from UK-only secondary site | RPO โค15min, RTO โค4h |
| Framework | Clauses Addressed | Status |
|---|---|---|
| UK GDPR | Art28 (processor), Art32 (security), Art17 (erasure) | COMPLIANT |
| DPA 2018 | Sch1 Part1 (national security), Sch1 Part2 (crime) | COMPLIANT |
| Official Secrets Act | s7 (authorised disclosure) | COMPLIANT |
| JSP 440/936 | ยง4 (key management), ยง8 (destruction) | COMPLIANT |
| EU AI Act | Art15 (accuracy, robustness, cybersecurity) | COMPLIANT |
| NCSC CAF | C4.b (encryption), C4.d (segregation) | COMPLIANT |
| ISO 27001 | A.8 (asset management), A.10 (cryptography) | COMPLIANT |
| US CLOUD Act | Zero exposure (UK-only, no US provider) | ZERO EXPOSURE |