๐Ÿ” DEFONEOS Sovereign Data Escrow โ€” Deployment Guide

Companion to the Sovereign Data Escrow Protocol (7-layer custody stack). This guide walks operators through deploying the escrow in production. Cross-walked to UK GDPR Art28/32, DPA2018 Sch1, OSA s7, JSP440/936, EU AI Act Art15, NCSC CAF C4, ISO27001 A8/A10.

๐Ÿ“‹ Prerequisites

RequirementSpecificationVerification
UK-only data residencyPhysical servers in UK data centres only (London/Manchester/Cardiff)curl geolocation check
Ed25519 keypairPer-custodian Ed25519 signing key (32-byte private, 32-byte public)openssl pkey verification
RFC3161 timestamp authorityAccess to a trusted TSA (e.g. DigiCert, Sectigo, or internal TSA)TSA health endpoint HTTP 200
BFT council quorumโ‰ฅ23/33 General agents online and reachableBFT liveness probe
AES-256-GCM cipher suiteOpenSSL 3.x or libsodium โ‰ฅ1.0.18openssl version
TLS1.3 transportAll inter-service traffic encrypted with TLS1.3openssl s_client -tls1_3

๐Ÿ—๏ธ The 7-Layer Custody Stack

LayerNameControlCross-walk
L0Physical ResidencyUK-only data centre, no US CLOUD Act exposureDPA2018 Sch1, OSA s7
L1Encryption at RestAES-256-GCM with per-record random IV + auth tagUK GDPR Art32, ISO27001 A.10
L2Encryption in TransitTLS1.3 with mutual auth (mTLS) between servicesNCSC CAF C4.b
L3Ed25519 IdentityEvery custodian has an Ed25519 keypair; every action signedJSP440 ยง4, eIDAS QSCD
L4Escrow ReceiptsRFC3161 timestamp + Ed25519 signature per custody eventISO27001 A.10.1, EU AI Act Art15
L54-Eyes ReleaseRelease requires 2 independent custodian approvals (4-eyes)JSP936 ยง5.3, NCSC CAF C4.d
L6BFT Council Veto33-agent BFT council can veto release (โ‰ฅ17/33 emergency, โ‰ฅ23/33 standard)DEFONEOS charter ยง12

๐Ÿš€ Deployment โ€” Step by Step

1Provision UK-only infrastructure

Deploy the escrow vault on UK-resident servers. Verify no US-affiliated cloud provider holds the encryption keys. Use a UK sovereign cloud or bare-metal in a London/Manchester data centre.

# Verify data residency
curl -s https://ipinfo.io/$(curl -s ifconfig.me)/json | jq '.country'
# Must return "GB"

# Generate custodian Ed25519 keypair
openssl genpkey -algorithm ed25519 -out custodian-private.pem
openssl pkey -in custodian-private.pem -pubout -out custodian-public.pem
2Configure AES-256-GCM at-rest encryption

Each data record is encrypted with a unique data-encryption-key (DEK), which is itself wrapped by a master key-encryption-key (KEK). The KEK is never stored in plaintext โ€” it is split via Shamir's Secret Sharing into 3 shares held by 3 independent custodians.

# Python reference โ€” encrypt a record
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
import os

dek = AESGCM.generate_key(bit_length=256)
nonce = os.urandom(12)  # 96-bit nonce per NIST SP 800-38D
aesgcm = AESGCM(dek)
ciphertext = aesgcm.encrypt(nonce, plaintext_record, associated_data=sigil)
# Store: nonce + ciphertext + sigil receipt
3Wire TLS1.3 mutual authentication

All inter-service calls (escrow โ†” BFT council โ†” release-gate) use mTLS with Ed25519 client certificates. No plaintext channels.

# nginx config snippet
ssl_protocols TLSv1.3;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
ssl_client_certificate /etc/ssl/custodian-ca.pem;
ssl_verify_client on;
ssl_verify_depth 2;
4Configure RFC3161 timestamp receipts

Every custody event (deposit, access, transfer, release) generates an RFC3161 timestamp token from a trusted TSA, embedded alongside the Ed25519 custodian signature.

# Python โ€” generate RFC3161 timestamp receipt
import requests, hashlib

record_hash = hashlib.sha256(ciphertext).digest()
tsa_response = requests.post(
    'https://timestamp.digicert.com',
    data=record_hash,
    headers={'Content-Type': 'application/timestamp-query'}
)
tsr = tsa_response.content  # RFC3161 TimeStampResp
# Store tsr alongside Ed25519 signature
5Deploy the 4-eyes release gate

Release of escrowed data requires two independent custodian approvals. Each approval is an Ed25519 signature over the release request. The gate will not fire until both signatures are verified.

# Release gate validation
def validate_release(release_request, sig1, pubkey1, sig2, pubkey2):
    msg = release_request.canonical_bytes()
    assert Ed25519.verify(msg, sig1, pubkey1), "Custodian 1 signature invalid"
    assert Ed25519.verify(msg, sig2, pubkey2), "Custodian 2 signature invalid"
    assert pubkey1 != pubkey2, "4-eyes violated: same custodian"
    assert release_request.expiry > now(), "Release request expired"
    return True
6Wire the BFT council veto (Layer 6)

The 33-agent BFT council continuously monitors escrow activity. Any release can be vetoed: standard veto requires โ‰ฅ23/33 General votes; emergency veto requires โ‰ฅ17/33. On veto, the release is frozen and a DEFONEOS red-line check is triggered.

# BFT veto check (runs before release gate fires)
def bft_veto_check(release_id):
    votes = bft_council.poll(release_id, timeout=5.0)
    approve = sum(1 for v in votes if v.state == 'approve')
    reject = sum(1 for v in votes if v.state == 'reject')
    if reject >= 17:
        raise EmergencyVeto(f"BFT emergency veto: {reject}/33 rejected release {release_id}")
    if approve < 23:
        raise InsufficientQuorum(f"BFT quorum not met: {approve}/33 approved")
    return True  # Release proceeds to 4-eyes gate
7Generate SIGIL-anchored audit trail

Every custody event is anchored to a SIGIL receipt โ€” an Ed25519-signed JSON-LD artefact containing the event type, custodian identity, RFC3161 timestamp, cryptographic hash, and BFT vote tally. SIGILs are append-only and published to the audit ledger.

๐Ÿ”“ Named Release Conditions

Escrowed data can only be released under one of 6 named conditions. Any release not matching a named condition is automatically vetoed by the BFT council.

#ConditionRequired EvidenceBFT Quorum
1Lawful warrant (UK court order)Sealed warrant + Crown Court reference23/33
2Subject access request (UK GDPR Art15)SAR form + identity verification17/33
3Custodian-approved data sharing (consent)Subject consent record + custodian approval17/33
4Cryptographic destruction proofShamir-share burn receipts ร— 323/33
5BFT emergency release (life-safety)โ‰ฅ17/33 emergency vote + human-owner co-sign17/33 + human
6Operational transfer (defence exercise)Exercise authorisation + 4-eyes + 23/33 BFT23/33

๐Ÿ›ก๏ธ Cryptographic Destruction

When data must be cryptographically destroyed (condition #4), all 3 Shamir shares of the KEK are burned, making every DEK permanently unrecoverable. The burn is witnessed by โ‰ฅ23/33 BFT agents and produces a destruction proof containing:

Post-destruction, the data is mathematically unrecoverable โ€” even with full physical access to the servers. This meets and exceeds UK GDPR Art17 (right to erasure) and JSP440 ยง8 destruction requirements.

๐Ÿ“Š Verification Checklist

#CheckCommandExpected
1Data residencyipinfo.io country checkGB
2TLS versionopenssl s_client -tls1_3TLSv1.3 handshake OK
3Cipher suiteopenssl ciphersAES256-GCM + ChaCha20-Poly1305
4Ed25519 keys validopenssl pkey -checkKey valid
5RFC3161 TSA reachablecurl TSA healthHTTP 200
6BFT council quorumBFT liveness probeโ‰ฅ23/33 reachable
74-eyes gate functionalDry-run release testGate rejects single-sig
8SIGIL audit trailQuery audit ledgerAppend-only verified
9Destruction proofDry-run destruction test3 Shamir burns + 23 witnesses
10Emergency vetoSimulate 17/33 vetoRelease frozen

๐Ÿ”„ Failover & Degradation

FailureBehaviourRecovery
BFT quorum drops below 23Standard releases frozen; emergency releases (17/33 + human) still possibleRestore BFT agents to โ‰ฅ23
TSA unreachableNew custody events queue; existing receipts validTSA failover to backup
Custodian key compromiseKey revoked via BFT vote; new keypair issued; affected records re-encryptedBFT key-rotation ceremony
Physical server lossEncrypted backups restore from UK-only secondary siteRPO โ‰ค15min, RTO โ‰ค4h

๐Ÿ“œ Compliance Cross-Walk Summary

FrameworkClauses AddressedStatus
UK GDPRArt28 (processor), Art32 (security), Art17 (erasure)COMPLIANT
DPA 2018Sch1 Part1 (national security), Sch1 Part2 (crime)COMPLIANT
Official Secrets Acts7 (authorised disclosure)COMPLIANT
JSP 440/936ยง4 (key management), ยง8 (destruction)COMPLIANT
EU AI ActArt15 (accuracy, robustness, cybersecurity)COMPLIANT
NCSC CAFC4.b (encryption), C4.d (segregation)COMPLIANT
ISO 27001A.8 (asset management), A.10 (cryptography)COMPLIANT
US CLOUD ActZero exposure (UK-only, no US provider)ZERO EXPOSURE