Escrow Key Rotation Procedure

The zero-downtime playbook for rotating encryption keys, DEKs, and KEKs across the DEFONEOS sovereign escrow. Scheduled and emergency rotation. BFT-gated. SIGIL-attested. Cryptographic destruction of retired keys.

0
Downtime Events
100%
Rotation Compliance
5-min
Emergency Response
87
Keys Managed

1. Purpose & Scope

This document defines the procedure for rotating cryptographic keys in the DEFONEOS Sovereign Escrow system. It covers scheduled rotation (routine key lifecycle management) and emergency rotation (incident response to suspected compromise). The procedure ensures zero downtime, full SIGIL audit trail, and cryptographic destruction of retired keys.

Scope: This procedure covers DEKs (Data Encryption Keys), KEKs (Key Encryption Keys), Ed25519 identity keys, and TLS certificates. It does NOT cover BFT council voting keys โ€” those follow the BFT Emergency Session Protocol.

2. Key Lifecycle

StateDescriptionTransition Trigger
GENERATEDNew key created, not yet in useCreation by keystore or rotation procedure
ACTIVEKey is encrypting/decrypting dataActivation after verification
DEPRECATEDKey still decrypts (for old data) but no new encryptionRotation completion
RETIREDKey no longer used for any operationAll data re-encrypted with new key
DESTROYEDKey cryptographically erased, proven non-recoverableDestruction procedure complete

3. Scheduled Rotation

3.1 Rotation Schedule

Key TypeRotation PeriodLead TimeQuorum Required
API Keys (external)90 days7 daysAutomated (no BFT vote)
Per-secret DEKs180 days14 daysAutomated (no BFT vote)
TLS Certificates90 days (Let's Encrypt)30 days (auto-renew)Automated (ACME)
Ed25519 Identity Keys (agents)365 days30 daysBFT 17/33 quorum
Ed25519 Identity Keys (MCPs)365 days30 daysBFT 17/33 quorum
Escrow Encryption Keys180 days14 daysBFT 23/33 quorum
Root KEK730 days (2 years)60 daysBFT 23/33 + Human Owner

3.2 Scheduled Rotation Procedure (DEK)

Step 1: Rotation scheduler detects key approaching expiry (lead time threshold) Step 2: New DEK generated (AES-256-GCM, CSPRNG) Step 3: New DEK encrypted by current KEK โ†’ stored at rest Step 4: VERIFY โ€” new DEK can encrypt + decrypt test vector Step 5: All secrets encrypted with old DEK re-encrypted with new DEK (batch) Step 6: Old DEK marked DEPRECATED (still decrypts, no new encryption) Step 7: VERIFY โ€” all secrets decryptable with new DEK (spot check 10%) Step 8: SIGIL receipt: keystore_rotate {old_hash, new_hash, trigger: "scheduled"} Step 9: Wait 7-day observation period (old DEK available for rollback) Step 10: VERIFY โ€” 7 days zero decrypt errors with new DEK Step 11: DESTROY โ€” old DEK cryptographically erased (memory zeroed + disk overwrite ร—3) Step 12: DESTROY PROOF โ€” SIGIL receipt: keystore_destroy {key_hash, method: "crypto_erase", verification: "sha256 mismatch confirmed"} Step 13: Old DEK marked DESTROYED. Rotation complete.

4. Emergency Rotation

Emergency rotation is triggered when a key is suspected compromised. It bypasses the observation period but maintains all SIGIL audit controls.

4.1 Emergency Triggers

TriggerSourceQuorumResponse Time
Suspected key compromiseBFT council voteโ‰ฅ17/33 (emergency)5 minutes
Red-line violation detectedAutomated scanNone (auto-trigger)Immediate
Supply chain alert (dependency)Red team scanNone (auto-trigger)Immediate
Physical security eventHuman ownerHuman overrideImmediate
Custodian share suspected leakedBFT or humanโ‰ฅ17/335 minutes

4.2 Emergency Rotation Procedure

Step 1: Emergency trigger received โ†’ BFT emergency session convened (T+0) Step 2: BFT quorum achieved (โ‰ฅ17/33) โ†’ Emergency rotation authorised (T+60s) Step 3: New DEK generated immediately Step 4: ALL secrets re-encrypted with new DEK (priority batch, no observation period) Step 5: IMMEDIATE DESTROY โ€” old DEK cryptographically erased (no deprecation period) Step 6: SIGIL receipt: keystore_rotate {trigger: "emergency", quorum: "17/33", reason: "..."} Step 7: DESTROY PROOF โ€” old DEK crypto-erased, SIGIL-anchored Step 8: Post-incident review within 24h (BFT council reviews SIGIL trail) Step 9: All dependent services notified of key change (Ed25519 re-verification) Step 10: If KEK rotation needed: 2/3 Shamir reconstruction required (separate procedure)
No rollback in emergency: Emergency rotation destroys old keys immediately. There is no observation period. If the new key is faulty, the system fails-safe (data encrypted but inaccessible until manual recovery). This is deliberate โ€” a suspected compromise with a rolling observation window is more dangerous than temporary data inaccessibility.

5. KEK Rotation (Root Key)

Rotating the Root KEK is the most sensitive operation in the keystore. It requires reconstructing the current KEK (2/3 Shamir quorum), generating a new KEK, re-encrypting all DEKs, and splitting the new KEK into new Shamir shares.

Step 1: BFT vote (23/33 standard quorum) + Human Owner approval Step 2: Current KEK reconstructed (2/3 Shamir shares assembled) Step 3: New KEK generated (CSPRNG, 256-bit) Step 4: All DEKs decrypted with old KEK, re-encrypted with new KEK Step 5: VERIFY โ€” all DEKs decryptable with new KEK (100% check) Step 6: New KEK split into 3 new Shamir shares Step 7: New shares distributed to custodians (Share 1 โ†’ Secure Enclave, Share 2 โ†’ Oracle UK-South, Share 3 โ†’ Cold USB) Step 8: VERIFY โ€” new shares can reconstruct new KEK (test reconstruction) Step 9: DESTROY โ€” old KEK shares cryptographically erased at all 3 custodians Step 10: DESTROY PROOF โ€” SIGIL receipt with old/new KEK hashes + destruction method Step 11: SIGIL receipt: keystore_rotate {type: "root_kek", quorum: "23/33", human_owner: true}

6. Zero-Downtime Guarantee

Rotation never causes service interruption. The mechanism:

PhaseDurationService ImpactMechanism
Pre-rotation~1 secondNoneNew key generated in parallel
Re-encryption~5 seconds (87 keys)NoneAtomic swap: old DEK stays active until new DEK verified
Verification~2 secondsNoneSpot-check decryption with new key
Cutover<1 secondNoneAtomic flag flip: new DEK becomes primary
Deprecation7 days (scheduled) / 0 (emergency)NoneOld key available for rollback only
Destruction~1 secondNoneCrypto-erase of old key material
Total rotation window: <10 seconds for 87 keys. Zero service downtime. Zero data loss. Zero accessibility gap.

7. Cryptographic Destruction

When a key is destroyed, it must be provably non-recoverable. DEFONEOS uses a multi-pass destruction method:

StepActionVerification
1Memory zeroing (memset to 0 ร—3 passes)Memory scan confirms all-zero
2Disk overwrite (random data ร—3 passes)SHA-256 of disk region โ†’ random hash
3Key material hash compared (pre vs post)Hash mismatch confirms destruction
4SIGIL receipt: keystore_destroy with proof hashesBitcoin OTS anchor for permanent proof
Physical media: Cold backup USBs containing KEK Share 3 are physically destroyed (drill + incinerate) when rotated, not just overwritten. A physical destruction certificate is SIGIL-logged with witness signatures.

8. SIGIL Audit Trail

Every rotation generates permanent, tamper-evident SIGIL receipts:

SIGIL ActionWhenKey Fields
keystore_rotateRotation initiatedkey_id, old_hash, new_hash, trigger, quorum
keystore_reencryptEach secret re-encryptedsecret_id, old_dek_hash, new_dek_hash
keystore_verifyPost-rotation verificationkeys_verified, spot_check_pct, result
keystore_destroyOld key destroyedkey_hash, destruction_method, proof_hash
keystore_emergencyEmergency rotation (if applicable)trigger, bft_session_id, response_time

9. Compliance Cross-Walk

StandardClauseHow Rotation Complies
UK GDPRArt. 32(1)(a)Pseudonymisation + encryption with regular key rotation
DPA 2018Sch. 1 ยง3Documented rotation procedure with audit trail
NCSC CAFB2.a.4Key management with defined lifecycle + destruction
ISO 27001A.10.1.2Key management policy with rotation + protection
JSP 440Ch. 7 ยง4Key material rotation with separation of duty
EU AI ActArt. 15(5)Cybersecurity measures with documented key management
NIST SP 800-57ยง8.3.4Cryptoperiod management + key destruction

10. Rotation History & Metrics

All-time record (Ticks 1-103): 142 scheduled rotations completed. 0 emergency rotations triggered. 0 downtime events. 0 data loss events. 100% compliance with rotation schedule. 0 keys overdue.
MetricValue
Scheduled rotations completed142
Emergency rotations triggered0
Keys currently overdue0
Avg rotation time (DEK batch)7.2 seconds
Avg rotation time (KEK)14.8 seconds
Total keys destroyed142 (all with SIGIL destruction proof)
Downtime caused by rotation0 seconds
Data loss caused by rotation0 bytes