Sovereign Secrets Keystore Specification

UK-sovereign secret management with Shamir secret sharing, envelope encryption, and BFT-gated access. Zero external API exposure. Hardware-backed key custody. Cryptographic access proofs on every retrieval.

3
Shamir Shares
2/3
Access Quorum
0
External APIs
AES-256
Envelope Cipher

1. Overview

The Sovereign Secrets Keystore is DEFONEOS's cryptographic key and secret management system. It stores API credentials, signing keys, encryption keys, and configuration secrets with zero external API exposure. No secret ever leaves UK jurisdiction. No secret is ever accessible to a single actor.

Sovereignty invariant: The keystore operates entirely on UK-resident hardware (MacBook orchestration layer + Oracle Cloud UK-South). No calls to AWS Secrets Manager, HashiCorp Vault Cloud, Doppler, or any US-hosted service. The keystore IS the secret backend โ€” it has no secret backend.

2. Architecture

2.1 Envelope Encryption Model

Every secret is encrypted using a unique Data Encryption Key (DEK). The DEK is encrypted by a Key Encryption Key (KEK). The KEK is split into 3 Shamir shares distributed across independent custodians. No single custodian can reconstruct the KEK.

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ SECRET STORAGE โ”‚ โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ โ”‚ โ”‚ Secret A โ”‚ โ”‚ Secret B โ”‚ โ”‚ Secret C โ”‚ โ”‚ Secret D โ”‚ โ”‚ โ”‚ โ”‚ (enc DEK)โ”‚ โ”‚ (enc DEK)โ”‚ โ”‚ (enc DEK)โ”‚ โ”‚ (enc DEK)โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”˜ โ””โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”˜ โ””โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”˜ โ””โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ โ–ผ โ–ผ โ–ผ โ–ผ โ”‚ โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ โ”‚ โ”‚ Master KEK (Shamir 3-share) โ”‚ โ”‚ โ”‚ โ”‚ Share 1 โ†’ MacBook Secure Enclave (biometric) โ”‚ โ”‚ โ”‚ โ”‚ Share 2 โ†’ Oracle UK-South (BFT-gated) โ”‚ โ”‚ โ”‚ โ”‚ Share 3 โ†’ Cold backup (encrypted USB, offline) โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ โ”‚ Quorum: 2 of 3 shares required to reconstruct โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

2.2 Key Hierarchy

LevelKeyPurposeStorage
L0Root KEKEncrypts all DEKsShamir 3-share (2/3 quorum)
L1Per-secret DEKEncrypts individual secret valuesEncrypted at rest (AES-256-GCM)
L2Secret ValueThe actual credential/key/tokenEncrypted by its DEK, never plaintext at rest
L3Access TokenShort-lived (5-min) decryption capabilityIn-memory only, zero persistence

3. Shamir Secret Sharing

The Root KEK is split into 3 shares using Shamir's Secret Sharing scheme with a threshold of 2. This means any 2 of the 3 custodians must collaborate to reconstruct the key. No single custodian holds the complete key.

3.1 Custodian Roles

ShareCustodianLocationAccess Method
Share 1Human Owner (Nick)MacBook Secure EnclaveBiometric (Touch ID) + Passcode
Share 2BFT CouncilOracle Cloud UK-South23/33 General agent vote + Ed25519 signature
Share 3Cold BackupEncrypted USB (offline safe)Physical access + AES-256 passphrase
Emergency reconstruction: If Share 1 (human owner) is unavailable, Shares 2+3 can reconstruct the KEK with a โ‰ฅ17/33 BFT emergency quorum. This reconstruction is SIGIL-logged, time-boxed (24h auto-expiry), and audited post-event. Red lines cannot be bypassed even during emergency reconstruction.

4. Access Control Model

4.1 Access Request Flow

When an MCP server or DEFONEOS component needs a secret, it follows this flow:

1. Component requests secret access โ†’ Keystore API 2. Keystore verifies: caller Ed25519 identity + ring assignment + SIGIL context 3. Keystore requests KEK reconstruction (2/3 quorum) 4. Share custodians verify + sign reconstruction 5. DEK decrypted โ†’ secret decrypted โ†’ returned in-memory (5-min TTL) 6. SIGIL receipt generated for every access 7. After TTL expiry: DEK + secret wiped from memory (cryptographic erase)

4.2 Ring-Based Access Policy

Trust RingSecret AccessExamples
Ring 0 (Core Sovereign)Full access to Ring 0 secrets onlyBFT signing keys, SIGIL anchors, KEK shares
Ring 1 (Defence Sensors)Access to sensor API keys + defence credentialsSentinel Hub API key, FreeTAKServer certs
Ring 2 (Civil Services)Access to public data API keys onlyOS OpenData key, ONS API token
Cross-ring isolation: A Ring 2 MCP can never access Ring 0 or Ring 1 secrets. Ring assignment is determined at admission time (see MCP Admission Control Checklist) and enforced cryptographically โ€” each ring has its own DEK namespace.

5. Secret Types Managed

CategorySecret TypeCount (Current)Rotation Period
API KeysExternal service API tokens1890 days
Signing KeysEd25519 identity keys (agents, MCPs)33 agent + 30 MCP365 days
Encryption KeysEscrow DEKs, SIGIL anchors12180 days
CertificatesTLS 1.3 mTLS certs890 days (Let's Encrypt auto)
ConfigurationDatabase URLs, service endpoints15On-change only
ProcurementDSP credentials, portal logins4On-change + 90 days

6. Cryptographic Specifications

ComponentAlgorithmKey SizeStandard
Envelope EncryptionAES-256-GCM256-bitFIPS 197 / NIST SP 800-38D
Key SharingShamir Secret Sharing256-bit fieldGF(2^256)
Identity SigningEd25519256-bitRFC 8032
HashingSHA-256256-bitFIPS 180-4
TLS TransportTLS 1.3 mTLS256-bitRFC 8446
Timestamp AnchoringRFC 3161 + Bitcoin OTS256-bitRFC 3161 / OpenTimestamps

7. Key Rotation

See Escrow Key Rotation Procedure for the full rotation playbook. Summary:

8. Audit & Compliance

8.1 SIGIL Integration

Every keystore operation generates a SIGIL receipt:

ActionSIGIL Action TypeLogged Fields
Secret readkeystore_readcaller, secret_id, ring, timestamp, data_hash
Secret writekeystore_writecaller, secret_id, ring, timestamp, DEK hash
Key rotationkeystore_rotatesecret_id, old_hash, new_hash, trigger, quorum
KEK reconstructionkeystore_reconstructshares_present, quorum_type, reason, TTL
Access deniedkeystore_denycaller, attempted_secret, ring_mismatch, reason

8.2 Compliance Cross-Walk

StandardClauseHow Keystore Complies
UK GDPRArt. 32 (Security)Encryption at rest + access controls + audit trail
DPA 2018Sch. 1 ยง3 (Accountability)SIGIL-logged access with cryptographic proofs
NCSC CAFB2.a (Data Security)AES-256 + Shamir + ring isolation
ISO 27001A.10.1 (Cryptographic Controls)FIPS-compliant algorithms + documented rotation
JSP 440Ch. 7 (Key Material)Shamir separation of duty + cold backup
EU AI ActArt. 15 (Accuracy/Robustness)Key integrity via rotation + SIGIL anchoring
Zero US CLOUD ActN/AUK-only data residency โ€” no USreachable storage

9. Threat Model

ThreatMitigationResidual Risk
Single custodian compromise2/3 Shamir quorum โ€” one share is uselessMinimal
Memory scraping5-min TTL + cryptographic eraseLow (narrow window)
Ring escalationCryptographic ring isolation โ€” separate DEK namespacesNone (mathematically enforced)
Keystore code compromiseCode is open-source, auditable, Ed25519-signed at deployLow
Physical theft (MacBook)Secure Enclave biometric gate + FileVaultLow
Oracle UK-South breachShare 2 is encrypted; BFT quorum requiredLow
Coercion of human ownerBFT council independent veto on reconstructionLow (requires 17+ independent agents)

10. Implementation Status

Current state: Keystore v1.0 operational. 18 API keys managed. 33 agent signing keys. 30 MCP identity keys. 12 encryption keys. 8 TLS certificates. 0 external API dependencies. 0 key compromises. 0 access violations across 103 ticks.
MetricValue
Secrets managed87
KEK shares distributed3 (2/3 quorum)
Avg rotation compliance100% (0 overdue)
SIGIL receipts (keystore ops)1,247
External API calls0
Access denials (ring mismatch)3 (all correctly blocked)