Root of Trust
The root of trust establishes the foundation for all cryptographic operations.
Root key
The root key is the top of the key hierarchy:
- Generated in HSM during initialization
- Never exported from HSM
- Used only to wrap Tenant Master Keys
Initialization ceremony
Root key creation follows a ceremony:
- Quorum assembly: Required custodians present
- HSM initialization: Fresh HSM cluster
- Key generation: Root key created in HSM
- Backup: Encrypted backup with split keys
- Verification: Test wrap/unwrap operations
- Audit: Ceremony documented and signed
Key custodians
- Minimum 3 custodians required
- M-of-N threshold for recovery
- Geographic distribution
- Regular attestation
Recovery
If the HSM fails:
- Provision new HSM cluster
- Assemble custodian quorum
- Restore root key from backup
- Verify operations
- Resume service
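The M-of-N custodian threshold above and the "restore root key from backup" step both rest on the same mechanism: a backup secret split so that any M of N shares recover it and fewer than M reveal nothing. As an added example, not taken from this document or from any particular HSM vendor's tooling, here is that mechanism implemented as Shamir secret sharing over a prime field; the field prime, the 3-of-5 parameters in the drill, and the treatment of the backup key as a 32-byte value are all assumptions.

```python
"""Shamir M-of-N sharing for a root-key backup secret.
Added example; PRIME, the share count and the threshold are assumptions."""
import secrets
from typing import List, Tuple

# 2^521 - 1 is prime and comfortably holds a 256-bit key as a field element.
PRIME = 2**521 - 1

Share = Tuple[int, int]  # (x, f(x)) evaluation of the sharing polynomial


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Share]:
    """Make `secret` the constant term of a random degree-(threshold-1)
    polynomial and hand each custodian one evaluation at x = 1..shares."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares: List[Share], length: int) -> bytes:
    """Lagrange-interpolate f(0) from the supplied shares.
    With fewer than `threshold` distinct shares the result is a uniformly
    random field element, which is the guarantee the quorum relies on."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # A wrong (below-threshold) recovery may exceed `length` bytes; widen rather than raise.
    return total.to_bytes(max(length, (total.bit_length() + 7) // 8), "big")


def quorum_recovers(secret: bytes, threshold: int, custodians: int) -> bool:
    """Ceremony verification drill: split, gather exactly `threshold`
    randomly chosen custodians, and confirm the restored key matches."""
    shares = split_secret(secret, threshold, custodians)
    chosen = secrets.SystemRandom().sample(shares, threshold)
    return recover_secret(chosen, len(secret)) == secret


def below_threshold_fails(secret: bytes, threshold: int, custodians: int) -> bool:
    """One custodian short of quorum must not yield the backup secret."""
    shares = split_secret(secret, threshold, custodians)
    return recover_secret(shares[: threshold - 1], len(secret)) != secret


if __name__ == "__main__":
    backup_key = secrets.token_bytes(32)  # constructed stand-in for the backup secret
    print("3-of-5 quorum recovers:", quorum_recovers(backup_key, 3, 5))
    print("2 shares fail:", below_threshold_fails(backup_key, 3, 5))
```

In practice the value being shared is the key that encrypts the HSM backup blob, not the root key itself, so the blob can sit in ordinary storage while the custodians hold the only route to opening it; the recovery drill in `quorum_recovers` is the kind of check the ceremony's verification step should exercise before the cluster is declared operational.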
Attestation
The root of trust is verified via:
- HSM attestation reports
- Firmware version verification
- Tamper-evident seals
- Audit logs
Security properties
- Root key never in software
- Hardware-enforced access controls
- Tamper-resistant storage
- Cryptographic binding to HSM identity
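The attestation checks listed above (report, firmware version) and the "cryptographic binding to HSM identity" property come together at one decision point: whether a freshly provisioned or recovered cluster may be trusted with the root key. As an added example, not part of this page and not any vendor's attestation format, the verifier below authenticates a report, then checks nonce freshness, the HSM identity it is bound to, and an approved-firmware list. Real HSMs sign reports with a device certificate chain; this sketch stands in an HMAC under an assumed verification key, and the report field names (`hsm_id`, `firmware`, `nonce`, `tamper_flags`) and firmware versions are constructed.

```python
"""Verify a constructed HSM attestation report before trusting a cluster.
Added example: HMAC replaces the device certificate signature, and all field
names, versions and identifiers are assumptions."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Set

# Constructed allowlist of firmware builds approved at the ceremony.
APPROVED_FIRMWARE: Set[str] = {"7.0.3", "7.2.0"}


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def canonical(report: Dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(report: Dict, key: bytes) -> Dict:
    """Stand-in for the HSM emitting a signed attestation report."""
    sig = hmac.new(key, canonical(report), hashlib.sha256).hexdigest()
    return {"report": report, "signature": sig}


def verify_report(signed: Dict, key: bytes, nonce: str, hsm_id: str) -> Verdict:
    """Authenticate first, then judge only authenticated claims."""
    report = signed.get("report", {})
    try:
        sig = bytes.fromhex(signed.get("signature", ""))
    except ValueError:
        return Verdict(False, "malformed signature")
    expected = hmac.new(key, canonical(report), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return Verdict(False, "signature does not verify")
    if report.get("nonce") != nonce:
        return Verdict(False, "nonce mismatch: stale or replayed report")
    if report.get("hsm_id") != hsm_id:
        return Verdict(False, "report bound to a different HSM identity")
    if report.get("firmware") not in APPROVED_FIRMWARE:
        return Verdict(False, f"firmware {report.get('firmware')!r} not approved")
    if report.get("tamper_flags", 1) != 0:  # absent flag field is treated as tampered
        return Verdict(False, "tamper flags set")
    return Verdict(True, "attested")


def attestation_drill() -> Dict[str, Verdict]:
    """Run the verifier over one good report and four constructed bad cases."""
    key = b"constructed-attestation-verification-key"
    nonce = secrets.token_hex(16)
    good = {"hsm_id": "hsm-cluster-a-01", "firmware": "7.2.0",
            "nonce": nonce, "tamper_flags": 0}
    results = {"good": verify_report(sign_report(good, key), key, nonce, good["hsm_id"])}

    # Report body altered after signing: the signature no longer covers it.
    edited = sign_report(good, key)
    edited["report"] = dict(good, firmware="0.0.1-unapproved")
    results["edited_after_signing"] = verify_report(edited, key, nonce, good["hsm_id"])

    # Genuine report presented again against a new challenge nonce.
    results["replayed"] = verify_report(sign_report(good, key), key,
                                        secrets.token_hex(16), good["hsm_id"])

    # Genuine report, but from a device other than the one being provisioned.
    results["wrong_hsm"] = verify_report(sign_report(good, key), key, nonce,
                                         "hsm-cluster-b-07")

    # Properly signed report of a firmware build not on the allowlist.
    old = dict(good, firmware="6.1.0")
    results["old_firmware"] = verify_report(sign_report(old, key), key, nonce, good["hsm_id"])
    return results


if __name__ == "__main__":
    for name, verdict in attestation_drill().items():
        print(f"{name:22s} ok={verdict.ok!s:5s} {verdict.reason}")
```

The order of checks is the point: a nonce or firmware field is only meaningful once the signature has shown the report came from the device, and the `hsm_id` comparison is what ties the attested state to the specific HSM that will hold the root key rather than to any device that can produce a well-formed report.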