Bunker reference architectures/On prem

Jurisdictional deployment with regional keys

For regulated customers, every cryptographic component required for recovery stays inside a designated jurisdiction: regional KMS keys, a regional CloudHSM, and customer hardware devices stored in region.

Regional KMSRegional CloudHSMData residencyFIDO2 devicesVerification reports
Customer devices
In region YubiKeys
Regulator
Residency requirement
Jurisdiction parties
Designated AWS region
BunkerRegion pinned
Regional KMS keysPINNED
Regional CloudHSMPINNED
TEE in regionATTESTED
Ciphertexts in regionSTORED
Encrypted backupsVerification reportAudit exportProof for regulators
KMS and CloudHSM in regionCustomer devices stored in regionMeets local regulatory requirements

Dataflow

01

The customer designates a storage region for cryptographic material. The enterprise is configured to use KMS keys and a CloudHSM in that region.

02

The region must support both KMS and CloudHSM; Bunker validates the configuration at enterprise setup.

03

Backup ingestion, enrollment, and the TEE all run against region pinned keys. Ciphertexts persist in regional multi zone storage.

04

The customer stores their FIDO2 hardware devices in the same jurisdiction, closing the loop on the customer domain.

05

Recovery operations execute entirely against regional components; no share or ciphertext crosses the jurisdictional boundary.

06

Verification reports give the regulator or customer standing proof that every component required for recovery remains within the jurisdiction.

Components

Region pinned KMS

Tenant keys created and held in the designated region. Decryption requests resolve regionally.

Regional CloudHSM

The operations HSM share lives in a single tenant HSM in the same jurisdiction, in a distinct AWS account.

Regional ciphertext storage

Multi zone durability inside the region; fingerprints verified by the standard scanning process.

Customer device custody

The customer keeps FIDO2 devices in region; check ins prove their continued availability.

Verification reports

Attestation the customer can hand to a regulator: components exist, verify, and reside where required.

Security considerations

Data residency is enforced at the key layer, not by policy promise: the KMS keys and HSM physically reside in the region.

The customer owns the last mile: hardware tokens must actually be stored in the jurisdiction for the guarantee to hold end to end.

Regional pinning constrains the multi region durability strategy to multi zone within the region; the fingerprint scanning cadence is unchanged.

This pattern typically pairs with the check ins reference architecture to give the regulator continuous, verifiable evidence.

Deploy this architecture

Walk through the trust model, policy design, and rollout with our security and solutions team.

Learn moreAll architectures