A customer requests recovery. The M of N approval policy the customer configured (2 of 5, 3 of 8) must be fulfilled before anything decrypts.
Each approving member decrypts the customer recovery share in the browser with a FIDO2 hardware token, producing a share only the Station70 TEE can use.
The operations HSM, a single tenant CloudHSM in a distinct AWS account, decrypts the HSM recovery share.
The TEE uses KMS to decrypt the cloud share, then reconstructs the backup encryption key from all 3 shares with Lagrange interpolation.
The TEE decrypts the stored backup package: first the BEK layer, then KMS finishes decrypting the RSA private key that unwraps the backup.
The TEE re encrypts the backup to the designated customer recovery public key and emits it for download. Intermediate material dies with the enclave.
Customer controlled M of N approval thresholds. No recovery begins until the quorum is satisfied.
Members decrypt their share with a YubiKey tap. Shares are wrapped so only the TEE can use them, protecting against browser compromise.
Single tenant CloudHSM under separate administration. One of the 3 mandatory domains.
The only place all 3 shares ever meet. Reconstructs, decrypts, re encrypts, terminates.
Serves the encrypted backup, encrypted shares, and super encrypted RSA key to the TEE at recovery time.
Customer participation is cryptographically mandatory. Station70 cannot initiate or complete a recovery alone, regardless of intent or compromise.
Shares are transport wrapped to the TEE, so a compromised client browser cannot leak usable key material.
Redundancy inside each domain (multiple devices, multi region ciphertexts) keeps durability high without weakening the 3 of 3 requirement.
If a policy becomes unsatisfiable (lost devices, departed members), the backup is deleted and re ingested from the provider rather than weakened.
Walk through the trust model, policy design, and rollout with our security and solutions team.