Bunker reference architectures/Hybrid

3 of 3 trusted recovery

A quorum approved recovery brings all 3 security domains together inside a trusted execution environment. The backup is re encrypted to the customer and never exists in the clear outside the enclave.

FIDO2 YubiKeysCloudHSMAWS KMSLagrange interpolationNitro EnclaveM of N approvals
Customer quorum
YubiKeys
M of N approvals
Recovery policy
Customer domain
BunkerAll 3 domains required
Customer sharePOSTED
HSM shareDECRYPTED
Cloud share ยท KMSGATED
BEK reconstructionLAGRANGE
Recovered backupCustomer pubkeySecure downloadRe encrypted out
TEE only reconstructionNo clear text outside the enclaveCustomer participation mandatory

Dataflow

01

A customer requests recovery. The M of N approval policy the customer configured (2 of 5, 3 of 8) must be fulfilled before anything decrypts.

02

Each approving member decrypts the customer recovery share in the browser with a FIDO2 hardware token, producing a share only the Station70 TEE can use.

03

The operations HSM, a single tenant CloudHSM in a distinct AWS account, decrypts the HSM recovery share.

04

The TEE uses KMS to decrypt the cloud share, then reconstructs the backup encryption key from all 3 shares with Lagrange interpolation.

05

The TEE decrypts the stored backup package: first the BEK layer, then KMS finishes decrypting the RSA private key that unwraps the backup.

06

The TEE re encrypts the backup to the designated customer recovery public key and emits it for download. Intermediate material dies with the enclave.

Components

Recovery policy engine

Customer controlled M of N approval thresholds. No recovery begins until the quorum is satisfied.

Browser decryption site

Members decrypt their share with a YubiKey tap. Shares are wrapped so only the TEE can use them, protecting against browser compromise.

Operations HSM

Single tenant CloudHSM under separate administration. One of the 3 mandatory domains.

Nitro Enclave TEE

The only place all 3 shares ever meet. Reconstructs, decrypts, re encrypts, terminates.

Ciphertext manager

Serves the encrypted backup, encrypted shares, and super encrypted RSA key to the TEE at recovery time.

Security considerations

Customer participation is cryptographically mandatory. Station70 cannot initiate or complete a recovery alone, regardless of intent or compromise.

Shares are transport wrapped to the TEE, so a compromised client browser cannot leak usable key material.

Redundancy inside each domain (multiple devices, multi region ciphertexts) keeps durability high without weakening the 3 of 3 requirement.

If a policy becomes unsatisfiable (lost devices, departed members), the backup is deleted and re ingested from the provider rather than weakened.

Deploy this architecture

Walk through the trust model, policy design, and rollout with our security and solutions team.

Learn moreAll architectures