Bunker reference architectures/Hybrid

Verifiable backups and cryptographic check ins

Quarterly device check ins and automatic ciphertext scanning prove to auditors, regulators, and insurers that every backup can actually be recovered, before it is ever needed.

FIDO2 check insSHA 256 fingerprintsQuarterly scansVerification reportsKMS availability checks
Customer devices
Quarterly tap
Signatures
Check in notifications
Customer domain
BunkerReadiness, proven
Device signaturesVERIFIED
KMS key checksAVAILABLE
Fingerprint scansMATCHED
Verification reportISSUED
AuditorsRegulatorsInsurersIndependent verification
Proof of backup readinessAlerts on any mismatchIndependently verifiable signatures

Dataflow

01

Customers receive quarterly notifications to check in their devices. A check in is a login, a page, and a YubiKey tap.

02

The tap produces a digital signature over a check in specific message, uploaded and verified against the device public keys Station70 holds.

03

Asynchronous processes verify every KMS key in the production environment is available for decryption.

04

The ciphertext scanner walks every backup component and verifies contents against the SHA 256 fingerprints stored in a separate system.

05

Any missing or tampered component raises an engineering alert before a recovery is ever needed, not during one.

06

Everything lands in a backup verification report the customer retrieves from the site and can hand to auditors, who can independently verify the device signatures.

Components

Check in workflow

Quarterly, low burden device attestations: insert, tap, done. Proves accounts and devices are alive.

Signature verification

Station70 verifies each check in against registered device public keys; auditors can re verify independently.

KMS availability checks

Asynchronous verification that every cloud key required for recovery responds.

Ciphertext scanner

Periodic sweep of all backup components against fingerprints held in separate storage.

Verification report

The customer facing artifact: proof of backup for auditors, regulators, and insurers.

Security considerations

Backups fail silently: lost devices, forgotten PINs, and departed employees only surface at recovery time unless check ins force the question quarterly.

Signatures are independently verifiable, so proof of backup does not require trusting Station70’s word.

Fingerprints live in a separate storage system from ciphertexts, so tampering with one without the other is detectable.

Check ins double as personnel audits: they enumerate exactly which accounts and devices remain active on each policy.

Deploy this architecture

Walk through the trust model, policy design, and rollout with our security and solutions team.

Learn moreAll architectures