Castle reference architectures/Hybrid

Device lifecycle without seed rotation

Enrollment is peer approved, every device holds its own keypair, and a departure is a one tap revocation. The seed and the policies never change.

Device keypairsPeer approvalLayered key wrappingRevocationRe enrollment
New device
Peer or admin
Biometric approval
Enrollment flow
CastleKeys move, seeds stay
Device keypairGENERATED
Peer approvalRE ENCRYPTED
Key wrappingLAYERED
RevocationONE TAP
Wrapped user keyWrapped enterprise keyPurged ciphertextsLayered key hierarchy
Departures without rotationLost devices re enrollPer device revocation

Dataflow

01

A member signs in on a new phone. The app generates a device specific keypair in the phone’s hardware enclave; the private key never leaves it.

02

Enrollment must be approved by another authorized device, the same member’s other device or an admin’s. The approver’s tap triggers re encryption of the necessary wrapped keys to the new device key.

03

The layered hierarchy does the work: the device key unwraps the user key, the user key unwraps enterprise secrets and code chunks. Nothing about the seed changes.

04

When a member departs, an admin revokes their devices. Their wrapped key ciphertexts are purged; the member cryptographically exits every policy.

05

A member who loses every device re enrolls: a new keypair, an admin approval, and purge of the old ciphertexts. No seed rotation, no policy rebuild.

06

Every enrollment, approval, and revocation is an audit event with actor, device, and timestamp.

Components

Hardware backed keypairs

Per device keys generated in the mobile secure enclave; compromise of one device never exposes another.

Peer approval enrollment

A second authorized device co signs every enrollment, closing the silent device injection channel.

Layered key wrapping

Enterprise, user, and device keys wrap in sequence, so membership changes are re encryption events, not crypto migrations.

Revocation workflow

Purging a device’s ciphertexts removes its access instantly and permanently; policies stay intact.

Re enrollment path

Losing every device means a fresh keypair and an approval, not an operational crisis.

Security considerations

The expensive failure mode in shared credential systems is offboarding. Here it is a revocation, not a rotation of every downstream account.

Peer approved enrollment means a stolen password alone cannot add an attacker’s device.

Purged ciphertexts are cryptographic removal: a revoked device holds keys that no longer unwrap anything.

Future device checks (MDM posture before approval) slot into the enrollment gate without changing the hierarchy.

Deploy this architecture

Walk through the trust model, policy design, and rollout with our security and solutions team.

Learn moreAll architectures