Bunker

Recovery without a single point of trust

Bunker splits key custody 3 ways: your FiDO compliant hardware keys, a Station70 HSM, and cloud keys. Not even Station70 can reconstruct a backup alone. Here is how that compares to keeping recovery keys in a single vendor enclave.

01 / The category

Three approaches to key backup

Backups control assets worth millions to billions and are expected to work, unannounced, on the worst day. The question is not whether keys are encrypted. It is who must show up for them to decrypt.

Zero knowledge recovery vault

Bunker

Key custody splits 3 ways: customer YubiKeys, a Station70 HSM, and cloud keys. Recovery requires your quorum, and final decryption happens with your participation. Not even Station70 can reconstruct a backup alone.

Vendor enclave recovery

Coincover Hot Storage

Recovery keys stay online inside the vendor’s cloud enclave, with recovery initiated through the vendor’s portal. However hardened, 1 environment under 1 vendor’s administration carries all the trust.

The default everyone regrets

Self managed backups

Encrypted USB drives in vaults, seed phrases in safes, spreadsheets of shards. Unverified, unauditable, and dependent on the memory and availability of whoever set it up.

02 / Side by side

Capability comparison

The architectural difference shows up in every row: who holds custody, who governs recovery, and who has to prove readiness.

Capability
Bunker
Coincover*
Trust model
3 WAY SPLIT · NO SINGLE PARTY
SINGLE VENDOR ENCLAVE
Key custody
YOUR YUBIKEYS + HSM + KMS
SHARDED IN 1 ENCLAVE · NO HSM KEYGEN
Final decryption
CUSTOMER PERFORMS IT
INSIDE VENDOR ENCLAVE
Recovery governance
CUSTOMER QUORUM · M OF N
VENDOR PORTAL · ADMIN KEY ACCESS
Approval integrity
CRYPTOGRAPHICALLY SIGNED
VIDEO CALL VERIFICATION
Recovered backup delivery
ENCRYPTED TO YOUR RECOVERY KEY
DOWNLOAD LINK
Test recovery time
ABOUT 7 MINUTES
NOT PUBLICLY STATED
Standby wallet transfer to another provider
PROVEN · LIVE MIGRATIONS
NOT PUBLICLY LISTED
Verifiable readiness
QUARTERLY CHECK INS + REPORTS
SEPARATE CERTIFIED TIER
Wallet integrations
FIREBLOCKS · FORDEFI · UTILA · ANY MPC
MULTIPLE LISTED PLATFORMS
MiCA and DORA compliance
DESIGNED FOR RAPID ADHERENCE
EXPLAINER CONTENT
Compliance posture
SOC 2 TYPE 2 · CRYPTO AUDIT BY TRAIL OF BITS
KEY GEN NOT INDEPENDENTLY AUDITED

* Statements regarding third party products are based on publicly available information and third party security assessments as of the date of publication, are provided for general comparison only, and are not warranted for accuracy or completeness. Product capabilities may change without notice. All trademarks are the property of their respective owners. No affiliation or endorsement is implied.

Switching from a competitor

White glove migration, zero fees

Customers on a competitor’s service get white glove migration and pay zero Bunker fees for the remaining duration of their competitor contract term, with a subsequent 12 month Bunker agreement.

Start a migration
03 / Common questions

What security teams ask first

Why split keys instead of one enclave?

A single environment is a single point of compromise, however hardened. Bunker requires 3 separate domains under separate administration to ever meet: your FiDO compliant hardware keys, a Station70 HSM, and cloud keys. Compromise of any 1, including Station70 itself, recovers nothing.

How do we know recovery will actually work?

Customer test recoveries average about 7 minutes. Quarterly cryptographic check ins verify every component: your devices sign in, cloud keys respond, and every ciphertext matches its fingerprint. The result is a verification report you can hand to auditors and insurers.

What if our wallet provider goes down?

Bunker transfers private key material to a standby wallet at another provider in minutes, proven in live migrations on the recovery network. Keys stay inside hardened environments the whole way; you seamlessly shift underlying wallet platforms instead of waiting out an outage.

Scope, by design

What Bunker chooses not to do

Bunker is recovery only. It never signs transactions, constructs them, or touches your day to day operations.

Customer participation in recovery is cryptographically mandatory, not a policy promise. There is no admin override.

Readiness is proven quarterly through check ins and fingerprint scans, not assumed between disasters.

See Bunker against your recovery plan

Bring your current backup setup. We will walk the trust model, the quorum design, and a live test recovery.

Learn more