Custody Models
Planbok offers different custody models tailored to the needs of different types of users and organizations. These range from fully customer-managed self-custody to institutional treasury management with varying levels of security boundaries.
Customer Custody (Self-Custody)
Inherent Trustless Architecture
For end-users, Planbok is a zero-knowledge, self-custodial solution by nature. The security of a customer-custody wallet is rooted in a client-side blinding mechanism:
- User-Blinded Share: Node 1's key share is encrypted ("blinded") by a secret derived from the user's PIN using the Argon2id hashing algorithm.
- Zero-Knowledge Storage: Planbok stores the blinded share (`wrappedSecret`) but does not have the key to unwrap it. The actual PIN is never sent to or stored on our servers.
- Sovereignty: No transaction can be signed without the user providing the `encrypted_secret` (derived from their PIN) at the time of the request. This ensures the user has exclusive control over their assets.
Organizational Custody
Institutional users can choose between two primary MPC configurations based on their operational and compliance requirements.
1. Standard MPC
Institutional-Grade Management
In the Standard MPC model, both Node 1 and Node 2 key shares are managed by Planbok's globally distributed, secure infrastructure. This model is optimized for ease of use and rapid deployment:
- Automated Signing: Organizations can use API keys and RBAC to authorize signings without providing additional secrets.
- Maximum Convenience: Ideal for treasury management where administrative flexibility is prioritized.
- Security: Nodes are physically isolated in separate containers and environments, with protocol-level protections to prevent collusion.
2. Trustless MPC
The Cryptographic Boundary
Trustless MPC is designed for organizations that require a hard cryptographic proof that Planbok cannot unilaterally sign transactions.
- Organization Secret: During registration, the organization provides an "Organization Secret" (encrypted for Node 1). This secret is used to blind Node 1's share.
- Client-Side Authorization: Every signing request must include the `encrypted_secret`. Without it, Node 1 cannot unwrap its share and the signing protocol will fail.
- Full Sovereignty: This provides the organization with a cryptographic guarantee that their assets are isolated from Planbok’s internal operations.
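The blinding mechanism described above for customer custody (PIN-derived secret) and, with an Organization Secret in place of the PIN, for Trustless MPC, as an added example that is not Planbok's code. It shows a client wrapping a Node 1 share so that the stored blob (`wrappedSecret`) is useless without the secret, and Node 1 refusing a signing request that arrives without `encrypted_secret`. The wrap format (one-time pad from the KDF output plus an HMAC-SHA256 tag), the salt size, the KDF parameters and the HMAC stand-in for the actual MPC signature are assumptions for illustration; Argon2id is used via the argon2-cffi package when it is installed, and scrypt is substituted only so the example runs with the standard library.

```python
# Added example (not Planbok's code): client-side blinding of a Node 1 key share
# with a PIN- or Organization-Secret-derived key, and the check Node 1 performs
# on a signing request. Wrap format, salt size, tag and KDF parameters are
# assumptions for illustration.
import hashlib
import hmac
import os
import secrets
from typing import Optional

try:
    # Argon2id, as the page specifies, via the argon2-cffi package when present.
    from argon2.low_level import Type, hash_secret_raw

    def derive_key_material(secret: bytes, salt: bytes, length: int) -> bytes:
        return hash_secret_raw(secret, salt, time_cost=3, memory_cost=64 * 1024,
                               parallelism=1, hash_len=length, type=Type.ID)
except ImportError:
    def derive_key_material(secret: bytes, salt: bytes, length: int) -> bytes:
        # Stand-in so the example runs with the standard library only; scrypt is
        # NOT the page's KDF, just a substitute memory-hard function for the demo.
        return hashlib.scrypt(secret, salt=salt, n=2 ** 14, r=8, p=1, dklen=length)


MAC_KEY_LEN = 32  # bytes of KDF output reserved for the HMAC-SHA256 key (assumption)


def wrap_share(share: bytes, secret: str) -> dict:
    """Blind a key share so it can only be recovered with `secret`.

    Returns the blob the server would store (the page calls it wrappedSecret);
    the plaintext share and the secret never leave the client.
    """
    salt = os.urandom(16)
    km = derive_key_material(secret.encode(), salt, len(share) + MAC_KEY_LEN)
    pad, mac_key = km[:len(share)], km[len(share):]
    blinded = bytes(a ^ b for a, b in zip(share, pad))  # pad is fresh per salt
    tag = hmac.new(mac_key, salt + blinded, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt, "blinded": blinded, "tag": tag}


def unwrap_share(wrapped: dict, secret: str) -> bytes:
    """Inverse of wrap_share; raises ValueError on a wrong secret or a tampered blob."""
    salt, blinded, tag = wrapped["salt"], wrapped["blinded"], wrapped["tag"]
    km = derive_key_material(secret.encode(), salt, len(blinded) + MAC_KEY_LEN)
    pad, mac_key = km[:len(blinded)], km[len(blinded):]
    expected = hmac.new(mac_key, salt + blinded, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("cannot unwrap share: wrong secret or tampered wrappedSecret")
    return bytes(a ^ b for a, b in zip(blinded, pad))


def node1_sign(stored_wrapped: dict, encrypted_secret: Optional[str], message: bytes) -> bytes:
    """Model of Node 1 handling a signing request.

    Node 1 holds only the blinded share. Without the caller-supplied secret it
    cannot unwrap, so the protocol fails before any signing step runs. The
    returned 'signature' is a stand-in (HMAC over the message keyed with the
    recovered share), not an MPC signature.
    """
    if encrypted_secret is None:
        raise PermissionError("signing request rejected: encrypted_secret missing")
    share = unwrap_share(stored_wrapped, encrypted_secret)
    return hmac.new(share, message, hashlib.sha256).digest()


if __name__ == "__main__":
    sample_share = secrets.token_bytes(32)   # constructed sample share
    blob = wrap_share(sample_share, "4821")  # constructed sample PIN
    print(node1_sign(blob, "4821", b"tx").hex())
```

The tag check is what turns a wrong PIN into a clean failure rather than a silently wrong share, and because the pad and MAC key both come from the KDF, the server holding `salt`, `blinded` and `tag` has nothing to run a signing round with; the cost of guessing the secret offline is bounded by the KDF parameters, which is why a memory-hard function is specified.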
Comparison: Standard vs. Trustless MPC
| Feature | Standard MPC | Trustless MPC |
|---|---|---|
| Primary Use Case | Treasury / High Velocity | Compliance / Custodial Sovereignty |
| Security Boundary | Infrastructure Isolated | Cryptographically Isolated |
| Key Control | Planbok-Managed | Organization-Managed Secret |
| Portability | Non-Exportable | Exportable (Requires Org Secret) |
| Selling Point | Maximum Ease of Use | Institutional Trustlessness |
| RBAC Enforcement | Full Platform RBAC | Platform RBAC + Cryptographic Check |
Regardless of the model chosen, all operations are logged with an enterprise-grade audit trail and enforced by granular Role-Based Access Control (RBAC).