Key Management & Sovereignty
The core of Planbok's security model is the absolute sovereignty of the user or organization over their assets. We achieve this through a "Blinding" mechanism that ensures Node 1's share is cryptographically locked by entropy that Planbok does not control.
The Blinding Mechanism
In self-custodial and trustless models, Node 1 does not store its key share in a usable state. Instead, it stores a Wrapped Share. To unwrap this share, a "Blinding Secret" must be provided by the client during every sensitive operation.
1. PIN-Blinding (Customer Custody)
For individual users, the blinding secret is derived from their personal PIN.
- Argon2id Hashing: The PIN is hashed client-side using Argon2id with a unique salt. This ensures resistance to brute-force and GPU-based attacks.
- Zero-Knowledge: Planbok never receives the PIN. We only receive the high-entropy result used to unwrap the share.
- Client-Side Storage: The salt required for hashing is stored in the user's browser or mobile app, adding a "something you have" factor to the "something you know" (the PIN).
2. Organization Secret (Trustless MPC)
For organizations requiring the highest level of sovereignty, we provide a Trustless MPC mode.
- Master Entropy: During organization registration, a 32-byte Organization Secret is generated and encrypted for Node 1.
- Cryptographic Barrier: Every organizational transaction must include the Encrypted Organization Secret. Without it, Node 1 cannot participate in the signing protocol.
- Recovery: The Organization Secret is the sole key required for independent Private Key Export.
Standard MPC (Managed Sovereignty)
Standard MPC is designed for businesses that prioritize operational velocity and native institutional management.
- Automated Signing: In this model, both Node 1 and Node 2 shares are managed within Planbok's secure infrastructure.
- Vault-Backed Encryption: Shares are encrypted at rest using hardware-backed secrets (HSM/Vault).
- Control via RBAC: Security is enforced through authenticated API sessions and granular Role-Based Access Control, allowing for high-frequency treasury operations without manual secret injection.
Security Model Comparison
| Custody Type | Blinding Secret | Entropy Source | Sovereignty Level |
|---|---|---|---|
| Customer Custody | User PIN | User (Client-side) | Full Self-Custody |
| Trustless MPC | Organization Secret | Organization (Client-side) | Full Sovereignty |
| Standard MPC | Platform Managed | Planbok (Vault-backed) | Institutional Managed |
Ciphertext Rotation
Planbok enforces Ciphertext Rotation to maintain high security hygiene without requiring a migration of funds to new wallet addresses. When a user updates their PIN or an organization rotates their secret ciphertext:
- Secret Retention: The underlying Entity Secret (the entropy that generates the keys) remains unchanged to ensure wallet addresses stay consistent.
- Ciphertext Re-wrapping: The client re-encrypts (re-wraps) this secret under the new PIN or secret, using a fresh IV.
- Encrypted Update: This new ciphertext (wrappedSecret) is updated in Planbok's database.
This ensures that even if an old ciphertext was somehow compromised, it would be useless after a rotation as the client now requires the new PIN to unlock the current ciphertext.
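The rotation steps above, as an added client-side sketch (not Planbok's code). Assumptions: scrypt stands in for Argon2id because Node's standard library has no Argon2id binding, the wrap cipher is AES-256-GCM with an `iv || tag || ciphertext` layout, the salt is kept across rotation, and all function names, PINs and secrets are constructed for illustration.

```javascript
// Added example with constructed values. scrypt is a stand-in for Argon2id,
// and AES-256-GCM plus the blob layout are assumptions, not Planbok's format.
const crypto = require('crypto');

// Derive the 32-byte blinding key from the PIN and the client-held salt.
function deriveKey(pin, salt) {
  return crypto.scryptSync(pin, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Wrap with a fresh 12-byte IV on every call; output is iv || tag || ciphertext.
function wrap(secret, key) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(secret), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Unwrap; returns null when the GCM tag fails (wrong PIN, wrong salt, tampering).
function unwrap(blob, key) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  try {
    return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
  } catch { return null; }
}

// Rotation: the Entity Secret is unchanged, only the key and IV around it change.
function rotate(blob, oldPin, newPin, salt) {
  const secret = unwrap(blob, deriveKey(oldPin, salt));
  if (secret === null) throw new Error('old PIN did not unwrap the current ciphertext');
  const rewrapped = wrap(secret, deriveKey(newPin, salt));
  secret.fill(0); // best-effort wipe of the plaintext copy
  return rewrapped;
}

// Constructed walk-through: enroll with one PIN, rotate to another, check the result.
function demo() {
  const entitySecret = crypto.randomBytes(32);
  const salt = crypto.randomBytes(16);
  const v1 = wrap(entitySecret, deriveKey('4821', salt));
  const v2 = rotate(v1, '4821', '7350', salt);
  const recovered = unwrap(v2, deriveKey('7350', salt));
  return {
    sameSecret: recovered !== null && recovered.equals(entitySecret),
    oldPinRejected: unwrap(v2, deriveKey('4821', salt)) === null,
    ivChanged: !v1.subarray(0, 12).equals(v2.subarray(0, 12)),
  };
}
console.log(demo());
```

In this sketch the pre-rotation blob `v1` still unwraps under the old PIN, so the property demonstrated is about the current stored ciphertext: once `v2` replaces it, only the new PIN opens what the database holds.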