# Key Management

This document describes how Paratro manages cryptographic key shares throughout their lifecycle.

## Key Share Storage

Key shares are stored using multiple layers of protection:

### SaaS Deployment

| Layer | Protection |
|---|---|
| Application | Key shares encrypted with AES-256-GCM before storage |
| Encryption Key | Master keys stored in AWS KMS / GCP Cloud KMS |
| At Rest | Database-level encryption |
| In Transit | TLS 1.3 for all communications |
| In Memory | Shares erased from memory immediately after use |

### Private Deployment

In private deployments, customers control:

- Choice of HSM (hardware security module) or cloud KMS
- Encryption key hierarchy and rotation policies
- Physical security of hosting infrastructure
- Backup and recovery procedures

## Key Lifecycle

### Generation

Key shares are generated via the Distributed Key Generation (DKG) protocol. See MPC Protocol for details.

### Active Use

During normal operations:

- Key shares are loaded into secure memory only during signing ceremonies
- Shares are never transmitted in plaintext
- Each signing operation uses fresh randomness
- Signing logs capture participant details without exposing key material

### Rotation

Regular key rotation is recommended to limit exposure:

- New shares are generated that correspond to the same public key
- Old shares are securely overwritten
- The wallet address does not change
- All active policies remain in effect
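
The rotation property above (fresh shares, unchanged public key, old shares useless afterwards) can be illustrated with a proactive share refresh over a toy Shamir threshold scheme. This is an added example, not Paratro's protocol (which uses DKG over elliptic-curve keys, not a bare field secret); the prime field, the 2-of-3 threshold and the function names are assumptions.

```python
import secrets

# Constructed toy parameters: a prime field and a 2-of-3 threshold.
P = (1 << 127) - 1  # Mersenne prime used as the toy field modulus
T, N = 2, 3

def eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def share(secret, t=T, n=N):
    """Shamir split: shares are (x, f(x)) for x = 1..n with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, eval_poly(coeffs, x)) for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 recovers f(0), the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def refresh(shares, t=T):
    """Proactive refresh: each holder contributes a random polynomial with
    g(0) = 0; every share absorbs the sum of those zero-shares. The secret
    (the 'public key' in a real scheme) is unchanged, every share value is
    new, and an old share no longer combines correctly with new ones."""
    xs = [x for x, _ in shares]
    deltas = {x: 0 for x in xs}
    for _ in range(len(shares)):  # one zero-polynomial per participant
        zero_poly = [0] + [secrets.randbelow(P) for _ in range(t - 1)]
        for x in xs:
            deltas[x] = (deltas[x] + eval_poly(zero_poly, x)) % P
    return [(x, (y + deltas[x]) % P) for x, y in shares]

def demo():
    """Returns (secret unchanged after refresh, mixing old and new shares fails)."""
    secret = secrets.randbelow(P)
    old = share(secret)
    new = refresh(old)
    return reconstruct(new[:T]) == secret, reconstruct([old[0], new[1]]) != secret
```

The second value in `demo()` is why the rotation list says old shares must be securely overwritten: a leaked pre-rotation share is worthless on its own, but it must not survive alongside a post-rotation set of the same epoch.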

### Backup

Key share backups are:

- Encrypted with a separate backup encryption key
- Stored in a customer-designated secure location
- Required for disaster recovery scenarios
- Tested periodically to ensure recoverability

### Destruction

When a wallet is permanently decommissioned:

- All key shares are cryptographically erased
- Backup shares are scheduled for destruction
- Audit logs are retained per retention policy

## Access Controls

Access to key management operations is restricted:

| Operation | Required Role | Additional Requirements |
|---|---|---|
| Create wallet | Admin | — |
| Key rotation | Admin | MFA confirmation |
| Backup export | Owner | MFA + time-delayed |
| Wallet destruction | Owner | Dual approval + MFA |

## Compliance

Paratro’s key management practices are designed to align with:

- SOC 2 Type II controls
- ISO 27001 information security management
- Cryptocurrency Security Standard (CCSS) Level III