Principle

Private keys exist in plaintext only in RAM, only during signing operations, and are zeroized immediately after use.

At rest

All private keys are encrypted with AES-256-GCM before being written to disk or transmitted. The encryption key is derived from a user-owned passphrase via Argon2id with high cost parameters.
key_at_rest = AES-256-GCM.encrypt(
    plaintext = private_key,
    key = Argon2id(passphrase, salt, t=4, m=64MB, p=4),
    nonce = random(96 bits),
    aad = entity_did || key_purpose
)

In memory

Rust’s zeroize crate ensures private key memory is overwritten on drop:
use zeroize::{Zeroize, ZeroizeOnDrop};

// ZeroizeOnDrop overwrites `secret` with zeros when the value goes out of scope.
#[derive(Zeroize, ZeroizeOnDrop)]
struct SigningKey {
    secret: [u8; 32],
}

impl SigningKey {
    fn sign(&self, msg: &[u8]) -> Signature {
        // The secret is read only here; once the SigningKey is dropped its
        // bytes are zeroized. (The signing routine itself is elided on this page.)
    }
}
The Debug trait is deliberately not implemented for key types, so a key cannot be printed or logged by accident.

Hardware keys

Supported:
  • YubiKey 5 (FIDO2 / PGP slots)
  • Ledger Nano S / X (Solana app, Ethereum app)
  • Trezor Model T

For hardware-backed signing, the private key never leaves the device. Orgs sends a signing request; the device returns a signature.

Rotation

ACTs (Arsenal Capability Tokens)

  • Default: 1-hour rotation
  • Minimum: 5 minutes
  • Maximum: 24 hours
  • Automatic; no human action needed

Per-entity treasury keys

  • Recommended: every 90 days
  • Rotation is a governance action (propose, vote, sign-over)
  • Old key is zeroized; the rotation is entered in the public record

Founder / hardware-backed keys

  • Rotate on founder change
  • Rotation ceremony: new key generated on new hardware, old key signs authorization, new key signs OA amendment

Master recovery key

  • Never rotated except in documented emergency
  • Stored in bank safety deposit box + co-custodian
  • Rotation requires founder + co-custodian + 72-hour cooling period

Emergency

If a key is compromised:
  1. Immediately rotate via emergency proposal
  2. All ACTs derived from compromised key are revoked
  3. Audit chain shows all actions signed by the compromised key; these are flagged for review
  4. Security incident report filed with regulators if required