Briefing 03 Business continuity
Q2 2026 Operational secrets · succession · key escrow

No single person should hold a key the business cannot afford to lose.

Root credentials. Signing keys. Treasury wallets. Recovery codes. Split them across the people and places you choose, so no single individual holds enough to act alone.

  1. The problem: single people, single failures
  2. The secrets a business cannot lose
  3. How threshold custody works
  4. Cryptography in two layers
  5. Server state: what we receive
  6. A 3-of-5 across leadership
  7. Common questions
§ 01 · The problem

Single people. Single failures.

Where the standard playbook quietly breaks.
i.
Personnel

One engineer leaves. The credential leaves with them.

One person holds the production root password. They resign, get fired, or stop responding. The business has a problem it cannot solve at the speed it needs, and every workaround starts with admitting the credential is, effectively, gone.

ii.
Physical

One safe burns, floods, or is breached.

A single physical location for the master key is a single physical risk. Fire, water, theft, or a former employee who still remembers the combination. There is no quorum to override one location and no backup to fall back on.

iii.
Vendor

One vendor holds your secret. You hold their risk.

A custodial vault provider is itself a target, a subpoena surface, and a business that might not exist in five years. Their breach is your breach. Their failure is your failure. Their bankruptcy is your operations problem.

§ 02 · Asset ledger

The secrets a business cannot lose.

EXHIBIT A · OPERATIONAL CRITICAL
Asset · Risk if lost · Impact
Root credentials · Production access, the password that unlocks everything else. One holder, one quit. · Critical
Signing keys · Code signing, releases, build pipelines. Lost, you stop shipping. Stolen, you ship the attacker's code. · Critical
Treasury wallet · The company's crypto holdings. A single seed phrase is a single liquidation event. · Critical
Domain registrar · Your brand and inbound traffic. A lost or hijacked registrar account takes weeks to recover, if at all. · High
Backup encryption · The key that decrypts your off-site backups. Without it, the backups are decorative. · High
API master tokens · The credentials behind the credentials. Frequently held by one person who set up the integration. · High
No single departure, no single breach, and no single failure should be enough to lock the business out.
Operating principle · Threshold Vault
§ 03 · Procedure

How threshold custody works.

i.

The secret is encrypted in the browser

The credential, key, or recovery code is encrypted with AES-256-GCM on the device of the person running the ceremony. The ciphertext alone is meaningless without the key. Nothing about this step requires a server, an account, or a connection to anyone but you.

ii.

The encryption key is split across roles

The encryption key is divided into N shares using Shamir's Secret Sharing. The threshold K is yours to set. Any K shares reconstruct the key; any set of fewer than K shares, taken together, reveals nothing about it. No single officer, no single device, no single subpoena reaches the threshold alone.

iii.

Each holder receives one shard and one protocol

CEO, CFO, Counsel, a board member, a sealed copy in the safe. Each holder gets one shard card and the documents that prepare them for the day someone will try to coerce, deceive, or rush them into recovery they were not supposed to authorize.

§ 04 · Cryptography

Two layers, one guarantee.

A symmetric cipher and a threshold scheme, applied in sequence. The threshold scheme is from Adi Shamir's 1979 paper "How to Share a Secret"; the cipher, AES-256, is approved in the United States for protecting classified information up to TOP SECRET.

01

AES-256-GCM encrypts

Authenticated symmetric encryption. GCM mode detects tampering on recovery. Without the encryption key, the ciphertext is meaningless and indistinguishable from random.

cipher · AES-256
mode · GCM, authenticated
classified-grade · yes
02

Shamir splits

From Adi Shamir's 1979 paper. Each share is a point on a random polynomial of degree K-1 over a finite field, with the secret as the constant term. Any K points determine the polynomial and therefore the secret; any K-1 or fewer are consistent with every possible secret and reveal nothing. The split is done byte by byte over GF(256), which caps N at 255 holders.

scheme · Shamir K-of-N
field · GF(256)
test vectors · 51 published
§ 05 · Server state

What our servers receive.

The threat model your security team will want to audit, stated plainly.
00 · Bytes of secret material reach our servers.
Your secret is encrypted on your device. The encryption key is generated locally. Neither is transmitted to us in any form. Our breach is not your breach. What remains for your team to audit is the code that runs the ceremony in your browser, which is why the cryptographic core is published with its test vectors.
00 · Subpoena surface area.
A court order against our company cannot compel what we do not hold. There is nothing to seize, freeze, or hand over. Your secret is not, in any meaningful sense, ours to give up.
00 · Vendor lock-in.
Recovery runs offline from a tool shipped inside your archive. If we disappear tomorrow, your shard cards still reconstruct. Your security team can verify that today, against the open-source reference.
§ 06 · Recommended roster

A 3-of-5 across the leadership.

A typical operating-company configuration. No single departure is a crisis. No two officers acting together can reconstruct the secret. Three independent parties are required.

i.
CEO
Executive · Share 01 / 05
ii.
CFO
Finance · Share 02 / 05
iii.
General Counsel
Legal · Share 03 / 05
iv.
Board Member
Governance · Share 04 / 05
v.
Company Safe
Sealed physical backup · Share 05 / 05
Any three of five reconstruct. No two officers alone can act. No single faction can reach the threshold.
3 of 5
§ 07 · Common questions

Before you deploy.

How is this different from KMS or Vault?
They solve different problems. KMS and Vault handle machine-to-machine secret access at scale. Threshold Vault is for the small number of human-held, high-stakes secrets where no single person should hold the key, and where recovery needs to survive your own vendor failing.
What if a holder loses a share, or leaves?
Run a new ceremony with a new set of holders. The new ceremony generates a fresh encryption key, so old shares cannot combine with new ones. Destroy the old ciphertext and the remaining old shares; if the lost share may be in someone else's hands, rotate the underlying credential as well, since the old ciphertext and K of the old shares would still reconstruct it. The Lost-Holder Replacement Plan included with every Guardian and Legacy archive walks through the process step by step.
Is there an audit trail?
Each ceremony has a unique identifier and a Bearer's Reference document recording who holds what, fingerprints, the scheme, and the date. It is a recovery scheme, not a continuous operations system, and the audit posture matches that role.
Can our security team verify it?
Yes. The cryptographic core is open source with 51 published test vectors. The recovery tool ships inside every archive and runs offline. Your team can verify exactly what runs.
What about setups beyond the standard tiers?
For high-stakes institutional setups beyond the standard tiers, with custom thresholds, additional kits, or white-glove deployment, get in touch. We size the engagement to what you actually need.
Does this satisfy insurance or compliance requirements?
Threshold Vault produces the technical primitive and the human protocol around it. Insurance coverage and compliance attestations are downstream of how your specific business uses the scheme, which is a conversation with your auditor and your counsel.

Put the keys where no single failure can reach.

Try the cryptography on a throwaway value with no signup. When it fits, choose the tier that matches the way your team actually operates.

For boards, treasuries, and institutional setups beyond a standard configuration.
Custom thresholds. Additional physical kits. White-glove deployment with a real human walking the team through the ceremony. Get in touch →