Security
Secure Hardware
Secure hardware provides strong isolation and attestation for sensitive operations:
- Hardware-enforced isolation: secure enclaves have no external networking or persistent storage.
- Root quorum: use ≥3 members with threshold ≥2; each critical user should set up multiple authenticators (e.g., Touch ID, YubiKey).
- Store API keys securely in hardware security modules (HSMs) or encrypted vaults; never hard-code keys in code or client-side.
- Use HPKE-based secure channels for enclave ↔ end-user communication.
- Leverages hardware root-of-trust modules (e.g., AWS Nitro Security Module) for cryptographic attestation.