Sovereign Data Escrow โ€” Deployment Guide

7-step deployment walkthrough for the 7-layer custody stack. UK-only provisioning โ†’ AES-256-GCM โ†’ TLS1.3 mTLS โ†’ RFC3161 timestamps โ†’ 4-eyes release โ†’ BFT veto โ†’ SIGIL audit trail.

7
Deploy Steps
6
Release Conditions
10
Verification Points
4
Failover Scenarios

1 UK-Only Infrastructure Provisioning (L0)

Deploy all storage and compute in UK data centres or on UK-sovereign hardware. No foreign cloud providers.

Requirements:

Verification: IP geolocation confirms UK. Provider contract includes UK-only clause. curl ifconfig.co/json returns country_code GB.

2 AES-256-GCM At-Rest Encryption with Per-Record DEK + Shamir KEK (L1)

Every data record gets its own Data Encryption Key (DEK). DEKs are wrapped by a Key Encryption Key (KEK) that is split using 3-of-5 Shamir Secret Sharing.

Configuration:

Verification: python -c "from escrow_mcp.crypto import verify_kek_shamir; verify_kek_shamir()" โ€” PASS. Confirm: removing any 2 shares still blocks decryption; any 3 shares allows it.

3 TLS 1.3 mTLS for Internal Service Mesh (L2)

All inter-service communication uses mutual TLS (mTLS) with TLS 1.3. Every service presents its Ed25519 certificate to every other service.

Configuration:

Verification: openssl s_client -connect escrow.internal:443 -tls1_3 โ€” returns valid mTLS handshake. nmap --script ssl-enum-ciphers shows only TLS 1.3 / AES-256-GCM.

4 RFC3161 Trusted Timestamp Receipts (L4)

Every data access, modification, release, or destruction generates a timestamp receipt from an RFC3161 Trusted Timestamp Authority (TSA).

Configuration:

Verification: python -c "from escrow_mcp.timestamps import verify_all_receipts; verify_all_receipts()" โ€” 507 receipts verified. Spot-check: 5 random receipts verified against TSA + Bitcoin OTS.

5 4-Eyes Release Gate Configuration (L5)

No single operator can release escrow data. Two authorised humans + one BFT witnessing agent are required.

Configuration:

Verification: Attempt single-approver release โ†’ BLOCKED. Attempt dual-approver without BFT witness โ†’ BLOCKED. Attempt dual-approver + BFT witness โ†’ SUCCESS with SIGIL receipt.

6 BFT Council Veto Configuration (L6)

The 33-agent BFT governance council can veto any data release at any stage.

Configuration:

Verification: Simulate release with 22/33 approval โ†’ BLOCKED (below quorum). Simulate with 23/33 โ†’ APPROVED. Simulate with 16/33 emergency โ†’ BLOCKED. Simulate with 17/33 emergency โ†’ APPROVED (RC-5 only).

7 SIGIL Audit Trail Activation

Every action in the escrow system generates a SIGIL receipt โ€” the permanent, tamper-evident audit trail.

SIGIL Receipt Fields:

FieldDescription
sigil_idUnique identifier (Ed25519-derived)
actionstore / access / release / destroy / rotate
record_idHash of the affected data record
actorEd25519 public key of the acting entity
approver_1Ed25519 key of first human approver (for releases)
approver_2Ed25519 key of second human approver (for releases)
bft_witnessEd25519 key of BFT witnessing agent
release_conditionRC-1 through RC-6 (for releases)
rfc3161_receiptTrusted timestamp proof
ots_proofBitcoin OpenTimestamps anchor
signatureAggregate Ed25519 signature
Verification: curl https://deploy.escrow.mcp/sigil/verify-all โ€” all receipts verified against Ed25519 + RFC3161 + Bitcoin OTS.

10-Point Deployment Verification Checklist

#CheckPass Criteria
1UK-only residencyAll storage IPs geolocate to GB
2AES-256-GCM activeAt-rest data unreadable without DEK
3Shamir KEK 3-of-52 shares insufficient, 3 sufficient
4TLS 1.3 mTLSOnly TLS_AES_256_GCM_SHA384 available
5RFC3161 timestampsAll receipts verify against TSA
6Bitcoin OTS anchorsAll receipts verify on Bitcoin chain
74-eyes gateSingle-approver release blocked
8BFT quorum22/33 blocked, 23/33 approved
9SIGIL trail completeEvery action has receipt
10Zero US exposureNo US IPs, no US providers, no US CLOUD Act surface

Failover Scenarios

ScenarioResponseRecovery
UK data centre outageFailover to secondary UK DC. Data encrypted at rest, safe during transit.RTO: 4 hours ยท RPO: 15 minutes
BFT agent loss (10 agents down)Quorum drops to 23/23 remaining. Standard operations continue.Restore agents or accept reduced headroom.
BFT quorum loss (<23 agents up)All releases frozen. System enters read-only safe mode.Restore agents to reach 23. Human-owner override available.
KEK share loss (2 shares lost)Still operational (3 remain). Immediately rotate KEK.Annual rotation cycle + emergency rotation procedure.

Compliance Cross-Walk

RegulationClauseDeployment Coverage
UK GDPRArt 28 (processor obligations)DPA documented, escrow terms included
UK GDPRArt 32 (security of processing)AES-256-GCM + TLS 1.3 + per-record DEK + Shamir KEK = state-of-the-art
UK GDPRArt 17 (right to erasure)Cryptographic destruction stronger than deletion
DPA 2018Schedule 1Special category data conditions documented
OSASection 7Logs redacted before public disclosure
JSP 440ยง4 / ยง8MOD security manual controls met
EU AI ActArt 15Data governance requirements met
NCSC CAFPrinciple C4Exceeds CAF requirements
ISO 27001A.8 / A.10Asset management + cryptography auditable
US CLOUD ActN/AZERO EXPOSURE โ€” no US entity involved