7-step deployment walkthrough for the 7-layer custody stack. UK-only provisioning โ AES-256-GCM โ TLS1.3 mTLS โ RFC3161 timestamps โ 4-eyes release โ BFT veto โ SIGIL audit trail.
Deploy all storage and compute in UK data centres or on UK-sovereign hardware. No foreign cloud providers.
curl ifconfig.co/json returns country_code GB.Every data record gets its own Data Encryption Key (DEK). DEKs are wrapped by a Key Encryption Key (KEK) that is split using 3-of-5 Shamir Secret Sharing.
aes-256-gcm key generated per record using os.urandom(32).python -c "from escrow_mcp.crypto import verify_kek_shamir; verify_kek_shamir()" โ PASS. Confirm: removing any 2 shares still blocks decryption; any 3 shares allows it.All inter-service communication uses mutual TLS (mTLS) with TLS 1.3. Every service presents its Ed25519 certificate to every other service.
openssl s_client -connect escrow.internal:443 -tls1_3 โ returns valid mTLS handshake. nmap --script ssl-enum-ciphers shows only TLS 1.3 / AES-256-GCM.Every data access, modification, release, or destruction generates a timestamp receipt from an RFC3161 Trusted Timestamp Authority (TSA).
python -c "from escrow_mcp.timestamps import verify_all_receipts; verify_all_receipts()" โ 507 receipts verified. Spot-check: 5 random receipts verified against TSA + Bitcoin OTS.No single operator can release escrow data. Two authorised humans + one BFT witnessing agent are required.
The 33-agent BFT governance council can veto any data release at any stage.
Every action in the escrow system generates a SIGIL receipt โ the permanent, tamper-evident audit trail.
| Field | Description |
|---|---|
| sigil_id | Unique identifier (Ed25519-derived) |
| action | store / access / release / destroy / rotate |
| record_id | Hash of the affected data record |
| actor | Ed25519 public key of the acting entity |
| approver_1 | Ed25519 key of first human approver (for releases) |
| approver_2 | Ed25519 key of second human approver (for releases) |
| bft_witness | Ed25519 key of BFT witnessing agent |
| release_condition | RC-1 through RC-6 (for releases) |
| rfc3161_receipt | Trusted timestamp proof |
| ots_proof | Bitcoin OpenTimestamps anchor |
| signature | Aggregate Ed25519 signature |
curl https://deploy.escrow.mcp/sigil/verify-all โ all receipts verified against Ed25519 + RFC3161 + Bitcoin OTS.| # | Check | Pass Criteria |
|---|---|---|
| 1 | UK-only residency | All storage IPs geolocate to GB |
| 2 | AES-256-GCM active | At-rest data unreadable without DEK |
| 3 | Shamir KEK 3-of-5 | 2 shares insufficient, 3 sufficient |
| 4 | TLS 1.3 mTLS | Only TLS_AES_256_GCM_SHA384 available |
| 5 | RFC3161 timestamps | All receipts verify against TSA |
| 6 | Bitcoin OTS anchors | All receipts verify on Bitcoin chain |
| 7 | 4-eyes gate | Single-approver release blocked |
| 8 | BFT quorum | 22/33 blocked, 23/33 approved |
| 9 | SIGIL trail complete | Every action has receipt |
| 10 | Zero US exposure | No US IPs, no US providers, no US CLOUD Act surface |
| Scenario | Response | Recovery |
|---|---|---|
| UK data centre outage | Failover to secondary UK DC. Data encrypted at rest, safe during transit. | RTO: 4 hours ยท RPO: 15 minutes |
| BFT agent loss (10 agents down) | Quorum drops to 23/23 remaining. Standard operations continue. | Restore agents or accept reduced headroom. |
| BFT quorum loss (<23 agents up) | All releases frozen. System enters read-only safe mode. | Restore agents to reach 23. Human-owner override available. |
| KEK share loss (2 shares lost) | Still operational (3 remain). Immediately rotate KEK. | Annual rotation cycle + emergency rotation procedure. |
| Regulation | Clause | Deployment Coverage |
|---|---|---|
| UK GDPR | Art 28 (processor obligations) | DPA documented, escrow terms included |
| UK GDPR | Art 32 (security of processing) | AES-256-GCM + TLS 1.3 + per-record DEK + Shamir KEK = state-of-the-art |
| UK GDPR | Art 17 (right to erasure) | Cryptographic destruction stronger than deletion |
| DPA 2018 | Schedule 1 | Special category data conditions documented |
| OSA | Section 7 | Logs redacted before public disclosure |
| JSP 440 | ยง4 / ยง8 | MOD security manual controls met |
| EU AI Act | Art 15 | Data governance requirements met |
| NCSC CAF | Principle C4 | Exceeds CAF requirements |
| ISO 27001 | A.8 / A.10 | Asset management + cryptography auditable |
| US CLOUD Act | N/A | ZERO EXPOSURE โ no US entity involved |