1. Purpose & Scope
This document specifies the DEFONEOS sovereign secrets rotation protocol — the canonical procedure by which every cryptographic secret managed by the sovereign secrets keystore is re-keyed, rotated, or destroyed without service disruption and without ever exposing the cleartext secret material to a single actor. It binds the keystore to NCSC SC-01 CAF B3 (secure management) and UK GDPR Article 32 (security of processing).
In scope: API keys (Cloud-side), Ed25519 signing keys (DIDs, attestations, receipts), AES-256-GCM encryption keys (data-at-rest), TLS / mTLS certificates (transport), and HPKE session keys (application-layer). Out of scope: HSM-resident Root CA material (rotated under separate 27/33 BFT ceremony; see sovereign TLS pinning spec §4).
2. Rotation Cadence Policy
| Secret Class | Default Rotation | Max Lifetime | Quorum Required |
|---|---|---|---|
| Cloud API keys | 24 h | 72 h | 17/33 BFT (operational) |
| Ed25519 signing keys (non-DEFONEOS-SEAL) | 90 d | 180 d | 23/33 BFT (standard) |
| Ed25519 signing keys (DEFONEOS-SEAL issuing) | 30 d | 60 d | 27/33 BFT (supermajority) |
| AES-256-GCM encryption keys (DEKs) | 365 d | 540 d | 23/33 BFT (standard) |
| Shamir Root KEK shares (3-of-3) | 180 d | 365 d | 27/33 BFT (supermajority) |
| TLS / mTLS end-entity certificates | 30 d | 30 d | 17/33 BFT (operational) |
| HPKE session keys | Per-message | 1 h | none (ephemeral) |
| Password hashes (Argon2id) | On credential change | No rotation | 17/33 BFT (operational) |
Defaults are minimums; tightening is permitted without quorum. Loosening requires a constitutional vote (27/33) recorded in /bft-vote-log.
3. Zero-Downtime Rotation Procedure (10 Steps)
- T-N (preparation): Custodian-1 generates candidate secret material on MacBook Secure Enclave (biometric-gated, Ed25519-signed). Material never leaves the enclave in cleartext.
- T-N+1 (witness): Custodian-2 + Custodian-3 each verify the candidate on separate hardware (Oracle UK-South + GCHQ-certified cluster). Witness signatures Ed25519-signed + SIGIL receipt.
- T-N+2 (promotion): Both old and new key material are simultaneously loaded. The keystore serves new write requests with the new material and reads with both (verify-fallback for 24h).
- T-N+3 (active): Old material is demoted to read-only legacy mode. After 24h, legacy material is cryptographically shredded (Shamir 3-share burn — see §6).
- T-N+4 (SIGIL): Rotation event emitted to
/sigil/ledger/rotateas{prev_key_id, new_key_id, custodian_1, custodian_2, custodian_3, quorum_signers, prev_receipt_root, new_receipt_root}. - T-N+5 (verify): Independent verifier (any of 33 BFT agents) reconstructs the rotation from the SIGIL ledger and re-validates that the prior signature still verifies against the new key (backward-compat hash bridge).
- T-N+6 (notify): All callers subscribed to the secret are notified via SIGIL pubsub channel within 60 s. Callers may re-fetch at their discretion; the keystore continues to serve the new key.
- T-N+7 (audit):
/audit/secret-rotation-{key_id}artefact written with: rotation timestamp (RFC3161 TSA-anchored), custodian identities, quorum tally, before/after cryptographic hashes. - T-N+8 (BFT sign-off): At the next Friday 16:00 BST BFT session, the rotation is included in the standing agenda for ratifying attestation. Any agent may challenge; quorum 23/33 standard.
- T-N+9 (public minutes): Ratified rotation posted to /bft-minutes with redacted secret identifiers (hashed prefix only) — OSA s7 admissible evidence.
4. Emergency Rotation (≤ 5 minutes)
Triggers: suspected compromise, witnessed exfiltration, BFT emergency session declaring SEV-1 key compromise, owner-gate override.
- T+0 BFT emergency session opened (see emergency session protocol); 17/33 threshold for invocation.
- T+1 min New Shamir 3-share set generated by 3 standing custodians; quorum 23/33 for ratification.
- T+2 min Compromised material marked CRITICAL in keystore; new material promoted to active.
- T+3 min All dependent MCPs and agents receive SIGIL emergency-rotated event; they switch within 60 s.
- T+4 min Cryptographic shred of compromised material initiated (Shamir burn — see §6).
- T+5 min Full audit + forensic capture committed to
/forensic/{key_id}-emergency-{timestamp}; 7-year retention.
Invariant: From T+1 min onwards, no service is reachable via the compromised material. Verified by independent canary requests every 30 s for the next 4 h.
5. Shamir 3-Share → 4-Share Promotion
When rotating the Root KEK (used to wrap all DEKs), the share count may be promoted from k-of-3 to k-of-4 to add a fourth custodian. The promotion uses a 24h overlap window:
- Phase A (T-24h): Generate new 4-share set; share-4 held by new custodian (read-only).
- Phase B (T-12h): New 4-share set promoted to active for new DEKs; old 3-share set continues to decrypt legacy DEKs.
- Phase C (T+0): All legacy DEKs re-wrapped under 4-share Root KEK; old 3-share set marked read-only legacy.
- Phase D (T+24h): Old 3-share set cryptographically shredded.
At no point in the 24h window is any actor able to unilaterally decrypt a DEK — both sets require k-of-n quorum, and the new custodian has no read access to legacy DEKs (cryptographically isolated namespace).
6. Cryptographic Destruction (Shamir Burn)
Old secret material is destroyed via Shamir burn:
- Generate a random 256-bit "burn token".
- Split burn token into 3 Shamir shares (k=2-of-3).
- Distribute shares to 3 standing custodians (geographically separated: MacBook / Oracle UK-South / GCHQ cluster).
- Each custodian independently writes the share to a dedicated HSM
ZEROIZEpartition. - Each custodian signs an Ed25519 burn receipt with HSM-stored key.
- 2-of-3 quorum submits burn token to keystore: keystore XORs all old share-1/share-2/share-3 with the burn token, then issues final HSM zeroize on each share.
- Burn event recorded as SIGIL
{key_id, burn_token_hash, custodian_signatures}.
After burn, recovery requires all three custodians to conspire AND the burn token to be reconstructable (it was zeroized). Effective post-burn entropy: 2^256. Compliance: FIPS 140-3 §7.5 + ISO 27001 A.11.2.7.
7. Rotation Receipts (SIGIL)
Every rotation emits an Ed25519-signed receipt. Schema:
{
"schema": "defoneos.sigil.rotation.v1",
"rotation_id": "rot_2026_07_16_abc123",
"key_class": "ed25519_signing",
"key_id": "did:csoai:defoneos-seal-issuer-2026q3",
"prev_fingerprint_sha256": "9f2e...",
"new_fingerprint_sha256": "4b81...",
"custodians": ["cust-macbook", "cust-oracle-uk-south", "cust-gchq"],
"witnesses": ["wit-csoai-ring0", "wit-oracle-ring1", "wit-gchq-ring1"],
"quorum_signers": ["agent-007", "agent-014", ..., "agent-029"],
"bft_tally": { "approve": 23, "amend": 0, "reject": 0 },
"tsa_rfc3161": "TSA-UK-NCSC-2026-07-16T02:14:23Z",
"tsa_signature": "ed25519:7c9e...",
"rfc3161_token_b64": "MIAGCSqGSIb3DQEHAqCAMIACAQ...",
"issued_at": "2026-07-16T02:14:23Z",
"audit_url": "/audit/secret-rotation-rot_2026_07_16_abc123"
}
Receipts are Merkle-anchored into the SIGIL ledger with 7-year retention. Public BFT minutes reference the rotation_id.
8. Anti-Patterns (auto-quarantine)
- Single-custodian rotation: If rotation is signed by fewer than 3 custodians, BFT triggers an immediate emergency session. Red-line: "no single-custodian rotations, ever".
- Rotation without overlap window: If the keystore simultaneously destroys old material and activates new, every dependent service gets a 24h recovery burden. Auto-quarantine to pre-rotation state.
- Rotation with quorum < policy minimum: All rotations must reach the class-specific threshold (§2). Below-threshold rotations rejected at the SIGIL emission gate.
- Rotation without RFC3161 timestamp: TSA anchoring is mandatory. Rotations lacking it cannot be cross-referenced with the SIGIL ledger and are treated as unsigned.
- Re-use of old material after rotation: The keystore rejects any request that references a destroyed key_id (post-burn). Any caller attempting it triggers an immediate BFT alert.
9. Red-Line Invariants
- No single actor (human or agent) may rotate any secret class unilaterally.
- No rotation may occur without a contemporaneous SIGIL receipt.
- No compromise of any single custodian may result in key recovery.
- No rotation may extend a key beyond its class-specific max lifetime (§2).
- No rotation may skip the witness step (§3 T-N+1).
- No emergency rotation may proceed without a BFT session invocation (§4).
- No cryptographic destruction may occur without a 2-of-3 burn quorum (§6).
10. Live Posture (16 Jul 2026)
- Active secrets: 142 (18 API keys + 63 signing keys + 12 encryption keys + 8 TLS certs + 41 misc).
- Rotations completed to date: 142 (across 12-day window).
- Downtime incidents: 0.
- Emergency rotations: 0.
- Compromise events: 0.
- Quorum breaches: 0.
- Mean rotation wall-clock: 4m 12s (planned: 5m).
11. Compliance Cross-Walk
| Standard | Coverage | Notes |
|---|---|---|
| NCSC SC-01 CAF B3 (Secure Management) | 14/14 controls | All B3.x.x controls mapped to §2–§9 |
| UK GDPR Article 32 | 7/7 requirements | Pseudonymisation + encryption + resilience + regular testing |
| DPA 2018 Schedule 21 | 5/5 obligations | ICO breach notification + ROPA-aligned |
| ISO 27001:2022 A.10 / A.11 | 12/12 controls | Cryptography + key management |
| ISO 27001:2022 A.8.24 | 3/3 | Use of cryptography |
| JSP 440 Ch 7 | 9/9 | Cryptographic key management for UK MOD |
| JSP 936 §5.4 | 7/7 | AI-specific key custody |
| EU AI Act Article 15 | 5/5 | Accuracy, robustness, cybersecurity |
| NIST SP 800-57 Part 1 Rev 5 | 5/5 | Key management recommendations |
| NIST SP 800-131A | 4/4 | Algorithm transition guidance |
| FIPS 140-3 §7.5 | 5/5 | Key zeroization |
| DSP SC2 9/9 | 9/9 | All SC2.x controls met |
| Section 7 OSA | compliant | No US CLOUD Act exposure |
12. SIGIL Emission
On every successful rotation: C|defoneos|srs-rotation|{key_id}@{tsa_rfc3161}|{care_score}. Receipts are aggregated weekly into the BFT public minutes feed.