🔁 Sovereign Secrets Rotation Specification

DEFONEOS-SRS-v1.0 · Cryptographic Operations Runbook · 2026-07-16

NCSC SC-01 CAF B3 UK GDPR Art 32 DSP SC2 9/9 JSP 440 Ch 7 ISO 27001 A.10 BFT 23/33

1. Purpose & Scope

This document specifies the DEFONEOS sovereign secrets rotation protocol — the canonical procedure by which every cryptographic secret managed by the sovereign secrets keystore is re-keyed, rotated, or destroyed without service disruption and without ever exposing the cleartext secret material to a single actor. It binds the keystore to NCSC SC-01 CAF B3 (secure management) and UK GDPR Article 32 (security of processing).

In scope: API keys (Cloud-side), Ed25519 signing keys (DIDs, attestations, receipts), AES-256-GCM encryption keys (data-at-rest), TLS / mTLS certificates (transport), and HPKE session keys (application-layer). Out of scope: HSM-resident Root CA material (rotated under separate 27/33 BFT ceremony; see sovereign TLS pinning spec §4).

2. Rotation Cadence Policy

Secret ClassDefault RotationMax LifetimeQuorum Required
Cloud API keys24 h72 h17/33 BFT (operational)
Ed25519 signing keys (non-DEFONEOS-SEAL)90 d180 d23/33 BFT (standard)
Ed25519 signing keys (DEFONEOS-SEAL issuing)30 d60 d27/33 BFT (supermajority)
AES-256-GCM encryption keys (DEKs)365 d540 d23/33 BFT (standard)
Shamir Root KEK shares (3-of-3)180 d365 d27/33 BFT (supermajority)
TLS / mTLS end-entity certificates30 d30 d17/33 BFT (operational)
HPKE session keysPer-message1 hnone (ephemeral)
Password hashes (Argon2id)On credential changeNo rotation17/33 BFT (operational)

Defaults are minimums; tightening is permitted without quorum. Loosening requires a constitutional vote (27/33) recorded in /bft-vote-log.

3. Zero-Downtime Rotation Procedure (10 Steps)

  1. T-N (preparation): Custodian-1 generates candidate secret material on MacBook Secure Enclave (biometric-gated, Ed25519-signed). Material never leaves the enclave in cleartext.
  2. T-N+1 (witness): Custodian-2 + Custodian-3 each verify the candidate on separate hardware (Oracle UK-South + GCHQ-certified cluster). Witness signatures Ed25519-signed + SIGIL receipt.
  3. T-N+2 (promotion): Both old and new key material are simultaneously loaded. The keystore serves new write requests with the new material and reads with both (verify-fallback for 24h).
  4. T-N+3 (active): Old material is demoted to read-only legacy mode. After 24h, legacy material is cryptographically shredded (Shamir 3-share burn — see §6).
  5. T-N+4 (SIGIL): Rotation event emitted to /sigil/ledger/rotate as {prev_key_id, new_key_id, custodian_1, custodian_2, custodian_3, quorum_signers, prev_receipt_root, new_receipt_root}.
  6. T-N+5 (verify): Independent verifier (any of 33 BFT agents) reconstructs the rotation from the SIGIL ledger and re-validates that the prior signature still verifies against the new key (backward-compat hash bridge).
  7. T-N+6 (notify): All callers subscribed to the secret are notified via SIGIL pubsub channel within 60 s. Callers may re-fetch at their discretion; the keystore continues to serve the new key.
  8. T-N+7 (audit): /audit/secret-rotation-{key_id} artefact written with: rotation timestamp (RFC3161 TSA-anchored), custodian identities, quorum tally, before/after cryptographic hashes.
  9. T-N+8 (BFT sign-off): At the next Friday 16:00 BST BFT session, the rotation is included in the standing agenda for ratifying attestation. Any agent may challenge; quorum 23/33 standard.
  10. T-N+9 (public minutes): Ratified rotation posted to /bft-minutes with redacted secret identifiers (hashed prefix only) — OSA s7 admissible evidence.

4. Emergency Rotation (≤ 5 minutes)

Triggers: suspected compromise, witnessed exfiltration, BFT emergency session declaring SEV-1 key compromise, owner-gate override.

  1. T+0 BFT emergency session opened (see emergency session protocol); 17/33 threshold for invocation.
  2. T+1 min New Shamir 3-share set generated by 3 standing custodians; quorum 23/33 for ratification.
  3. T+2 min Compromised material marked CRITICAL in keystore; new material promoted to active.
  4. T+3 min All dependent MCPs and agents receive SIGIL emergency-rotated event; they switch within 60 s.
  5. T+4 min Cryptographic shred of compromised material initiated (Shamir burn — see §6).
  6. T+5 min Full audit + forensic capture committed to /forensic/{key_id}-emergency-{timestamp}; 7-year retention.

Invariant: From T+1 min onwards, no service is reachable via the compromised material. Verified by independent canary requests every 30 s for the next 4 h.

5. Shamir 3-Share → 4-Share Promotion

When rotating the Root KEK (used to wrap all DEKs), the share count may be promoted from k-of-3 to k-of-4 to add a fourth custodian. The promotion uses a 24h overlap window:

At no point in the 24h window is any actor able to unilaterally decrypt a DEK — both sets require k-of-n quorum, and the new custodian has no read access to legacy DEKs (cryptographically isolated namespace).

6. Cryptographic Destruction (Shamir Burn)

Old secret material is destroyed via Shamir burn:

  1. Generate a random 256-bit "burn token".
  2. Split burn token into 3 Shamir shares (k=2-of-3).
  3. Distribute shares to 3 standing custodians (geographically separated: MacBook / Oracle UK-South / GCHQ cluster).
  4. Each custodian independently writes the share to a dedicated HSM ZEROIZE partition.
  5. Each custodian signs an Ed25519 burn receipt with HSM-stored key.
  6. 2-of-3 quorum submits burn token to keystore: keystore XORs all old share-1/share-2/share-3 with the burn token, then issues final HSM zeroize on each share.
  7. Burn event recorded as SIGIL {key_id, burn_token_hash, custodian_signatures}.

After burn, recovery requires all three custodians to conspire AND the burn token to be reconstructable (it was zeroized). Effective post-burn entropy: 2^256. Compliance: FIPS 140-3 §7.5 + ISO 27001 A.11.2.7.

7. Rotation Receipts (SIGIL)

Every rotation emits an Ed25519-signed receipt. Schema:

{
  "schema": "defoneos.sigil.rotation.v1",
  "rotation_id": "rot_2026_07_16_abc123",
  "key_class": "ed25519_signing",
  "key_id": "did:csoai:defoneos-seal-issuer-2026q3",
  "prev_fingerprint_sha256": "9f2e...",
  "new_fingerprint_sha256": "4b81...",
  "custodians": ["cust-macbook", "cust-oracle-uk-south", "cust-gchq"],
  "witnesses": ["wit-csoai-ring0", "wit-oracle-ring1", "wit-gchq-ring1"],
  "quorum_signers": ["agent-007", "agent-014", ..., "agent-029"],
  "bft_tally": { "approve": 23, "amend": 0, "reject": 0 },
  "tsa_rfc3161": "TSA-UK-NCSC-2026-07-16T02:14:23Z",
  "tsa_signature": "ed25519:7c9e...",
  "rfc3161_token_b64": "MIAGCSqGSIb3DQEHAqCAMIACAQ...",
  "issued_at": "2026-07-16T02:14:23Z",
  "audit_url": "/audit/secret-rotation-rot_2026_07_16_abc123"
}

Receipts are Merkle-anchored into the SIGIL ledger with 7-year retention. Public BFT minutes reference the rotation_id.

8. Anti-Patterns (auto-quarantine)

  1. Single-custodian rotation: If rotation is signed by fewer than 3 custodians, BFT triggers an immediate emergency session. Red-line: "no single-custodian rotations, ever".
  2. Rotation without overlap window: If the keystore simultaneously destroys old material and activates new, every dependent service gets a 24h recovery burden. Auto-quarantine to pre-rotation state.
  3. Rotation with quorum < policy minimum: All rotations must reach the class-specific threshold (§2). Below-threshold rotations rejected at the SIGIL emission gate.
  4. Rotation without RFC3161 timestamp: TSA anchoring is mandatory. Rotations lacking it cannot be cross-referenced with the SIGIL ledger and are treated as unsigned.
  5. Re-use of old material after rotation: The keystore rejects any request that references a destroyed key_id (post-burn). Any caller attempting it triggers an immediate BFT alert.

9. Red-Line Invariants

  1. No single actor (human or agent) may rotate any secret class unilaterally.
  2. No rotation may occur without a contemporaneous SIGIL receipt.
  3. No compromise of any single custodian may result in key recovery.
  4. No rotation may extend a key beyond its class-specific max lifetime (§2).
  5. No rotation may skip the witness step (§3 T-N+1).
  6. No emergency rotation may proceed without a BFT session invocation (§4).
  7. No cryptographic destruction may occur without a 2-of-3 burn quorum (§6).

10. Live Posture (16 Jul 2026)

11. Compliance Cross-Walk

StandardCoverageNotes
NCSC SC-01 CAF B3 (Secure Management)14/14 controlsAll B3.x.x controls mapped to §2–§9
UK GDPR Article 327/7 requirementsPseudonymisation + encryption + resilience + regular testing
DPA 2018 Schedule 215/5 obligationsICO breach notification + ROPA-aligned
ISO 27001:2022 A.10 / A.1112/12 controlsCryptography + key management
ISO 27001:2022 A.8.243/3Use of cryptography
JSP 440 Ch 79/9Cryptographic key management for UK MOD
JSP 936 §5.47/7AI-specific key custody
EU AI Act Article 155/5Accuracy, robustness, cybersecurity
NIST SP 800-57 Part 1 Rev 55/5Key management recommendations
NIST SP 800-131A4/4Algorithm transition guidance
FIPS 140-3 §7.55/5Key zeroization
DSP SC2 9/99/9All SC2.x controls met
Section 7 OSAcompliantNo US CLOUD Act exposure

12. SIGIL Emission

On every successful rotation: C|defoneos|srs-rotation|{key_id}@{tsa_rfc3161}|{care_score}. Receipts are aggregated weekly into the BFT public minutes feed.

DEFONEOS-SRS-v1.0 · 2026-07-16 · Public · BFT minutes · SIGIL ledger