Private Vault · Architecture · Workflow

The Vault, rendered.

Every ArcaKey session runs the same architecture — an encrypted envelope around a trusted enclave, opened only long enough to think, closed the moment you’re done. What follows is how that works in plain English, and where the tradeoffs live.

Request accessRead the architecture paper
Session lifecycle

How the vault works, plainly.

Five steps, in order. Nothing is abstract — every step maps to a named primitive in the whitepaper.

  1. Session init
    Your client negotiates a hybrid key: X25519 for classical, ML-KEM-768 for post-quantum. Both halves must fail before the transport is exposed.
  2. Encrypted prompt
    Your prompt is sealed under the session key before it leaves your device. The application server sees ciphertext only — it is a postbox, not a reader.
  3. TEE inference
    The ciphertext enters an NVIDIA H100 in Confidential Computing mode. Memory is encrypted on-die. Attestation is verified before the session key is released inside the enclave.
  4. Signed response
    Every response chunk is signed with ML-DSA-65 inside the TEE. Your client verifies the signature; unsigned or tampered chunks are rejected before they render.
  5. Session close
    The session key is zeroized. Ghost Mode leaves no ciphertext behind; a retained session writes only the envelope your vault policy permits.
Ghost Mode

A per-session toggle. Not a tier.

Ghost Mode is available on every paid tier. It is a posture, not a product — a declaration, at the start of a session, that nothing written during the session will survive it.

No ciphertext at rest
Conversations live only in TEE memory for the duration of the session. Nothing is written to disk, nothing is committed to the memory ledger.
No shadow log
Audit log records that a Ghost session occurred and at what time. It does not record the content, and there is no parallel transcript kept “for quality.”
Zeroized on close
The session key is wiped and the TEE region is reset. After session close, there is no mechanism by which the content can be reconstructed.
Attestation

Every TEE session emits a signed artifact.

Not a marketing document. A cryptographic artifact that names the hardware, the firmware, the measurement, and the ArcaKey binding signature over all of it. Download a freshly-signed sample and verify it offline.

Download signed samplePublished pubkeyClaims & artifact index

Pre-launch note: the NRAS evidence layer is stub-sourced until GCP A3 Confidential VM capacity is active. The ArcaKey binding signature over the artifact is real and verifiable today; transition to live NRAS is automatic on capacity cutover — the artifact shape does not change.

User-held keys

On Executive and above, you hold the key.

A tradeoff, stated plainly. User-held keys are the reason ArcaKey cannot read your vault. They are also the reason we cannot recover it for you.

What it means

Your vault’s content-encryption key is wrapped by a key derived from your passphrase or a FIDO2 token. The wrapping key never leaves your device. ArcaKey stores ciphertext. We do not hold the plaintext, and we do not hold anything that can unwrap it.

What it costs

Lose the passphrase or token, lose the data. There is no backdoor, no “contact support.” This is stated explicitly in the retainer and acknowledged at checkout — because the moment a vendor can recover your vault, so can anyone who can impersonate you to that vendor.

In use

The vault, at a conversation’s pace.

A preview of how the vault reads during a working session — ink, ivory, and a single restraint of champagne. The aesthetic of a private bank, in digital form.

The Vault
ExecutiveML-KEM-768Ghost: offSession Encrypted
Pull the restructuring memo we drafted two weeks ago. I need to redraft the indemnity section before co-counsel’s Thursday call.
Retrieved. Opening the Nov 3 draft. The indemnity section currently runs from §7.1 to §7.4 and references the two jurisdictional carve-outs we flagged. Shall I redline against the version you accepted on Oct 28, or draft fresh against co-counsel’s last markup?
Fresh against co-counsel’s markup. Keep my carve-outs.
Understood. Drafting now.
Return to send

Open a vault for the work that will not live on anyone else’s server.

Start an Executive pilot, or request a Sovereign call. Thirty days at a contracted rate, then the standard fee — or cancellation.

Request accessSecurity overview