ABS Core v4.3.3
Security and Compliance

Key Management & HSM Integration

Cryptographic key lifecycle (KMS), Hardware Security Modules (HSM) integration, and rotation strategies.

Key Management Lifecycle

ABS Core relies on asymmetric cryptography (Ed25519) and SHA-256 hashes to guarantee the integrity of the Octagon Ledger. Proper management of these keys is the central pillar of system sovereignty.

1. Hierarchy of Trust

The ABS Core key infrastructure is divided into three levels:

  1. Root of Trust (RoT): The offline master key, used exclusively to sign Infrastructure Keys. It must be stored in a physical vault or offline HSM.
  2. Infrastructure Keys: Cluster-level keys that sign the identity of each individual Node (Agent Keys) that joins the network.
  3. Agent Keys: Ephemeral keys generated by each instance of the Agent Node. They are used to sign transactions and the intent history in the ledger.

2. Hardware Security Module (HSM) Integration

For institutional environments (Banking, Defense), Root and Infrastructure level keys must not reside on the file system.

ABS Core supports integration via PKCS#11 and KMIP (Key Management Interoperability Protocol) to interact with:

  • Thales Luna HSMs
  • Entrust nShield
  • AWS CloudHSM / Azure Key Vault (only in sovereign cloud deployments)

Configuration Example (PKCS#11)

security:
  hsm:
    enabled: true
    provider: "pkcs11"
    library: "/usr/safenet/lunaclient/lib/libCryptoki2_64.so"
    slot_id: 1
    pin_env: "HSM_PARTITION_PIN"

3. Key Rotation & Lifecycle

The lifecycle of Agent Keys is ephemeral by design to reduce the attack surface in case of node compromise.

| Event | Action | Maximum RTO |
|---|---|---|
| Start-up | New Agent Key generated and signed by the Infrastructure Key. | N/A |
| Regular Rotation | The node rotates its key every 24 hours (configurable). | Zero downtime (Overlap) |
| Revocation (Compromise) | The Infrastructure Key publishes a CRL (Certificate Revocation List) on the network. The isolated node is immediately banned. | < 500ms |

4. Disaster Recovery (Cryptographic)

The loss of the Root of Trust is a catastrophic event that invalidates the entire ABS Core trust chain.

  • Quorum Procedure (M-of-N): The Root Key must be generated using a Shamir secret sharing scheme (e.g., 3 out of 5 directors required to reconstruct the key).
  • Generation Ceremony: Must follow NIST SP 800-57 Part 1 Rev. 5 guidelines, conducted in an air-gapped environment and video audited.
