Stable

Vault Scale

Secrets that stay secret.


The Vault Scale is Tophan’s secrets management system. It stores, distributes, and rotates secrets using a TPM-backed three-key architecture that ensures no single compromise can expose your data.

The Three-Key Architecture

┌─────────────────────┐
│    Master Key       │  Derived from TPM + passphrase
│    (never stored)   │  Exists only in memory at unlock time
├─────────────────────┤
│    Node Key         │  Sealed to TPM PCR values
│    (per-node)       │  Only valid on this hardware + this OS state
├─────────────────────┤
│    Agent Keys       │  Issued to Scales and services
│    (per-consumer)   │  Scoped to specific secret paths
└─────────────────────┘
  • Master Key: Derived from a combination of TPM hardware state and a passphrase. Never written to disk. Exists only in memory during vault operations.
  • Node Key: Sealed to the TPM’s PCR values. If the hardware changes, the BIOS changes, or the OS image changes, the node key becomes invalid. This prevents offline attacks and boot-level tampering.
  • Agent Keys: Issued to individual Scales and services with scoped access. A Scale can only read the secrets it’s authorised for.

Features

Feature (status): description

  • Encrypted Storage (Stable): All secrets encrypted at rest with AES-256-GCM. Keys derived from the TPM-backed hierarchy.
  • REST API (Stable): Full CRUD API for secrets management. Authenticated, authorised, and audited.
  • Namespaces (Stable): Hierarchical secret organisation. Per-Scale, per-application, or per-environment isolation.
  • Audit Logging (Stable): Every secret access logged: who, what, when, from where. Immutable audit trail.
  • Certificate Management (Beta): Issue, renew, and revoke TLS certificates. Automatic renewal before expiry.
  • Secret Rotation (Beta): Automatic rotation of secrets on a configurable schedule. Consumers are notified of changes.
  • Access Control (Stable): Fine-grained policies: which agent keys can access which secret paths. Deny by default.
  • Unsealing (Stable): Vault unseals automatically on boot using TPM state. No manual intervention for routine restarts.
  • Cluster Sync (Beta): Secrets replicate across cluster nodes. Encrypted in transit, re-sealed to each node’s TPM.
  • Backup (Stable): Encrypted vault export for disaster recovery. Backup is useless without the master key.

Why TPM?

Software-only secret stores protect secrets with a key that’s… also stored on the same disk. An attacker who compromises the OS can read the key and decrypt everything.

TPM-backed storage binds secrets to specific hardware. An attacker who steals the disk gets encrypted data and no way to decrypt it. An attacker who modifies the OS gets a node key that no longer validates. The TPM ensures that secrets are only accessible on the right hardware running the right software.
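The three-key hierarchy above and the sealing argument in this section, as an added Go model that is not Tophan's code (the Vault Scale's real KDF, TPM sealing calls and policy format are not described on this page): the master key is derived in memory from a TPM-held secret plus the passphrase, the node key is stored on disk only as an AES-256-GCM blob whose associated data is the PCR digest, so a changed firmware or OS measurement or a wrong passphrase makes unsealing fail, and an agent's path scope is checked deny-by-default before the node key decrypts a secret. The TPM secret, PCR digest and HMAC-based kdf are constructed stand-ins for the hardware.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"strings"
)

// kdf is one HKDF-expand step (HMAC-SHA256) standing in for the TPM's KDF; master = kdf(tpmSecret, passphrase).
func kdf(ikm []byte, label string) []byte {
	m := hmac.New(sha256.New, ikm)
	m.Write([]byte(label))
	return m.Sum(nil)
}

func gcm(key []byte) cipher.AEAD {
	b, err := aes.NewCipher(key) // a 32-byte kdf output selects AES-256
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(b) // cannot fail for AES's 16-byte block size
	return g
}

// seal binds ciphertext to pcrDigest as GCM associated data; a changed boot measurement fails the tag check.
func seal(key, pcrDigest, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, pcrDigest) // output: nonce || ciphertext || tag
}

func unseal(key, pcrDigest, blob []byte) ([]byte, bool) {
	g := gcm(key)
	if len(blob) < g.NonceSize() { // truncated blob: refuse rather than panic
		return nil, false
	}
	pt, err := g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], pcrDigest)
	return pt, err == nil // false on wrong key or a PCR digest that differs from sealing time
}

// readSecret models agent-key scoping: deny by default unless path is under the agent's scope, then decrypt with the node key.
func readSecret(agentScope, path string, nodeKey, pcrDigest, blob []byte) ([]byte, bool) {
	if !strings.HasPrefix(path, agentScope) {
		return nil, false
	}
	return unseal(nodeKey, pcrDigest, blob)
}
```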

Integration with Other Scales

Every Scale in Tophan uses the Vault for its secrets:

  • Hypervisor: VM disk encryption keys
  • Networking: VPN keys and certificates
  • Storage: Volume encryption keys
  • NAS: Service account credentials
  • Backup: Encryption keys for backup data
  • Era: Database credentials

No Scale stores its own secrets. No configuration file contains a password. Everything flows through the Vault, everything is audited, and everything is encrypted.