Offline Backup HSMs

Secubit’s custody architecture is designed so that even extreme scenarios, such as the simultaneous loss of all online HSMs across every datacenter, can be recovered from without compromising cryptographic integrity. The probability of such an event is very low, but Secubit guards against it by maintaining air-gapped backup HSMs.

Two dedicated cold backup HSMs hold an encrypted copy of the master keys. These devices are FIPS 140-2 certified, giving the same level of assurance as the online network HSMs. During the key generation ceremony, the keys are transferred directly from a network HSM to each backup HSM. The transfer is encrypted end to end between the HSMs, so the keys never appear in plaintext outside secure hardware. A quorum of HSM officers must physically authorize the operation with their hardware tokens, which places the escrow under strong multi-factor control.

flowchart LR
    Q(["👮👮👮 Officers"])
    HSM["🔒 Online HSM"]
    B1["❄️ Backup HSM 1 <br/> (air-gapped)"]
    B2["❄️ Backup HSM 2 <br/> (air-gapped)"]

    HSM -- "encrypted keys" --> B1
    HSM -- "encrypted keys" --> B2

In a disaster recovery event, the same quorum of HSM officers must again present their hardware tokens to authorize restoration. The encrypted key material is transferred from a backup HSM into new, blank network HSMs. To complete recovery the system also needs the latest Merkle root, which is not stored in the backup HSMs. Instead, Secubit maintains a chain of Merkle root history in which each entry is authenticated with an HMAC computed inside the HSM as part of the synchronization mechanism. The Secubit server provides the most recent authenticated Merkle root to the recovered HSMs, which verify the HMAC before accepting it. Because the HMAC key never leaves the HSMs, a root whose HMAC verifies can only have been produced by an HSM holding that key, and the chaining lets the recovered HSMs check that the root they are handed extends an unbroken sequence rather than a forged or reordered one.
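
The following is an added example, not Secubit's code, of the kind of HMAC-chained root history the paragraph describes, together with the recovery-side check. Everything about its layout is an assumption: the synchronization key is a 32-byte HMAC-SHA256 key held only by the `Hsm` objects, each entry carries a sequence number, the previous entry's tag and the root, and the tag covers all three. The optional `expected_seq` anchor is also an assumption, added to show which case the chain alone does not cover.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

# Constructed key for the example; a real synchronization key is generated
# inside the HSM and never leaves it.
SYNC_KEY = hashlib.sha256(b"example-sync-key").digest()
GENESIS_TAG = b"\x00" * 32


@dataclass(frozen=True)
class RootEntry:
    seq: int          # position in the history, starting at 0
    prev_tag: bytes   # tag of the previous entry (GENESIS_TAG for the first)
    root: bytes       # the Merkle root being published
    tag: bytes        # HMAC-SHA256 over seq || prev_tag || root


class Hsm:
    """Stand-in for a network HSM: the only party holding the sync key."""

    def __init__(self, sync_key: bytes) -> None:
        self._key = sync_key

    def _tag(self, seq: int, prev_tag: bytes, root: bytes) -> bytes:
        msg = seq.to_bytes(8, "big") + prev_tag + root
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def publish_root(self, history: list, root: bytes) -> RootEntry:
        """Append a new root, chaining it to the last entry's tag."""
        prev_tag = history[-1].tag if history else GENESIS_TAG
        seq = len(history)
        entry = RootEntry(seq, prev_tag, root, self._tag(seq, prev_tag, root))
        history.append(entry)
        return entry

    def accept_history(self, history: list, expected_seq: Optional[int] = None):
        """Recovery-side check: walk the chain from genesis and return the
        latest root, or None if any link fails. expected_seq is an assumed
        out-of-band anchor for the latest sequence number; without it a
        truncated but otherwise valid prefix still verifies."""
        if not history:
            return None
        prev_tag = GENESIS_TAG
        for i, e in enumerate(history):
            if e.seq != i or e.prev_tag != prev_tag:
                return None  # broken or reordered link
            if not hmac.compare_digest(e.tag, self._tag(e.seq, e.prev_tag, e.root)):
                return None  # tag not produced by a key-holding HSM
            prev_tag = e.tag
        if expected_seq is not None and history[-1].seq != expected_seq:
            return None  # stale (truncated) history
        return history[-1].root


def sample_roots(n: int = 3) -> list:
    # Constructed stand-ins for real Merkle roots.
    return [hashlib.sha256(f"root-{i}".encode()).digest() for i in range(n)]


def demo() -> dict:
    """Publish three roots, then run the recovery check against the honest
    history and against three histories a server could hand back wrongly."""
    online = Hsm(SYNC_KEY)
    history = []
    for r in sample_roots():
        online.publish_root(history, r)

    recovered = Hsm(SYNC_KEY)  # blank HSM after key restore: same sync key

    # Middle root altered: its tag no longer verifies.
    tampered = list(history)
    tampered[1] = replace(tampered[1], root=hashlib.sha256(b"altered").digest())

    # Entries swapped: sequence numbers and prev_tag links no longer match.
    reordered = [history[0], history[2], history[1]]

    # Valid but stale prefix: only an external anchor catches this.
    truncated = history[:2]

    return {
        "latest_root": recovered.accept_history(history),
        "tampered": recovered.accept_history(tampered),
        "reordered": recovered.accept_history(reordered),
        "truncated_unanchored": recovered.accept_history(truncated),
        "truncated_anchored": recovered.accept_history(truncated, expected_seq=2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if value else value)
```

The tampered and reordered histories fail on the HMAC and on the chain links respectively, which is what the verification step in the text provides. The truncated history passes unless the recovering side knows the expected sequence number, so whatever anchors freshness in a real deployment has to come from outside the chain itself.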

Through this mechanism, Secubit can bring new network HSMs online and restore service quickly, even under catastrophic conditions. The combination of offline key escrow, quorum approval with hardware tokens, and an authenticated Merkle root history makes disaster recovery both practical and cryptographically trustworthy while keeping the platform's security guarantees intact.