HSM Workflows

At the core of Secubit’s custody platform, Hardware Security Modules (HSMs) enforce all critical cryptographic guarantees. To support secure wallet operations at scale, HSMs not only protect private keys but also manage wallet state, derive signing keys, and remain synchronized across distributed deployments.

Wallet data is committed into a balanced Merkle tree, where the HSM stores only the root hash while the server maintains the full structure. Whenever a wallet is added, updated, or removed, the HSM verifies the change through Merkle proofs. This design keeps secure storage inside the HSM minimal while still guaranteeing the integrity of all wallet records.

Key material is managed through a process of sealed derivation inside the HSM. Wallet seeds are encrypted under a sealing key derived from the HSM’s master key and the wallet hash. The server holds only encrypted seeds, while the HSM decrypts them on demand and deterministically derives signing keys. For compatibility across blockchain ecosystems, derivation follows BIP-32 for secp256k1 or SLIP-10 for ed25519. At no stage does plaintext key material ever leave the secure hardware boundary.

In distributed environments, synchronization across multiple HSMs ensures that state remains consistent. Each HSM validates root transitions using both the Merkle root update and an HMAC generated with a shared sync key. Updates are applied only when the HMAC matches and the current root aligns with the expected state, preventing forgery, replay, or divergence across devices.

Together, these workflows form the operational backbone of Secubit’s security model. They guarantee that wallet state is compact, auditable, and cryptographically verifiable, that key derivation remains confined to secure hardware, and that multiple HSMs operate in lockstep to preserve institutional-grade trust.