Vault

The Vault is Secubit’s custom firmware extension that runs inside the HSM, acting as the core of the platform’s security model. It extends the native HSM capabilities with specialized logic for wallet custody, policy enforcement, and direct user authentication. Unlike general-purpose applications, the Vault operates entirely within the HSM’s secure boundary, ensuring that sensitive processes never leave trusted hardware.

```mermaid
flowchart LR
    subgraph HSM["🔒 Secubit HSM"]
        V("vault")
    end

    S["☁️ <br/> Secubit <br/> Cloud Service"]

    V --- S
```

The Vault integrates several critical functions. It executes policy checking directly inside the HSM, enforcing rules such as quorum approvals, rate limits, and key usage restrictions without relying on external servers. It also provides direct PassKey authentication, allowing the HSM to verify end-to-end user signatures without exposing credentials to intermediary services. Furthermore, the Vault manages key derivation and transaction signing, ensuring that all cryptographic operations remain confined to the secure environment.

To guarantee integrity, the Vault itself is subject to a secure loading ceremony. Before the Vault is installed, the HSM verifies its signature, preventing the execution of unauthorized or tampered firmware. This process provides strong assurance that only trusted code governs key material and wallet operations.

The Vault also incorporates Merkle Tree support within the HSM. By storing only the root hash inside the device, it optimizes limited storage space while preserving full verifiability of wallet data and policies. This allows Secubit to guarantee data integrity without overloading the secure boundary with large datasets.
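
The root-hash check described above, as an added example that is not Secubit's code: the host keeps the full tree and supplies a record with its sibling path, and the device recomputes the path and compares the result with the single root it stores. SHA-256, the 0x00/0x01 leaf and node prefixes, promotion of an unpaired node, all function names and the sample records are assumptions.

```python
import hashlib
import hmac

# Assumed scheme: SHA-256, with prefixes so a node can never pass as a leaf.
def leaf_hash(record: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + record).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(records):
    """Host side (outside the HSM): every tree level, leaves first."""
    if not records:
        raise ValueError("cannot build a tree over zero records")
    levels = [[leaf_hash(r) for r in records]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # unpaired node is promoted, not duplicated
        levels.append(nxt)
    return levels

def make_proof(levels, index):
    """Host side: sibling hashes from leaf to root, each flagged left/right."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling here
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify(stored_root, record, proof):
    """Device side: needs only the 32-byte root it already holds."""
    h = leaf_hash(record)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return hmac.compare_digest(h, stored_root)

# Constructed sample records standing in for wallet policies.
RECORDS = [b"wallet-1:quorum=2of3", b"wallet-1:rate=5/day", b"wallet-2:quorum=3of5",
           b"wallet-2:rate=1/day", b"wallet-3:key-usage=sign-only"]

if __name__ == "__main__":
    levels = build_levels(RECORDS)
    root = levels[-1][0]  # the only value kept inside the device
    print(verify(root, RECORDS[4], make_proof(levels, 4)))
    print(verify(root, b"wallet-1:quorum=1of3", make_proof(levels, 0)))
```

The proof grows with the logarithm of the record count, so the device's storage cost stays at one hash however large the policy set becomes.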

As the core security component of Secubit, the Vault represents the point where cryptographic strength, hardware protections, and advanced protocols converge. It ensures that the HSM is not only a passive key container but an active enforcement engine for security, authentication, and governance.