Trustity Vault: Advanced Key Management with Shamir's Secret Sharing (SSS)
How we split encryption keys to ensure mathematically proven Zero-Knowledge security.
Overview
In the modern enterprise environment, a single point of failure in cryptographic key management is an unacceptable risk. Storing a master encryption key in a single location—whether in the cloud or on-premise—creates a high-value target for attackers.
To eliminate this risk, the Trustity Vault employs Shamir's Secret Sharing (SSS), a robust cryptographic algorithm formulated by Adi Shamir. Instead of storing the master key as a whole, Trustity mathematically divides the key into multiple independent fragments (shares).
How The Trustity Vault Splits the Key
When a new secure vault is initialized, the master encryption key is generated in memory and immediately split into 3 distinct shares ($n=3$).
To ensure maximum security and adherence to Zero Trust principles, these shares are distributed across isolated environments:
- The Cloud Brain: One encrypted share is stored securely within the Trustity Cloud infrastructure.
- The Local Enforcer (TAO Agent): A second share is maintained locally within the organization's hardened environment.
- The Organizational Master (Admin/KMS): The third share is provided to the enterprise administrators or integrated into the organization's existing Key Management Service.
Crucially, no single environment ever holds the complete key. If an attacker manages to compromise one of the environments (for example, a server hosting the TAO Agent), the fragment they obtain is completely useless on its own.
The Cryptographic Mechanism (Under the Hood)
Shamir's Secret Sharing is not simply cutting a password into three pieces; it relies on polynomial interpolation over a finite field.
The algorithm requires a defined threshold ($k$) of shares to reconstruct the original secret. Trustity defines a polynomial $f(x)$ of degree $k-1$.
The mathematical representation of this polynomial is:
$$f(x) = a_0 + a_1x + a_2x^2 + \dots + a_{k-1}x^{k-1} \pmod p$$
- The secret master key is placed at the constant term, $a_0$ (meaning $f(0) = a_0$).
- The remaining coefficients ($a_1, a_2, \dots$) are generated completely at random.
- The 3 shares distributed to the different environments are simply points on this polynomial curve (e.g., $(1, f(1))$, $(2, f(2))$, $(3, f(3))$).
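Because the remaining coefficients are chosen uniformly at random and all arithmetic is performed modulo $p$, holding fewer than $k$ shares gives an attacker zero information about the original key $a_0$. Every possible value of the secret is equally consistent with the shares they hold, so below the required threshold of points the shares offer no advantage over guessing blindly.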
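The split and the reconstruction described above, as an added example (not Trustity's code). The threshold $k=2$ used in the demonstration, the prime $p = 2^{521}-1$ and all function names are assumptions, since the page does not state them. `consistent_share` shows why one share alone reveals nothing: for any candidate secret there is a second point that fits.

```python
import secrets

# Assumed field modulus: the Mersenne prime 2**521 - 1 (large enough for a 256-bit key).
P = 2**521 - 1

def split(secret, k, n=3, p=P):
    """Return n points (x, f(x)) on a random degree k-1 polynomial with f(0) = secret."""
    if not (1 < k <= n and 0 <= secret < p):
        raise ValueError("need 1 < k <= n and 0 <= secret < p")
    # a_0 is the secret; a_1..a_{k-1} come from the OS CSPRNG.
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]

    def f(x):
        acc = 0
        for a in reversed(coeffs):  # Horner's rule, reduced mod p at each step
            acc = (acc * x + a) % p
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]

def reconstruct(shares, p=P):
    """Lagrange-interpolate f(0) from the given points."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate x-coordinates")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        # Modular inverse replaces division in the finite field.
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret

def consistent_share(known, candidate, x, p=P):
    """k=2 only: the point at x that makes `candidate` the secret, given one known share."""
    x1, y1 = known
    a1 = (y1 - candidate) * pow(x1, -1, p) % p  # slope of the line through (0, candidate) and known
    return (x, (candidate + a1 * x) % p)
```

`reconstruct` cannot tell whether it was given enough shares: with fewer than $k$ points it returns a wrong value rather than an error, so the recovered key needs a separate integrity check before use.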
Key Benefits for the Enterprise
- Zero Knowledge: Trustity Cloud cannot decrypt your organization's sensitive data unilaterally, as it holds only one share of the key.
- Resilience Against Breaches: A compromise of a single server, database, or agent does not result in a data breach.
- Compliance Ready: Fulfills strict regulatory requirements (SOC2, ISO 27001, GDPR) by demonstrating advanced cryptographic segregation of duties.