A TrustVault Account is an arrangement between a client and a service provider to send, receive and keep safe digital assets. 

When someone signs up to use TrustVault, a user account is created which stores personal information about them.  This personal information is used for contact, billing and access purposes. 

The user account also stores a unique reference to a user's instruction key.  An instruction key is a private key created and stored in a user's phone's secure enclave.
It uniquely identifies the phone to a specific account.  In other words - linking the instruction key to a user account in effect registers the device to the user. that particular phone can be used to access their account and authorise transactions - guaranteeing their authenticity and integrity. 

Once the client logs into their user account on the registered phone, they can create new key accounts. 

Creation of a key account involves generation of new private and public key pair inside hardware security modules, or HSMs. An HSM is a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto processing. Our HSM are hosted in secure data centres. We call the private key inside the HSM a transaction key.

Once a key pair is generated, a policy file is created linking the transaction key to the instruction key that was used to sign the key account creation request. Any subsequent transaction key signing instructions must be signed by the linked instruction key. As the instruction key is linked to the user account, there is now a cryptographic link between the user and the transaction key.

Once the key account is created, clients can transfer their assets to the public address associated with the transaction key's public key. To transfer assets out of the key account, instructions must be signed on the registered device with the instruction key linked to transaction key in the policy file.

If the client loses their phone, they lose their instruction key, as that key is only stored on the phone, and cannot be extracted. To recover access, the client will need to install the TrustVault app on a new phone, thereby generating a new instruction key, and then undergo a recovery procedure to update policies and register the new instruction key versus the lost one.

The recovery procedure relies on clients being able to supply the same proofs of their identity as were submitted at on-boarding and possibly a video call.

Did this answer your question?