Security & trust
Summary of crypto keys
A single page that enumerates every key the platform relies on — what it does, where it lives, and whether it is online or offline. Transparency about key custody is the whole point: you should not have to take our word for where the powerful keys are.
Update-signing keys
| Key | Custody | Purpose |
|---|---|---|
| Root | Offline, air-gapped | The anchor of update trust; names the keys allowed to act as every other role. Used only in a ceremony. |
| Targets | Offline, air-gapped | Vouches for artifacts and delegates day-to-day publishing to the online publisher role. |
| Publisher | Online | A narrow, terminating delegation that signs published artifacts. A compromise is bounded and recoverable by re-delegating from targets. |
| Snapshot | Online | Pins a consistent set of metadata versions together. |
| Timestamp | Online | Provides freshness; re-signed frequently so a frozen repository is detectable. |
The live identifiers, thresholds and expiry for all of these are visible in the Trust Center.
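The snapshot and timestamp rows above imply checks that a client runs on every refresh. The following is an added example, not the platform's own code, showing those checks in Python. The field names (`version`, `expires`, `snapshot_version`, `pins`) and all sample values are assumptions, and signature verification against the role keys is assumed to have already succeeded.

```python
from datetime import datetime, timedelta, timezone

class MetadataError(Exception):
    """A timestamp or snapshot check failed; the client keeps its old state."""

def check_timestamp(ts, trusted_version, now):
    # Freshness: an expired timestamp is how a frozen (replayed) repository shows up.
    if now >= datetime.fromisoformat(ts["expires"]):
        raise MetadataError("timestamp expired: possible freeze")
    if ts["version"] < trusted_version:
        raise MetadataError("timestamp version decreased: possible rollback")
    return ts["snapshot_version"]

def check_snapshot(snap, expected_version, trusted_pins, fetched):
    if snap["version"] != expected_version:
        raise MetadataError("snapshot is not the one timestamp points to")
    for name, pinned in snap["pins"].items():
        if pinned < trusted_pins.get(name, 0):
            raise MetadataError(f"{name} pinned below trusted version")
    # Consistency: every metadata file fetched must be the pinned version.
    for name, version in fetched.items():
        if snap["pins"].get(name) != version:
            raise MetadataError(f"{name} v{version} not pinned by snapshot")
    return dict(snap["pins"])

def refresh(ts, snap, fetched, state, now):
    snap_version = check_timestamp(ts, state["timestamp_version"], now)
    pins = check_snapshot(snap, snap_version, state["pins"], fetched)
    return {"timestamp_version": ts["version"], "pins": pins}

def verdict(ts, snap, fetched, state, now):
    try:
        refresh(ts, snap, fetched, state, now)
        return "ok"
    except MetadataError as exc:
        return str(exc)

# Constructed sample data; field names are assumptions, not the platform's format.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=2)  # the same metadata replayed two days on
STATE = {"timestamp_version": 41, "pins": {"targets": 7, "publisher": 19}}
TS = {"version": 42, "expires": "2024-01-02T00:00:00+00:00", "snapshot_version": 12}
SNAP = {"version": 12, "pins": {"targets": 7, "publisher": 20}}
FETCHED = {"targets": 7, "publisher": 20}

if __name__ == "__main__":
    print(verdict(TS, SNAP, FETCHED, STATE, NOW))    # fresh and consistent
    print(verdict(TS, SNAP, FETCHED, STATE, LATER))  # same files served after expiry
```

A failed check leaves the previously trusted state in place, so a replayed or mixed set of metadata cannot move the client backwards.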
Identity keys
| Key | Custody | Purpose |
|---|---|---|
| Device CA | Managed by the platform | Signs the per-device certificates that authenticate devices over mutual TLS. |
| Per-device key | On the device, never shared | Generated on the device at enrollment; the platform signs only its public half. Can be sealed in a TPM or secure element where available. |
| Serving certificate | On the platform | Authenticates the platform to devices and browsers. |
Evidence keys
| Key | Custody | Purpose |
|---|---|---|
| Audit-export signing key | Held by the platform | Signs exported audit logs so a third party can verify an export was not altered. The matching public key is published for verification. |
Secrets at rest
Connected-registry credentials are encrypted at rest with authenticated encryption and are never sent to devices. Account passwords are stored using a modern password-hashing scheme. Neither is a signing key; both are listed here for completeness.