Skip to content
FedTrustFederated TrustDocs

Enter at least two characters.

Type to search all documentation pages and sections. Use ↑ ↓ to move, Enter to open, and Esc to close.

Platform statuses are part of the claim

Secrets and custody

Protect business secrets without confusing them with sign-in passwords.

Federated Trust Vault is a planned, separately deployable service—not a generally available offering today. Its contracts keep recoverable secrets distinct from authentication passwords and make custody, recovery, and deployment responsibility explicit.

Businesses04 chapters
01

Planned payload protection and versioning

The target Federated Trust Vault payload suite is AES-256-GCM in versioned encryption envelopes. Deployment documentation must identify the active suite and its evidence before describing that control as implemented.

Authenticated encryption

AES-GCM protects confidentiality and detects unauthorized changes when nonces, keys, and associated data are handled correctly.

Keys are separate authority

Ciphertext storage, encryption-key custody, and authorization are separate responsibilities; possession of one should not imply the others.

No universal key target

The target architecture avoids a single provider-wide decryption key across unrelated organizations.

Federated Trust Vault target payload suite

Federated Trust Vault is not generally available. Its planned payload suite is AES-256-GCM in versioned envelopes, subject to deployment and cryptographic evidence.

NIST SP 800-38D

Governing reference for Galois/Counter Mode authenticated encryption. Reference use does not assert FIPS module validation.

02

Organization visibility requires an encryption custody policy

If a business must recover credentials created by an employee, that item must be stored as business-owned encrypted material and wrapped to an approved organization custodian or recovery quorum.

Disclose the boundary

People should be told when an organizational vault is recoverable by authorized business custodians.

Separate personal vaults

Personal material should remain outside organization recovery unless the owner makes a distinct, informed grant.

Support is delegated

A partner can assist only when the tenant grants a scoped recovery role, key recipient, or quorum share under the applicable profile.

Organization custody and quorum recovery

Explicit organization-custodian and multi-party recovery workflows are planned. They never turn an authentication password into recoverable data.

03

Pepper protects a verifier; it does not reveal a password

One-way authentication

A password verifier is designed to confirm a password without storing a recoverable copy of that password.

Pepper is defensive input

A separately held pepper can make stolen verifier data harder to attack, but losing or rotating it can require users to reset passwords.

Custody follows the authentication realm

The Federated Trust operator controls the versioned pepper for a Federated Trust-hosted sign-in realm. A business operating an isolated tenant-local or sovereign realm controls that realm’s separate pepper and reset plan.

Vault encryption is the business feature

Recoverable shared passwords belong in encrypted vault items governed by organization custody and access policy.

Organization custody and quorum recovery

Explicit organization-custodian and multi-party recovery workflows are planned. They never turn an authentication password into recoverable data.

NIST SP 800-63-4

Governing reference for risk-based identity proofing, authentication, federation, privacy, and lifecycle decisions. Assurance outcomes are service-specific.

04

Post-quantum readiness is a migration program

The crypto-agility plan targets hybrid recipient envelopes and selected durable signatures. It does not describe today’s symmetric encryption as post-quantum public-key encryption.

Key establishment

ML-KEM is planned for post-quantum key establishment after implementation and interoperability validation.

Durable signatures

ML-DSA and SLH-DSA are planned candidates for long-lived manifests, key-directory material, and audit checkpoints where appropriate.

Algorithm agility

Envelope records need explicit suite, key, and version identifiers so recipients can migrate and reject downgrade attempts.