The Keychain Solution

The Agency Problem gives rise to a need for a new data security infrastructure that is fit-for-purpose in the most demanding, mission-critical scenarios throughout all business sectors.

The goal of Keychain is to provide companies with the tools and framework to solve the Agency Problem by taking ownership of the responsibility for data security without having to entrust it to unaccountable third parties. We do that by providing an application development framework that makes data security easy to implement and integrate with a focus on easy key management, exchange, and replacement.

Strategy

We solved the Agency Problem by providing a decentralized public-key infrastructure and data-centric security modules with which you can secure your data both at rest and in flight.

Data provenance refers to the ability to answer the following three questions about data:

  1. Who created/approved the data?

  2. Who has access to the data?

  3. Has the data been altered/tampered with?

By allowing companies to answer these questions in a self-sovereign way, they will be able to take back responsibility for the security of their data in a wide range of environment configurations, thereby solving the Agency Problem.

Given that data usage and sharing tends to span geo-political borders, data provenance is best done with a consistent security threat model and an infrastructure that is decentralized and immutable. This pairs well with the concept of blockchains, and in fact Keychain natively supports multiple common blockchains. The Keychain solution uses robust, reachable fabrics such as blockchains to store public keys for discovery and data provenance.

This approach allows developers who build applications on top of Keychain to focus on the business logic and increase productivity. The security primitives, encryption, verification of identities and credentials, etc are all done by the Keychain core at the center of Keychain-enabled apps.

Traditional Approach vs. Keychain

The difference between traditional security approaches and Keychain becomes clear when you see them side by side:

  • Traditional (Vulnerable)

  • Keychain (Secure)

# Traditional approach - keys stored in configuration
API_KEY = "sk_live_abc123def456..."  # Exposed in code/config
DATABASE_PASSWORD = "mypassword123"   # Shared secrets

# Encrypt data with shared keys
encrypted_data = encrypt_aes(user_data, API_KEY)
# Problem: Anyone with access to config can decrypt
# Keychain approach - hardware-secured identities
from keychain import Gateway, SecurityLevel, SerializedData

# Initialize secure gateway
settings = Gateway.init("/path/to/config.json")
gateway = Gateway(settings)

# Create hardware-secured identity
my_persona = gateway.create_persona("alice", "work", SecurityLevel.MEDIUM)

# Encrypt with hardware-secured keys (self-encryption)
data = SerializedData("Sensitive user data")
encrypted = my_persona.encrypt(data, [])  # Encrypt for self
# Keys never leave secure hardware, instant results!

Solving Data Provenance

Keychain enables you to answer the three critical data provenance questions with cryptographic certainty:

  • Who Created/Approved?

  • Who Has Access?

  • Has Data Been Tampered With?

#include "keychain/gateway/gateway.hpp"
#include "keychain/cache/persona.hpp"

// Sign data to prove authorship
kc::serialized_data document("Contract v2.1");
kc::verifiable_data signed_doc = my_persona.sign(document, true);

// Verify the signature (immediate verification)
bool is_valid = gateway.verify(signed_doc);
std::string signer = signed_doc.did().string();
// ✓ Instant cryptographic proof of authorship
#include "keychain/gateway/gateway.h"

// Encrypt for secure storage (self-encryption)
kc_encrypted_data_t* encrypted;
kc_gateway_encrypt(gateway, &encrypted, my_persona, cleartext,
                  NULL, 0);  // Empty recipients = encrypt for self
// Only the persona that encrypted can decrypt
# Sign and verify data integrity (single persona)
signed_data = my_persona.sign(SerializedData("Important document"))

# Later: verify integrity
try:
    is_valid = gateway.verify(signed_data)
    print("✓ Data is authentic and untampered")
except KeychainVerificationError:
    print("✗ Data has been tampered with!")