# Wallet Security / 2FA

**Overview:** BONKbot's **Next-Generation Key Management System** (KMS) is a custom-built software and hardware solution designed to enhance the security of crypto transactions. It includes a Hardware Security Module (HSM) specifically tailored for this purpose.

**Hardware Components:**

* **Server Hardware:** BONKbot uses dedicated servers equipped with AMD processors and Trusted Platform Modules (TPM) Version 2.
* **Secure Boot:** Only BONKbot-signed images can be booted, ensuring that unauthorized software cannot run on the servers.
* **RAM Encryption:** RAM encryption is enabled to protect data even if hardware is compromised.

**Software Components:**

* **Custom Unikernel:** BONKbot's KMS software is built as a custom unikernel, combining the Linux kernel with the KMS application into a single, secure binary.
* **TPM-Based Security:** The TPM measures and verifies each stage of the boot process, ensuring that only authorized firmware, kernel, and application versions can access critical keys.
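The measured-boot rule above (each stage is measured into the TPM, and keys are released only to an authorized chain) is easiest to see with a small model. The following is an added example, not BONKbot's code: it simulates a single TPM 2.0 PCR and the seal/unseal policy on it, with constructed stand-in images for the firmware, unikernel and KMS application and a constructed placeholder master key.

```python
import hashlib
import hmac

# Constructed model of a TPM 2.0 PCR: a SHA-256 register that starts at zero and
# can only be changed by "extend", PCR_new = SHA256(PCR_old || measurement).
PCR_INIT = bytes(32)

# Constructed stand-ins for the three measured stages. A real boot chain measures
# the actual firmware, unikernel and application images.
FIRMWARE = b"firmware image v1"
UNIKERNEL = b"unikernel image v1"
KMS_APP = b"kms application v1"
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # placeholder, not a real key


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One TPM extend operation."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_chain(images) -> bytes:
    """Extend the PCR with the digest of each boot stage, in boot order."""
    pcr = PCR_INIT
    for image in images:
        pcr = extend(pcr, hashlib.sha256(image).digest())
    return pcr


class SimulatedTpm:
    """Toy model of PCR-policy sealing: a sealed secret is released only while the
    PCR holds exactly the value recorded when the secret was sealed."""

    def __init__(self):
        self.pcr = PCR_INIT
        self._sealed = {}  # name -> (expected_pcr, secret)

    def measure(self, image: bytes) -> None:
        self.pcr = extend(self.pcr, hashlib.sha256(image).digest())

    def seal(self, name: str, secret: bytes, expected_pcr: bytes) -> None:
        self._sealed[name] = (expected_pcr, secret)

    def unseal(self, name: str) -> bytes:
        expected, secret = self._sealed[name]
        if not hmac.compare_digest(expected, self.pcr):
            raise PermissionError("PCR policy mismatch: boot chain not authorized")
        return secret


def boot_and_unseal(images) -> bytes:
    """Provision a TPM sealed to the known-good chain, then boot `images` and try to
    release the master key. Any change in the content or order of a stage changes
    the PCR, and the unseal is refused."""
    tpm = SimulatedTpm()
    tpm.seal("kms-master-key", MASTER_KEY,
             expected_pcr=measure_chain([FIRMWARE, UNIKERNEL, KMS_APP]))
    for image in images:
        tpm.measure(image)
    return tpm.unseal("kms-master-key")


if __name__ == "__main__":
    print("good chain:", boot_and_unseal([FIRMWARE, UNIKERNEL, KMS_APP]).hex())
    try:
        boot_and_unseal([FIRMWARE, b"patched unikernel", KMS_APP])
    except PermissionError as exc:
        print("tampered chain:", exc)
```

The point the model makes is that the master key is never compared against a signature at runtime; it is simply unreachable unless every stage that ran matches the stage that was expected, in the expected order. A patched unikernel or a swapped boot order produces a different PCR and the TPM refuses the unseal.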

**Key Management:**

* **Master Key:** The KMS master key encrypts and authenticates all other keys managed by the system. It is never exposed to engineers and can only be decrypted by authorized systems.
* **Key Isolation:** The KMS application is divided into three isolated processes:
  1. **Message Bridge:** Synchronizes encrypted keys and manages communication with BONKbot's business logic.
  2. **HTTPS Client Pool:** Ensures secure communication with Telegram.
  3. **Signer:** Manages encrypted private keys and handles signature requests securely.
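The master key's job, encrypting and authenticating every other key, and the Signer's job, holding private keys only in wrapped form and unwrapping them per request, are illustrated by the added example below. It is not BONKbot's code and does not claim to be their construction: it uses only the Python standard library, so an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for an AEAD such as AES-GCM, and the `sign_with_wrapped_key` helper uses HMAC as a placeholder for the real signature scheme. The key identifier is bound as associated data so a blob cannot be relabelled as another user's key.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master_key: bytes, label: bytes) -> bytes:
    """Domain-separated subkey derived from the master key (HMAC-SHA256 as a KDF)."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC-SHA256 blocks over (nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(master_key: bytes, key_id: bytes, private_key: bytes) -> bytes:
    """Encrypt-then-MAC a private key under the master key. Output: nonce || ct || tag."""
    enc_key = _subkey(master_key, b"kms-wrap-enc")
    mac_key = _subkey(master_key, b"kms-wrap-mac")
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(private_key, _keystream(enc_key, nonce, len(private_key)))
    # key_id is authenticated but not encrypted (associated data).
    tag = hmac.new(mac_key, key_id + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_key(master_key: bytes, key_id: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only an authentic blob is ever decrypted."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("wrapped key blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key = _subkey(master_key, b"kms-wrap-enc")
    mac_key = _subkey(master_key, b"kms-wrap-mac")
    expected = hmac.new(mac_key, key_id + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrapped key failed authentication")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def sign_with_wrapped_key(master_key: bytes, key_id: bytes, blob: bytes, message: bytes) -> bytes:
    """Signer-style use: the private key exists in the clear only inside this call.
    HMAC stands in for the real signature algorithm (constructed placeholder)."""
    private_key = unwrap_key(master_key, key_id, blob)
    return hmac.new(private_key, message, hashlib.sha256).digest()


if __name__ == "__main__":
    master = hashlib.sha256(b"constructed master key").digest()
    user_key = hashlib.sha256(b"constructed user private key").digest()
    blob = wrap_key(master, b"user-1", user_key)
    print("wrapped:", blob.hex())
    print("signature:", sign_with_wrapped_key(master, b"user-1", blob, b"tx bytes").hex())
```

The Message Bridge in the page's design only ever moves blobs of the `wrap_key` shape between systems; a process holding a blob but not the master key learns nothing, and a blob whose tag fails is rejected before any decryption happens.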

**User Interaction & Security:**

* **Transaction Verification:** When a transaction signature is requested, the KMS generates a human-readable description of the transaction and sends it to the user via Telegram. The user confirms their intent by selecting a response that is securely transmitted back to the KMS.
* **Master Key Protection:** To protect against attacks, the master key is stored using a method that requires specific memory pages to be accessed in the correct order.
* **Additional Security:** Users can enable 2FA or Passkey (e.g., Face ID) for added security. These features ensure that even if a Telegram account is compromised, the user's funds remain secure.
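The transaction-verification step turns on the confirmation being bound to the exact description the user read, usable once, and not forgeable by whoever relays it. The following added example (not BONKbot's code; the field names, the approve/reject tokens and the server key are assumptions) shows one way a KMS can issue a pair of button tokens with a request, then accept the callback only if the token matches that request, that choice and that description, and only once and before expiry.

```python
import hashlib
import hmac
import secrets

APPROVE, REJECT = "approve", "reject"


def describe_transaction(tx: dict) -> str:
    """Text the user checks in the chat. Field names are constructed; a real
    description is rendered from the decoded on-chain instructions."""
    return (f"Send {tx['amount']} {tx['token']} to {tx['to']} "
            f"(max fee {tx['max_fee_sol']} SOL)")


class PendingApprovals:
    """Issue approve/reject tokens bound to one request's description and accept
    each request at most once, within a time limit."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 300):
        self._key = server_key        # assumption: a secret held only by the KMS
        self._ttl = ttl_seconds
        self._pending = {}            # request_id -> (description_digest, expires_at)

    def _token(self, request_id: str, digest: bytes, choice: str) -> str:
        msg = b"|".join([request_id.encode(), digest, choice.encode()])
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def create(self, tx: dict, now: float):
        """Return (request_id, text for the user, {choice: token} for the buttons)."""
        request_id = secrets.token_hex(8)
        text = describe_transaction(tx)
        digest = hashlib.sha256(text.encode()).digest()
        self._pending[request_id] = (digest, now + self._ttl)
        buttons = {c: self._token(request_id, digest, c) for c in (APPROVE, REJECT)}
        return request_id, text, buttons

    def resolve(self, request_id: str, choice: str, token: str, now: float) -> str:
        """Handle the button callback. Returns 'approved', 'rejected' or 'invalid';
        the signer proceeds only on 'approved'."""
        entry = self._pending.get(request_id)
        if entry is None:
            return "invalid"            # unknown id, or already consumed (replay)
        digest, expires_at = entry
        if now > expires_at:
            del self._pending[request_id]
            return "invalid"            # stale confirmation
        if choice not in (APPROVE, REJECT):
            return "invalid"
        if not hmac.compare_digest(self._token(request_id, digest, choice), token):
            return "invalid"            # forged, or a token issued for another request
        del self._pending[request_id]   # single use
        return "approved" if choice == APPROVE else "rejected"


if __name__ == "__main__":
    svc = PendingApprovals(b"constructed server key")
    tx = {"amount": "1.5", "token": "SOL", "to": "RECIPIENT_PLACEHOLDER", "max_fee_sol": "0.00001"}
    rid, text, buttons = svc.create(tx, now=1000.0)
    print(text)
    print(svc.resolve(rid, APPROVE, buttons[APPROVE], now=1001.0))   # approved
    print(svc.resolve(rid, APPROVE, buttons[APPROVE], now=1002.0))   # invalid (replay)
```

Because the description digest is part of the token, an approval collected for one transaction cannot be replayed against a different one, and because the token for "reject" differs from the token for "approve", a relay that flips the user's choice is detected rather than honoured.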

**Backup and Rollout:**

* **Private Key Backup:** Users will have the opportunity to back up their private keys. This step is essential for maintaining control over assets and is necessary for upcoming features like multiwallet support.
* **Three-Phase Rollout:**
  1. **Phase 1:** Gradual migration of user keys to the new system without any need for user intervention.
  2. **Phase 2:** Users will be prompted to back up their private keys and enable 2FA, ensuring they have secure control over their assets.
  3. **Phase 3:** Users will receive new private keys, and can choose to transfer their assets to the new key gradually or all at once.

**Conclusion:**

BONKbot's new KMS sets a new standard for security while maintaining the user-friendly experience that our users love. This is just the beginning of what BONKbot has in store, and we're excited to share more in the future!
