Technical Breakdown
A deeper dive into the underlying technology.
This page is a high-level summary; the full article covers the details.
Key Security Features:
Secure Boot Process: Only pre-authorized firmware, kernel, and application versions can access the identity key controlled by the TPM.
Unikernel Approach: BONKbot's KMS uses a custom, minimal Linux kernel combined with the KMS application to reduce the attack surface.
Remote Attestation: The TPM verifies that only authorized KMS applications are running in a secure state.
Encrypted Master Key: The KMS master key is encrypted and can only be decrypted by authorized systems using their identity key.
Process Isolation: The central Signer process has no direct network access and only communicates via the Message Bridge, minimizing attack vectors.
Ephemeral Key Handling: User private keys are decrypted only in memory for the duration of the signature calculation, reducing the exposure to memory-based attacks.
2FA Protection: Sensitive actions such as private key exports and withdrawals are further secured by 2FA.
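
The Secure Boot Process and Remote Attestation items both rest on a measured boot chain: each stage is hashed into a TPM register, and the identity key is released only when the register matches an authorized value. The following is an added example, not BONKbot's code; it is a simplified software model that assumes a single SHA-256 register, and the stage names, `SealedKey` and `boot_releases_key` are hypothetical.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one SHA-256 register (assumption; real TPMs expose several)

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(stages: list[bytes]) -> bytes:
    """Fold every boot stage, in order, into a register that starts at zero."""
    pcr = bytes(PCR_SIZE)
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr

class SealedKey:
    """Toy model of an identity key bound to one authorized register value."""
    def __init__(self, secret: bytes, authorized_pcr: bytes):
        self._secret = secret
        self._authorized = authorized_pcr

    def unseal(self, current_pcr: bytes) -> bytes:
        # Constant-time compare; any change to any stage alters the register.
        if not hmac.compare_digest(current_pcr, self._authorized):
            raise PermissionError("boot chain does not match authorized state")
        return self._secret

# Constructed sample images standing in for firmware, kernel and KMS app.
AUTHORIZED_STAGES = [b"firmware-v1", b"kernel-v1", b"kms-app-v1"]
IDENTITY_KEY = SealedKey(b"constructed-identity-key",
                         measure_boot(AUTHORIZED_STAGES))

def boot_releases_key(stages: list[bytes]) -> bool:
    """Return True only if this boot chain is allowed to use the key."""
    try:
        IDENTITY_KEY.unseal(measure_boot(stages))
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    tampered = [b"firmware-v1", b"kernel-v1-patched", b"kms-app-v1"]
    print("authorized chain:", boot_releases_key(AUTHORIZED_STAGES))
    print("modified kernel: ", boot_releases_key(tampered))
```

Because each extend hashes the previous register value, a change in an early stage cannot be undone by a later one, and reordering the stages also produces a different final value.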