Identity Creation

This page describes how GetTrusted creates identities.

Create a hardware-backed master identity that anchors all trust relationships in GetTrusted.

Overview

The identity-creation process establishes a unique, cryptographically verifiable identity on a user's device. It uses hardware-backed key generation, mnemonic recovery, one-time master-key delegation, and a master-key-based backup encryption key to ensure that no long-term secrets exist outside secure enclaves.

Process Flow

1. User Input

  • Passphrase provided by the user.

  • Two words of three letters or more each.

  • Seven letters or more, including a space, as additional entropy.

2. BIP39 Mnemonic Generation

  • Generate a 24-word mnemonic (256-bit entropy).

  • Source entropy from hardware randomness.

3. Master Key Derivation

  • Derive master key using PBKDF2-SHA512 with 100,000 iterations.

  • Inputs: mnemonic + password.

4. Key Expansion

  • Apply HKDF-SHA256 to expand derived material.

  • Output: 32-byte key.

5. Master Identity Components

  • Master Private Key: ECDSA P-256.

  • Master Public Key.

  • Fingerprint: SHA-256 of public key.

  • Backend ID: fingerprint of certificate.

6. Device Key Generation in Hardware

  • Generate P-256 keypair inside secure hardware (Secure Enclave / StrongBox / TPM).

  • Private key is hardware-only (non-exportable).

  • Public key is extractable for certificate inclusion.

7. Certificate Creation

  • Create an X.509 device certificate containing the device public key and device ID as the subject.

  • Sign the certificate with the master private key.

8. Master Key Destruction & Hardware Storage

  • CRITICAL: Destroy the master private key after use (exists only once).

  • Store device key and certificate in platform key storage (e.g., Keychain/Keystore) as a kSecClassIdentity-like entry.

  • Result: complete hardware-backed identity with certificate delegation.
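The eight steps above, worked end to end as an added example in Python with the `cryptography` library; this is not GetTrusted's own code. It assumes the mnemonic is the PBKDF2 password and the passphrase the salt (the page only says "mnemonic + password"), an HKDF info label, a reduction of the 32-byte output into the P-256 scalar range, and a software P-256 key standing in for the hardware-generated device key; the mnemonic itself is a constructed input, since the BIP39 wordlist and hardware entropy of step 2 are not reproduced here.

```python
import datetime, hashlib
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.x509.oid import NameOID

P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # group order n of P-256

def derive_master_key(mnemonic: str, passphrase: str) -> ec.EllipticCurvePrivateKey:
    # Step 3: PBKDF2-SHA512, 100,000 iterations (assumption: mnemonic as password, passphrase as salt).
    stretched = hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), passphrase.encode(), 100_000)
    # Step 4: HKDF-SHA256 expands the stretched material to a 32-byte key (info label is assumed).
    okm = HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=b"master-key").derive(stretched)
    # Step 5: use the 32 bytes as the P-256 private scalar, reduced into [1, n-1] (assumed mapping).
    return ec.derive_private_key(int.from_bytes(okm, "big") % (P256_ORDER - 1) + 1, ec.SECP256R1())

def fingerprint(pub: ec.EllipticCurvePublicKey) -> str:
    # Step 5: fingerprint = SHA-256 over the DER (SubjectPublicKeyInfo) encoding of the public key.
    der = pub.public_bytes(serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()

def issue_device_certificate(master, device_pub, device_id: str) -> x509.Certificate:
    # Step 7: X.509 certificate with the device public key and device ID as subject, signed by the master key.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_id)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, fingerprint(master.public_key()))]))
            .public_key(device_pub).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .sign(master, hashes.SHA256()))

def verify_device_certificate(cert: x509.Certificate, master_pub) -> bool:
    # A verifier holding only the master public key can check that this device was delegated by it.
    try:
        master_pub.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def create_identity(mnemonic: str, passphrase: str, device_id: str) -> dict:
    master = derive_master_key(mnemonic, passphrase)
    # Step 6 stand-in: software P-256 key; on a device it is generated inside Secure Enclave/StrongBox/TPM.
    device_key = ec.generate_private_key(ec.SECP256R1())
    cert = issue_device_certificate(master, device_key.public_key(), device_id)
    master_pub = master.public_key()
    del master  # Step 8: drop the master private key; Python cannot zeroize memory, so this only models the intent.
    return {"master_pub": master_pub, "fingerprint": fingerprint(master_pub),
            "device_key": device_key, "certificate": cert}
```

Re-running `create_identity` with the same mnemonic and passphrase reproduces the same master key and fingerprint, which is the recovery property the page relies on: the master key is reconstructed when needed and never stored.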

Cryptographic Summary

Component     Algorithm                  Key Size   Storage Location              Purpose
Mnemonic      BIP39 (256-bit entropy)               User memory / optional QR     Recovery seed
Master Key    ECDSA P-256                256 bit    Temporary memory              Signs device certificates once
Device Key    ECDSA P-256                256 bit    Secure Enclave / StrongBox    Ongoing identity operations
Encryption    AES-256-GCM                256 bit    Runtime                       Protect private data at rest/in transit

Security Guarantees

  • Master private key exists only once, then is destroyed.

  • Device private keys are hardware-bound and non-exportable.

  • Recovery is mnemonic-based, not key-based — the master key is reconstructed, never stored.

  • Certificates cryptographically prove device authority without exposing master secrets.

Strategic Implications

GetTrusted identities are born secure-by-design: there are no static credentials to steal. Hardware-backed key generation eliminates centralized trust, enabling verifiable, user-owned identity for every interaction.
