Multi-Party Escrow
Share encrypted containers with granular per-layer access control.
0nVault multi-party escrow uses X25519 Elliptic Curve Diffie-Hellman key agreement to enable up to 8 parties to share a single encrypted container. Each party receives access only to the layers they need, with cryptographic enforcement.
Escrow Features
Per-Layer Access Matrix
Define exactly which layers each party can decrypt. A DevOps team member might access env_vars and site_profiles but not credentials or the AI brain.
Key Agreement Without Key Sharing
X25519 ECDH derives shared secrets between party pairs without ever transmitting private keys. Each party generates their own keypair.
Revocable Access
Re-key individual layers to revoke access for specific parties without affecting other participants. The container is re-sealed with updated access controls.
Audit Visibility
The audit trail layer can be made visible to all parties regardless of other access controls, ensuring transparency and compliance.
Access Matrix Example
| Party | Workflows | Creds | Env | MCP | Sites | AI | Audit |
|---|---|---|---|---|---|---|---|
| Owner | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| DevOps | ✕ | ✕ | ✓ | ✓ | ✓ | ✕ | ✓ |
| AI Platform | ✓ | ✕ | ✕ | ✓ | ✕ | ✓ | ✓ |
| Auditor | ✕ | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ |
Each party can only decrypt the layers marked with a checkmark. Access is enforced cryptographically -- unauthorized layers are indecipherable.
Frequently Asked Questions
How does multi-party escrow work?
Each party generates an X25519 keypair. When creating a shared container, the owner performs ECDH key agreement with each party's public key to derive unique shared secrets. These secrets encrypt per-layer keys, so each party can only decrypt the layers they're authorized for.
What is the maximum number of parties?
Up to 8 parties can share a single .0nv container. This limit balances security (minimizing key material in the container) with practical team collaboration needs.
Can I revoke a party's access?
Yes. Re-key the affected layers with new AES-256-GCM keys and re-perform ECDH key agreement with the remaining authorized parties. The revoked party's derived keys will no longer decrypt the updated layers.
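The per-layer key wrapping and the re-key revocation described in the two answers above, as an added Node.js example that is not 0nVault's own code. It assumes HKDF-SHA256 as the key-derivation step and a nonce || tag || ciphertext blob layout, neither of which the page specifies; all function names and the sample layer contents are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Hypothetical helper; assumed KDF (page names none): HKDF-SHA256 over the X25519 secret.
function wrapKey(myPriv, theirPub, layer) {
  const shared = crypto.diffieHellman({ privateKey: myPriv, publicKey: theirPub });
  return Buffer.from(crypto.hkdfSync("sha256", shared, Buffer.alloc(0), `wrap:${layer}`, 32));
}

// AES-256-GCM with a random 96-bit nonce; blob layout is nonce || tag || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, nonce).setAAD(Buffer.from(aad));
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}
function open(key, blob, aad) {
  if (!blob || blob.length < 28) throw new Error("no grant or truncated blob");
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad)).setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // final() throws on a bad tag
}

// Encrypt one layer under a fresh layer key, then wrap that key once per granted party.
function sealLayer(ownerPriv, layer, data, grantees) {
  const layerKey = crypto.randomBytes(32);
  const wrapped = new Map();
  for (const [id, pub] of Object.entries(grantees)) {
    wrapped.set(id, seal(wrapKey(ownerPriv, pub, layer), layerKey, `${layer}/${id}`));
  }
  return { data: seal(layerKey, data, layer), wrapped };
}

// A party unwraps the layer key with its own private key and the owner's public key.
function openLayer(partyPriv, ownerPub, id, layer, sealed) {
  const kek = wrapKey(partyPriv, ownerPub, layer);
  const layerKey = open(kek, sealed.wrapped.get(id), `${layer}/${id}`);
  return open(layerKey, sealed.data, layer);
}

// Constructed scenario: DevOps is granted env_vars, then revoked by re-keying the layer.
function demo() {
  const [owner, devops] = [0, 1].map(() => crypto.generateKeyPairSync("x25519"));
  const read = (c) => openLayer(devops.privateKey, owner.publicKey, "devops", "env_vars", c).toString();
  const v1 = sealLayer(owner.privateKey, "env_vars", Buffer.from("REGION=eu"), { devops: devops.publicKey });
  const v2 = sealLayer(owner.privateKey, "env_vars", Buffer.from("REGION=us"), {}); // re-keyed, no DevOps grant
  v2.wrapped.set("devops", v1.wrapped.get("devops")); // revoked party replays its old wrapped key
  let after = "denied";
  try { after = read(v2); } catch { /* old layer key fails the GCM tag check */ }
  return { before: read(v1), after };
}
```

In this sketch both sides use static X25519 keys, so a party's wrapping key is the same before and after a re-key; revocation rests entirely on the fresh layer key, and a copy of the container taken before the re-key remains readable to the revoked party.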
Is the escrow protocol auditable?
Yes. All escrow operations are logged in the audit trail layer. Access grants, revocations, key rotations, and container opens are recorded with timestamps and party identifiers.