Defense in Depth

Six Layers.
No Single Weak Point.

Each layer was chosen to defeat a different attack.
Compromise one. The rest still hold.
citadelvault.org

The Stack: Bottom to Top

Get past the hardware and there's the OS. Past the OS, the application. Past the application, the cryptography. Each layer is designed to stop a different kind of threat. Defeat the encryption and the air gap still holds. Defeat the hardware and the ceremony still blocks access. There is no single path through.

6. Recovery Protocol: Open CAF spec · Bitcoin time-proof · M-Disc archival · no vendor lock-in
5. Threshold Ceremony: k-of-n Shamir on NFC smartcards · single-owner session · memory zeroed on close
4. Cryptographic Stack: Argon2id → HKDF-SHA256 → AES-256-GCM: three algorithms, three different threats
3. Audited Application: Rust · reproducible builds · symbol audit · zero network code linked in the binary
2. Hardened OS: Minimal Debian · no network stack · no Bluetooth · no SSH · read-only root
1. Air-Gapped Hardware: No network chips · no Bluetooth · no camera · signed model manifest verified at boot
Layer 1

Air-Gapped Hardware

Physical isolation is the precondition for everything above it. A compromised OS can't steal what it can't touch. No reach, no attack.

  • No network chips soldered to the board: not disabled in software, physically absent
  • No WiFi, no Bluetooth, no LTE, no Ethernet controller
  • No camera, no microphone: no optical or acoustic side-channel
  • USB-A ports only, for the Vault Drive and the keyboard. A USB wireless adapter would need a kernel driver, and the OS image ships none. USB is the one physical input that remains, so anything plugged into it sits inside the trust boundary.
  • Signed model manifest checked at boot: a board that does not match the manifest is detected before the OS loads

Air gap is not a setting. It is physics.

What this defeats: Remote code execution · Wireless exfiltration · Network-side supply chain attacks · Acoustic side-channels
Layer 2

Hardened OS

Air-gapped hardware is necessary, not sufficient. A bloated OS carries services, daemons, and writable locations an attacker could corrupt or hide in. Hardening means removing everything that isn't Vault OS: no browser, no mail client, nothing else to compromise.

  • Read-only root filesystem: nothing is written to disk at runtime, so malware that lands has no on-disk persistence vector.
  • No SSH daemon, no cron, no print spooler (CUPS), no Avahi. Nothing listening on any socket.
  • No Bluetooth stack compiled in: not just disabled, not present in the image
  • No network interfaces configured: the kernel has no IP stack to route through
  • Minimal Debian base: only the packages required to run Vault OS. Fewer packages means fewer places to hide.
  • Overlayfs for transient state: anything written during a session lands in a throwaway layer and disappears on reboot

A service that doesn't run can't be exploited. A filesystem that can't be written to can't be infected.

What this defeats: Persistent malware · Privilege escalation via daemons · Local socket attacks · Bluetooth stack exploits
Layer 3

Audited Application

Before the application touches cryptographic material, three decisions have to be right: what language it's written in, whether the binary can be independently verified, and whether network calls are structurally impossible. Get any one wrong and you've left a gap in the perimeter.

  • Rust throughout: safe Rust rules out buffer overflows (every slice access is bounds-checked), use-after-free (the borrow checker) and null pointer dereferences (no null; absence is an explicit Option). Those exploit classes cannot arise outside `unsafe` blocks, so any `unsafe` in the code or its dependencies is exactly where an audit has to look.
  • Reproducible builds: any third party can compile from source and verify the shipped binary matches bit for bit. Nothing hidden in the distribution pipeline.
  • Symbol audit: the compiled binary contains zero dynamic symbols from networking libraries. It doesn't refuse to connect. It has no code path that leads there. (A check that stops at the dynamic symbol table misses statically linked code, so the audit has to cover the static symbol table as well.)
  • Dependency supply chain: all Rust crates are pinned and audited. No surprise transitive dependency pulling in a network stack.

Network calls aren't blocked at runtime. They can't be compiled in. The program was never written to make that call — there's no call to intercept.

What this defeats: Memory corruption exploits · Tampered binary distribution · Hidden network calls · Malicious transitive dependencies
Layer 4

Cryptographic Stack

Input: Vault Master Passphrase

Step 1, KDF: Argon2id. Memory-hard: each guess requires a full pass through a fixed block of RAM, with no shortcut that trades memory for time.

Step 2, Key Split: HKDF-SHA256. Derives two subkeys under distinct labels from one master key. Each is a separate pseudorandom output; learning one reveals nothing about the other.

Step 3, Seal: AES-256-GCM. Encrypts and authenticates. Any modification (even one bit) is detected on read.

Output: Encrypted Vault Block

65 MB RAM per guess. A GPU that can run thousands of hashes in parallel cannot hold more than a few hundred 65 MB working sets at once, so its throughput is capped by memory, not by cores. An attacker running full clusters would still be guessing long after the hardware running it is a museum piece.

Two keys derived under separate labels. A flaw in how one key is used tells an attacker nothing about the other.

Encryption is the lock. Authentication is the seal. A lock keeps people out; a seal tells you someone was already in. One tampered bit and the vault won't open. The one rule GCM adds: a nonce is never reused under the same key, because a repeat breaks both the lock and the seal.

What this defeats: Password brute force · GPU dictionary attacks · Key reuse cascade · Silent ciphertext tampering
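Step 2 of the stack is the easiest part of this pipeline to get subtly wrong (reusing one key for two purposes, or expanding with no domain-separation label). The following is an added example, not CitadelVault's code: an RFC 5869 HKDF-SHA256 written against Python's standard library, checked against the RFC's first test vector, then used to derive two purpose-labelled 256-bit subkeys from one master key. The label strings and the `derive_vault_keys` function are assumptions for illustration; the page does not publish the product's labels. Argon2id (Step 1) and AES-256-GCM (Step 3) are not in the standard library and are left to a vetted library.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM).
    An absent salt is replaced by HASH_LEN zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i).
    `info` is the domain-separation label; different labels give unrelated outputs."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("HKDF-Expand length must be 1..%d bytes" % (255 * HASH_LEN))
    okm, block = b"", b""
    for counter in range(1, (length + HASH_LEN - 1) // HASH_LEN + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Hypothetical purpose labels (assumption: the page does not publish the real ones).
# Labels must differ per purpose so no two subkeys can ever be the same bytes.
KEY_LABELS = {
    "block_key": b"citadelvault/v1/aes-256-gcm/vault-block",
    "index_key": b"citadelvault/v1/aes-256-gcm/vault-index",
}


def derive_vault_keys(master_key: bytes, salt: bytes) -> dict:
    """Split one KDF output (Step 1) into independent 256-bit subkeys.
    Extract once, then expand once per label: each subkey is a separate PRF
    output of the same PRK, so one leaking says nothing about the other."""
    if len(master_key) < 32:
        raise ValueError("master key must be at least 256 bits")
    prk = hkdf_extract(salt, master_key)
    return {name: hkdf_expand(prk, label, 32) for name, label in KEY_LABELS.items()}


def rfc5869_test_case_1() -> bool:
    """Self-check against RFC 5869 Appendix A, test case 1."""
    ikm = b"\x0b" * 22
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )
    return hkdf_sha256(ikm, salt, info, 42) == expected


if __name__ == "__main__":
    assert rfc5869_test_case_1()
    # Constructed input: a fixed 32-byte "master key" standing in for Argon2id output.
    keys = derive_vault_keys(b"\x42" * 32, b"constructed-salt")
    for name, key in keys.items():
        print(name, key.hex())
```

The self-check matters: an HKDF that passes the RFC vector is using the right extract-then-expand shape and the right counter byte, which are the two places hand-rolled versions drift. In the real stack the `master_key` argument is the Argon2id output, never the passphrase itself.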
Layer 5

Threshold Ceremony

Holding the Vault Drive gets you nothing. Think of a safe-deposit box that requires two keys held by two different people — neither one can open it alone. The vault works the same way. The drive is encrypted with a passphrase split across Vault Cards. A "ceremony" here means a required gathering: the right people, the right cards, the same room. Without that quorum, the vault cannot be opened.

  • Shamir's Secret Sharing: the passphrase is mathematically split across Vault Cards. Below the threshold, a card doesn't just resist attack, it reveals nothing. Mathematically nothing. Not "hard to extract." Zero.
  • Standard 2-of-3 setup; 3-of-5 available. Six cards ship per kit: two per shard position, so a lost card has a backup. Two copies of the same shard count as one share; the quorum needs cards from different positions.
  • EAL6+ secure elements: the same evaluation level as biometric passports and banking chips. Cards self-wipe after repeated failed PIN attempts.
  • Single-owner session: Vault OS runs one reconstruction ceremony at a time, with no concurrent sessions possible.
  • Memory zeroed on session close: the reconstructed passphrase is actively overwritten before the session ends, so the window for a cold-boot read is the ceremony itself, not the hours after it.

Your heir must bring the right people together, in person. A vault that one person can open alone is a vault that one person can be forced to open — under pressure, or in grief.

Example quorum (2-of-3): Spouse holds Card 1, Attorney holds Card 2, Adult Child holds Card 3.
What this defeats: Single-point compromise · Physical coercion of one holder · Cold-boot RAM attacks · Brute-force card PIN
Layer 6

Recovery Protocol

The top layer isn't about cryptography. It protects against vendor shutdown, media failure, and any attempt to force the vault open before its time — whether through a court order or physical coercion. A vault that stops working when we do isn't really yours.

You're not trusting us to stay in business. You're trusting math that has been public for decades.

  • Open CAF format: published specification. Any developer can write a compatible reader independently. The vault does not depend on CitadelVault remaining in business.
  • Bitcoin block-height timelock: the heir presents block headers from a microSD. The vault checks that each header carries valid proof of work and links to the one before it, then counts the blocks mined since the vault was sealed. No vendor, no notary, no server enforces the waiting period. Bitcoin's proof of work is the clock, and the only way to fake elapsed time is to do the mining work yourself.
  • M-Disc archival: 1,000-year rated optical media. Outlasts USB drives, consumer SSDs, and magnetic storage in a drawer.
  • 3-3-3 backup standard: three copies across three media types, all air-gapped. Losing any single item leaves recovery intact.
  • Every cryptographic primitive is public domain, independently implemented in dozens of open-source libraries. Decades of public scrutiny. No practical break is known. Nothing proprietary.
What this defeats: Vendor lock-in · Media failure · Premature forced access · Company failure · Single copy loss
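The timelock deserves to be seen as code, because the strength of "proof of work is the clock" depends entirely on what the verifier checks. The following is an added example, not CitadelVault's verifier: a Python standard-library routine that parses 80-byte Bitcoin block headers, decodes the compact nBits target, confirms the proof of work and the prev-hash linkage, and counts blocks past a checkpoint. The two embedded headers are the real mainnet genesis block and block 1, included so the example runs offline. The checkpoint-at-sealing rule and the `timelock_elapsed` function are assumptions about how such a timelock would be wired up.

```python
import hashlib
import struct

# Real Bitcoin mainnet headers (80 bytes each): genesis and block 1.
GENESIS_HEADER = bytes.fromhex(
    "01000000" "0000000000000000000000000000000000000000000000000000000000000000"
    "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    "29ab5f49" "ffff001d" "1dac2b7c"
)
BLOCK1_HEADER = bytes.fromhex(
    "01000000" "6fe28c0ab6f1b372c1a6a246ae63f74f931e8365e15a089c68d6190000000000"
    "982051fd1e4ba744bbbe680e1fee14677ba1a3c3540bf7b1cdb606e857233e0e"
    "61bc6649" "ffff001d" "01e36299"
)

# Bitcoin's proof-of-work limit (nBits 0x1d00ffff). No header may be easier than this;
# a real verifier pins this to the difficulty in force when the vault was sealed.
POW_LIMIT_BITS = 0x1D00FFFF


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def parse_header(raw: bytes) -> dict:
    """Unpack the six fixed fields; hashes are stored little-endian, shown big-endian."""
    if len(raw) != 80:
        raise ValueError("block header must be exactly 80 bytes")
    version, prev, merkle, timestamp, bits, nonce = struct.unpack("<I32s32sIII", raw)
    return {
        "version": version,
        "prev_hash": prev[::-1].hex(),
        "merkle_root": merkle[::-1].hex(),
        "time": timestamp,
        "bits": bits,
        "nonce": nonce,
        "hash": dsha256(raw)[::-1].hex(),
    }


def bits_to_target(bits: int) -> int:
    """Decode compact nBits: mantissa * 256^(exponent - 3)."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if bits & 0x00800000:
        raise ValueError("negative target")
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def meets_proof_of_work(raw: bytes, pow_limit_bits: int = POW_LIMIT_BITS) -> bool:
    """The header hash, read as a little-endian integer, must not exceed the target the
    header declares, and that declared target must not be easier than the limit."""
    bits = struct.unpack_from("<I", raw, 72)[0]
    target = bits_to_target(bits)
    if target > bits_to_target(pow_limit_bits):
        return False
    return int.from_bytes(dsha256(raw), "little") <= target


def verify_header_chain(headers: list, checkpoint_hash: str) -> bool:
    """Every header carries valid work and links to its predecessor, and the first
    one is the checkpoint the vault recorded at sealing time (assumed rule)."""
    if not headers or parse_header(headers[0])["hash"] != checkpoint_hash:
        return False
    prev_hash = None
    for raw in headers:
        h = parse_header(raw)
        if not meets_proof_of_work(raw):
            return False
        if prev_hash is not None and h["prev_hash"] != prev_hash:
            return False
        prev_hash = h["hash"]
    return True


def timelock_elapsed(headers: list, checkpoint_hash: str, wait_blocks: int) -> bool:
    """Assumed timelock rule: at least `wait_blocks` valid headers extend the checkpoint.
    The work behind those headers is the clock; nobody's word is trusted."""
    return verify_header_chain(headers, checkpoint_hash) and len(headers) - 1 >= wait_blocks


if __name__ == "__main__":
    sealed_at = parse_header(GENESIS_HEADER)["hash"]
    print(timelock_elapsed([GENESIS_HEADER, BLOCK1_HEADER], sealed_at, 1))  # True
    print(timelock_elapsed([GENESIS_HEADER, BLOCK1_HEADER], sealed_at, 2))  # False
```

The one check a production verifier must add is Bitcoin's difficulty schedule. Enforcing only the proof-of-work limit, as this example does because the 2009 headers were mined at it, would let an attacker today mine a chain of minimum-difficulty headers (about 2^32 hashes each, seconds on commodity hardware) and present it as months of elapsed time. Pinning `pow_limit_bits` to the difficulty in force at sealing, or applying the 2016-block retarget rule, makes forging elapsed time cost real mining.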
Early Bird: 21 Units Only
$2,395
Regular price $2,995
Pre-sale opens May 12

No subscription, no telemetry, no cloud dependency — just math that doesn't expire.


Six layers. One design principle.

  • Layer 1: no network chips. No remote access. The attack surface is gone before the OS boots.
  • Layer 2: read-only root. Malware that lands doesn't survive a reboot.
  • Layer 3: safe Rust rules out memory corruption outside `unsafe`. Zero network symbols in the binary.
  • Layer 4: 65 MB RAM per guess. Two independent keys. Every byte authenticated.
  • Layer 5: below the threshold, a card reveals nothing. Not hard to crack — mathematically impossible.
  • Layer 6: open spec. M-Disc outlasts any USB drive. The timelock runs on Bitcoin, not on us.

Your instructions are sealed inside. When you're gone, your family will know exactly what to do.