Bunker FAQs

What type of cryptography does Bunker use, layer by layer?

Bunker applies encryption at four layers:

Layer Encryption Used
Backup received from Fireblocks RSA PKCS1 OAEP (Fireblocks-specified ciphersuite)
Cloud encryption via AWS KMS AES-256-GCM (KMS's symmetric ciphersuite)
Operator YubiHSMs Hybrid Public Key Encryption — P256_HKDF-SHA256-AES-GCM-128, using the YubiHSM's ECDH derive over the P256 curve
Customer YubiKeys Hybrid Public Key Encryption — P256_HKDF-SHA256-AES-GCM-128 (same as YubiHSMs)

How does Station70 secure backup packages so no internal employee or outsider can access my secrets?

Station70 uses 3-of-3 encryption: the encryption key is split into shards that each live in a separate environment, including a shard held by your own customer quorum via hardware devices. No single party — internal or external — ever holds enough of the key on its own to access a backup package.

What is White Glove Onboarding?

A comprehensive assessment of your organization's existing disaster recovery operations, paired with a tailored recommendation and implementation plan onto the Station70 platform.

What's included in the insurance?

Station70 holds its own insurance policy covering negligence, misuse, or unavailability of your backup keys. Clients can also purchase additional coverage under their own name through our preferred insurance brokers.

What is a Failover Wallet?

In the event of a disaster, the Failover mechanism lets you hydrate new wallets or workspaces using your existing keys — removing the need to expose private keys through a traditional recovery process. (See also: What is SWAT?, which covers Station70's related Standby Wallet transfer feature.)