engineering, security · 19 Mar 2026

Inside ORBTR's Three-Tier Key Hierarchy

By ORBTR Team

Why key hierarchy matters

In a zero-trust system, every action needs to be cryptographically verified. But who verifies the verifiers? ORBTR uses a three-tier Ed25519 key hierarchy that separates concerns and limits blast radius if any single key is compromised.

The three tiers

Platform Root (PR)

The Platform Root is HSM-backed and signs Tenant Root certificates, Root Descriptors, TUF metadata, and Seed Manifests. It can also issue emergency policy overrides. On Enterprise plans, multiple compliance-segmented PRs (HIPAA, FedRAMP, IRAP, PCI) allow different regulatory frameworks to have independent trust chains.

Tenant Root (TR)

Each tenant gets its own Tenant Root key. The TR signs policies, job manifests, and co-signs the Root Descriptor alongside the PR. This dual-signature requirement means that compromising either key alone is insufficient to issue valid artifacts to agents. Tenants can export their TR for sovereignty purposes.

Agent Key

Each device generates a unique Ed25519 key pair during enrollment. The private key never leaves the device — it's stored in the OS keychain (DPAPI on Windows, Keychain on macOS, encrypted store on Linux). Agent keys sign heartbeats, mesh sessions, and DDNS updates.

Dual-signed Root Descriptors

The Root Descriptor (RD) is the trust anchor that agents use to verify everything else. It contains the OR public key, PR certificate, and TR certificate. Both the TR and PR must sign the RD — this dual-validity requirement is the foundation of the zero-trust model.

Agents verify the RD on enrollment and refresh it periodically. Epoch-based anti-rollback prevents downgrade attacks, and rate limiting on the agent side detects key compromise patterns.
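The two checks described above, dual signature and epoch anti-rollback, as an added example (not ORBTR's own code; the RD field layout, the canonical signing bytes of big-endian epoch followed by payload, and the keys are all assumed or constructed here):

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// RootDescriptor is a simplified stand-in for ORBTR's RD (field layout assumed).
type RootDescriptor struct {
	Epoch   uint64 // monotonic counter the agent uses for anti-rollback
	Payload []byte // OR public key, PR certificate, TR certificate (opaque bytes here)
	PRSig   []byte // Platform Root signature
	TRSig   []byte // Tenant Root signature
}

var ErrMissingSignature = errors.New("rd: valid PR and TR signatures are both required")
var ErrRollback = errors.New("rd: epoch is older than the last accepted epoch")

// signingBytes is the canonical message both roots sign: big-endian epoch || payload.
func (rd *RootDescriptor) signingBytes() []byte {
	buf := make([]byte, 8, 8+len(rd.Payload))
	binary.BigEndian.PutUint64(buf, rd.Epoch)
	return append(buf, rd.Payload...)
}

func DualSign(rd *RootDescriptor, prPriv, trPriv ed25519.PrivateKey) {
	msg := rd.signingBytes()
	rd.PRSig, rd.TRSig = ed25519.Sign(prPriv, msg), ed25519.Sign(trPriv, msg)
}

// VerifyRD accepts the descriptor only if both roots signed it and the epoch did not go backwards.
func VerifyRD(rd *RootDescriptor, prPub, trPub ed25519.PublicKey, lastEpoch uint64) error {
	if rd.Epoch < lastEpoch {
		return ErrRollback // checked first: a downgrade is rejected even when correctly signed
	}
	msg := rd.signingBytes()
	if !ed25519.Verify(prPub, msg, rd.PRSig) || !ed25519.Verify(trPub, msg, rd.TRSig) {
		return ErrMissingSignature
	}
	return nil
}

func main() {
	prPub, prPriv, _ := ed25519.GenerateKey(nil) // constructed keys, not ORBTR's
	trPub, trPriv, _ := ed25519.GenerateKey(nil)
	rd := &RootDescriptor{Epoch: 7, Payload: []byte("constructed RD payload")}
	DualSign(rd, prPriv, trPriv)
	fmt.Println(VerifyRD(rd, prPub, trPub, 7)) // <nil>
}
```

A descriptor carrying only one valid root signature, or an epoch below the last accepted one, is rejected before any of its contents are trusted.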
