CHTR Ceremony Console
The master key that protects every chain-signed surface — audit logs, the Lahti–Iris™ Codex, compliance attestations, IP register, per-entity action chains — is split into 5 Shamir shares held by 5 custodians. Any 3 of 5 must release their share to unseal the key for a rotation or recovery ceremony. A single compromised account or device cannot unseal the system alone.
mfa_factor: "guardianorb_biometric" on share release but does not yet sign a WebAuthn challenge; the backend stores mfa_proof_id as received without verification (Phase 1, Task #125). Until that ships, only audit_dry_run ceremonies should be exercised. A backend interlock to refuse production grants without a verified proof is on the open list — see audit_logs #24686 for the chain-stamped infrastructure-fix bundle from earlier today.
Ceremonies must be initiated by a senior officer (role ≥ 4). Each share release is locked behind GuardianOrb™ biometric MFA — phishing-resistant. Every step is signed in the Codex.
System status
My custodian status
Initiate ceremony
Officer-only (role ≥ 4). All custodians will be notified out-of-band. A 5-minute cooling-off window precedes acceptance of any share grant. Ceremonies expire after 30 minutes.
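The rules stated on this page (role ≥ 4, 5-minute cooling-off, 30-minute expiry, 3 of 5, and refusal of production grants without a verified proof) written as a single fail-closed grant check. This is an added example, not CHTR code: the record layouts, reason strings and custodian ids are assumptions, and proof_verified stands for the outcome of server-side verification of the MFA proof.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

THRESHOLD = 3                        # any 3 of 5 shares (from the page)
COOLING_OFF = timedelta(minutes=5)   # from the page
EXPIRY = timedelta(minutes=30)       # from the page
MIN_ROLE = 4                         # from the page
CUSTODIANS = {"c1", "c2", "c3", "c4", "c5"}  # constructed custodian ids

@dataclass
class Ceremony:                      # hypothetical record layout
    kind: str                        # "audit_dry_run" or e.g. "rotation"
    initiator_role: int
    started_at: datetime
    granted_by: set = field(default_factory=set)

@dataclass
class Grant:                         # hypothetical record layout
    custodian_id: str
    mfa_factor: str
    mfa_proof_id: str
    proof_verified: bool             # set only by server-side verification

def evaluate_grant(c, g, now):
    """Return (accepted, reason); every failed check refuses the grant."""
    age = now - c.started_at
    if c.initiator_role < MIN_ROLE:
        return False, "initiator_not_officer"
    if g.custodian_id not in CUSTODIANS:
        return False, "unknown_custodian"
    if age >= EXPIRY:
        return False, "ceremony_expired"
    if age < COOLING_OFF:
        return False, "cooling_off"
    if g.custodian_id in c.granted_by:
        return False, "duplicate_share"
    if g.mfa_factor != "guardianorb_biometric":
        return False, "wrong_mfa_factor"
    # Interlock: an mfa_proof_id stored as received is not a verified proof.
    if c.kind != "audit_dry_run" and not g.proof_verified:
        return False, "unverified_mfa_proof"
    c.granted_by.add(g.custodian_id)
    reached = len(c.granted_by) >= THRESHOLD
    return True, ("threshold_reached" if reached else "share_accepted")

if __name__ == "__main__":           # constructed sample data
    t0 = datetime(2025, 1, 1, 12, 0)
    g = Grant("c1", "guardianorb_biometric", "proof-placeholder", False)
    print(evaluate_grant(Ceremony("rotation", 4, t0), g, t0 + timedelta(minutes=6)))
```

Refused grants should be logged with their reason string so that repeated unverified_mfa_proof or duplicate_share attempts against a ceremony are visible in review.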