How it works
PGE splits the key across N holders such that any sufficient subset (t of N) can cooperate to release it, but fewer cannot. The key is never reassembled in one place.
- A user’s data is encrypted to PGE’s public key.
- A grantee holding a valid permission asks PGE to release a key to their own key.
- PGE checks the permission onchain, gathers a quorum of decryption shares, and returns a per-request key, re-encrypted to the grantee — scoped to the data the permission covers, not a reusable master or scope key.
- The grantee decrypts that data; PGE itself only ever handles keys, never the data.
Why it matters
- Distributed trust — the key is held as shares across multiple holders, and release requires a quorum, so trust does not rest with any single holder. Committee size, threshold, and operator diversity are part of the security model.
- Permissioned by the chain — a key is released only when an onchain permission says it should be.
- Per-request release — each release is scoped to the request, so a grantee never receives a standing key to a whole scope. This is what makes expiry and revocation enforceable at the key layer, not just in an audit log.
- Rotatable without disruption — holders can be added, removed, or refreshed, and the public key never changes, so data encrypted to it stays valid.
- Key-only — PGE operates on encryption keys, not on user data; raw data never enters it.
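To make the t-of-N property and the "refresh without changing the public key" property concrete, here is an added toy illustration (not PGE's code) of Shamir sharing over a prime field: any t shares recover the secret, fewer do not, and a proactive refresh replaces every share while the shared secret, and therefore anything derived from it such as a public key, stays the same. The field modulus and the sample secret are constructed for the example; a real deployment like the one described above combines decryption shares rather than reassembling the key, so `reconstruct` here stands in only as the verification step.

```python
import secrets

# Field modulus for the toy scheme (constructed choice: the Mersenne prime 2^127 - 1).
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients [a0, a1, ...] at x, mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret, t, n):
    """Split `secret` into n shares {index: value}; any t reconstruct it, fewer learn nothing."""
    assert 1 <= t <= n < P
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {i: _eval_poly(coeffs, i) for i in range(1, n + 1)}


def reconstruct(shares):
    """Lagrange interpolation at x=0 over a {index: value} subset of shares."""
    total = 0
    for i, yi in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = (num * (-j)) % P
                den = (den * (i - j)) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def refresh(shares, t):
    """Proactive refresh: each holder adds its share of a fresh sharing of zero.
    The secret (and so the public key) is unchanged, but old shares become useless
    and cannot be mixed with new ones to reach the threshold."""
    zero_shares = split(0, t, len(shares))
    return {i: (s + zero_shares[i]) % P for i, s in shares.items()}


if __name__ == "__main__":
    secret = 0xC0FFEE1234567890  # constructed sample key
    old = split(secret, t=3, n=5)
    new = refresh(old, t=3)
    print(reconstruct({k: old[k] for k in (1, 3, 5)}) == secret)   # True: 3 of 5 suffice
    print(reconstruct({k: old[k] for k in (2, 4)}) == secret)      # False: 2 of 5 do not
    print(reconstruct({k: new[k] for k in (2, 3, 4)}) == secret)   # True: refreshed shares still work
```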
Relationship to storage
PGE builds on the wallet-derived key model described in Storage & encryption: data is still stored encrypted and synced off-device unchanged, but the key that unlocks a scope for a grantee is released through PGE’s threshold process rather than by a single holder.
Security model
A few properties worth stating directly:
- Quorum trust — security holds as long as fewer than the threshold of holders collude; the committee’s composition and diversity are the trust anchor.
- Per-request scope — PGE governs future releases. Once a grantee has decrypted the data it received, expiry and revocation gate the next request, not data already delivered.
Status. The threshold cryptography, the onchain-permissioned key-release path, and encrypted local/committee backups are in place. A fully decentralized holder committee, holder rotation/resharing, and hardware-attested execution are in active development. Until PGE is the default, scopes are protected by the Personal Server’s key model.