# Security

> Vanish's partnership with Turnkey uses secure enclaves for sensitive cryptographic operations and a key-management model where private key material is only decrypted inside an enclave.

***

## Turnkey Secure Enclaves

Vanish's signing infrastructure is powered by Turnkey, wallet infrastructure built on hardware Trusted Execution Environments (TEEs). Private key material is never stored unencrypted and is never exposed to Vanish, Turnkey, or any external process.

Turnkey's enclaves are highly constrained compute environments that can cryptographically attest to the code running inside. They are designed with:

* No persistent storage
* No interactive access
* No external networking

In Turnkey's architecture, a standard host instance receives network traffic and calls into the enclave. The enclave's only connection is a virtual serial link to the host and its own secure co-processor, [the Nitro Security Module](https://docs.turnkey.com/products/company-wallets/features/security/secure-hardware#secure-hardware).

Encrypted private key ciphertext is persisted by Turnkey and decrypted only within a secure enclave running verified Turnkey applications. Raw private keys never leave the enclave.

<Frame>
  <img src="https://mintcdn.com/vanish/20oECpShreybboLa/images/deployment.avif?fit=max&auto=format&n=20oECpShreybboLa&q=85&s=68e466cd9a7cbc901996c20b28a89e11" alt="Deployment" width="1760" height="1392" data-path="images/deployment.avif" />
</Frame>

***

## QuorumOS & Remote Attestation

Turnkey's enclave stack runs [QuorumOS](https://docs.turnkey.com/security/quorum-deployments), a minimal, immutable Linux unikernel designed for high-security environments with:

* A deterministic build system for reproducible, auditable artifacts
* An initialization and attestation framework ensuring only authorised code runs inside the enclave
* No mutable state, no interactive shell, no external access surface

Turnkey also uses [remote attestation](https://docs.turnkey.com/products/company-wallets/features/security/remote-attestation) so an enclave can cryptographically prove its identity and integrity. The enclave produces a signed quote containing measurements of its code and configuration. Only quotes signed by a hardware root of trust (the AWS Nitro Security Module) are considered valid.
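
The verifier-side check described above, as an added example that is not Turnkey's or Vanish's code: a quote is accepted only if its signature verifies under the trusted root key and its measurements equal the values expected from the reproducible build. The JSON quote format, the locally generated P-384 key standing in for the hardware root of trust, and the names `makeQuote`, `verifyQuote` and `EXPECTED` are assumptions for illustration; real Nitro attestation documents are CBOR/COSE structures validated against a certificate chain.

```javascript
// Added example: simplified model of quote verification, not Turnkey's code.
const crypto = require('node:crypto');

// Constructed stand-in for the hardware root of trust (in production this is
// a certificate chain ending at the AWS Nitro root, not a local key pair).
const root = crypto.generateKeyPairSync('ec', { namedCurve: 'P-384' });
const rogue = crypto.generateKeyPairSync('ec', { namedCurve: 'P-384' });

// Constructed measurements, as a reproducible build would let a verifier derive.
const sha384 = (s) => crypto.createHash('sha384').update(s).digest('hex');
const EXPECTED = { code: sha384('enclave-image-v1'), config: sha384('config-v1') };

// Enclave side (simulated): sign the serialized measurements with the given key.
function makeQuote(measurements, signingKey) {
  const payload = Buffer.from(JSON.stringify(measurements));
  return { payload, signature: crypto.sign('sha384', payload, signingKey) };
}

// Verifier side: check the signature first, then compare every pinned measurement.
function verifyQuote(quote, trustedPublicKey, expected) {
  if (!crypto.verify('sha384', quote.payload, trustedPublicKey, quote.signature)) {
    return { ok: false, reason: 'signature not from trusted root' };
  }
  const got = JSON.parse(quote.payload.toString());
  for (const name of Object.keys(expected)) {
    if (got[name] !== expected[name]) {
      return { ok: false, reason: `measurement mismatch: ${name}` };
    }
  }
  return { ok: true, reason: 'verified' };
}

// Constructed cases: a valid quote, a different build, a wrong signer, a modified payload.
const good = makeQuote(EXPECTED, root.privateKey);
const otherBuild = makeQuote({ ...EXPECTED, code: sha384('enclave-image-v2') }, root.privateKey);
const forged = makeQuote(EXPECTED, rogue.privateKey);
const flipped = Buffer.from(good.payload);
flipped[flipped.length - 3] ^= 1; // alter one character of a signed measurement
const tampered = { payload: flipped, signature: good.signature };

for (const [label, q] of Object.entries({ good, otherBuild, forged, tampered })) {
  console.log(label, verifyQuote(q, root.publicKey, EXPECTED));
}
```

A correctly signed quote from a different build is still rejected, which is why the verifier needs expected measurements it can reproduce independently.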

***

## What This Means for Vanish Users

* **Vanish never holds user private keys.** All signing happens inside the enclave, initiated only by the user's authenticated request.
* **No human approval in the loop.** All processes are fully automated: neither Vanish nor Turnkey can initiate or approve a transaction on behalf of a user.
* **Integrating Vanish introduces no additional custodial risk** to your platform or your users.
* **Audited by Halborn.** An independent security audit of Vanish's infrastructure was conducted by [Halborn](https://halborn.com), one of the leading blockchain security firms, trusted by Solana, Avalanche, and Coinbase.
* **Operational security by [Groom Lake](https://groomlake.io).** Staffed by NSA and CIA veterans, Groom Lake provides live threat monitoring, penetration testing, incident response, and global intelligence support.

<Info>
  Learn more: [Turnkey security model](https://turnkey.com/security) · [Halborn](https://halborn.com) · [Groom Lake](https://groomlake.io)
</Info>
