Transient Keys: Deep Dive
Transient Keys provide a temporary, secure encryption mechanism for sending secrets to recipients who have not yet signed in—bridging usability and zero-trust security.
For maximum data protection, Transient Keys are only used within Confidential Computing secure enclaves.
Tip
For the strongest security posture, recipients should sign in to PigeonHole before the sender sends a secret, enabling a fully trusted key exchange.
By default, when a user’s public key is known to PigeonHole, it is used for encryption.
When sending a secret to a recipient not yet known to PigeonHole, an ephemeral (transient) key is securely generated and issued on behalf of that user.
Transient Key Generation & Storage
Transient key content is split and securely stored using industry-standard envelope encryption.
Transient keys are generated with the OpenPGP libraries maintained by ProtonMail and stored separately from the secret and file cipher data.
Recipient Key Exchange
When a user signs into PigeonHole, their client-side generated keys are validated and uploaded. If transient keys exist for that user, they are rotated and the associated secrets are re-encrypted using the user’s permanent keys.
Multiple safeguards ensure the security of Transient Keys—even from PigeonHole itself.
Secret Re-Encryption Process
Transient key rotation is seamless and secure:
- Recipient receives a notification.
- Recipient signs into PigeonHole and uploads new keys.
- PigeonHole re-encrypts secrets previously encrypted with the transient key.
Note
Re-encryption occurs via Golang streams, so no unencrypted data touches disk.
This process is fully compatible with Confidential Computing.
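The rotation step above, as an added example that is not PigeonHole's own code: the OpenPGP keys the text describes are replaced by constructed 256-bit AES-GCM keys, and the notification, sign-in and upload steps are assumed to have already happened, so only the re-encryption from transient key to permanent key is shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// NewKey draws a fresh 256-bit key (constructed stand-in for an OpenPGP key).
func NewKey() (*[32]byte, error) {
	k := new([32]byte)
	_, err := io.ReadFull(rand.Reader, k[:])
	return k, err
}

func gcm(key *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail: key length fixed by type
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return aead
}

// Seal encrypts secret under key with AES-256-GCM; the nonce is prepended.
func Seal(key *[32]byte, secret []byte) ([]byte, error) {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, secret, nil), nil
}

// Open reverses Seal and fails closed on a truncated or tampered box.
func Open(key *[32]byte, box []byte) ([]byte, error) {
	aead := gcm(key)
	n := aead.NonceSize()
	if len(box) < n {
		return nil, io.ErrUnexpectedEOF
	}
	return aead.Open(nil, box[:n], box[n:], nil)
}

// Rotate is the sign-in step: open with the transient key, re-seal under the permanent key in memory.
func Rotate(transient, permanent *[32]byte, box []byte) ([]byte, error) {
	secret, err := Open(transient, box)
	if err != nil {
		return nil, err
	}
	return Seal(permanent, secret)
}
```

After Rotate returns, the transient key can be discarded: the rotated box no longer opens under it, and the plaintext was only ever held in memory.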
Separation of Concerns
Beyond PigeonHole’s distributed architecture safeguards, transient keys are further protected through obfuscation and anonymization using UUIDs.
These identifiers are virtually impossible to brute-force or trace back to senders, recipients, or secrets.
Secure Enclaves
PigeonHole’s secure enclaves leverage Confidential Computing, ensuring that all memory and disk usage is encrypted with AES-256.