# Custody-free design

Andromeda is built so that a compromise of Andromeda does not expose user keys or let an attacker move user funds outside of policy. This page states that as a security posture; for the mechanics, see [Custody-free model](/hub/andromeda/concepts/custody-free.md).

## What Andromeda does not hold

* **No complete private key for a dWallet.** A dWallet's key is split (Ika 2PC-MPC). Andromeda never assembles the whole key.
* **No private key material for the Encrypt surface.** For FHE transactions, Andromeda returns unsigned transactions and only ever sees what you already signed.
* **No KMS private material.** The keys used for audit-log signing and for FHE-decision authority live in a KMS with sign-only policies; Andromeda uses the sign operation but never reads the key. See [Key management](/hub/andromeda/security/key-management.md).

## What Andromeda does hold

* **One gas-sponsor keypair.** Used to pay Solana fees and act as the fee payer on transactions Andromeda assembles for the flows it controls (recovery deploys, primary recovery, quorum sessions, policy admin actions). It is never an authority over a dWallet and is never treated as the user by the on-chain programs.
* **Operational state.** API keys (stored only as SHA-256 hashes), quotas, the idempotency cache, webhook config, the audit log, and identity records where identity is enabled (encrypted at rest; see [Data protection](/hub/andromeda/security/data-protection.md)).

## The two custody-free patterns

* `prepare -> submit`: Andromeda builds an unsigned transaction; you sign it client-side; you submit it; Andromeda broadcasts. The key never leaves the client.
* `challenge -> submit`: Andromeda issues a 32-byte challenge; the user signs it off-chain; Andromeda assembles the Solana transaction, includes a precompile instruction so the runtime verifies the signature, pays the gas, and broadcasts. Andromeda never produces the user's signature.
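The `challenge -> submit` pattern modelled end to end, as an added example in Go using only the standard library (not Andromeda's own code): the server issues the challenge, the client signs it, and the server assembles a Solana Ed25519 precompile instruction from the public key, signature and challenge alone, with a verifier that mirrors the runtime's check. It assumes the user signature is Ed25519 and uses the single-signature instruction layout of Solana's Ed25519 program; `NewChallenge`, `BuildEd25519Instruction` and `VerifyEd25519Instruction` are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
)

// Single-signature Ed25519 precompile instruction data: u8 count, u8 padding,
// a 14-byte offsets struct, then pubkey (32) | signature (64) | message.
// An instruction index of 0xffff means "the bytes are in this instruction".
const pubkeyOff, sigOff, msgOff, selfIx = 16, 48, 112, 0xffff

// Server side: a fresh 32-byte challenge for the user to sign off-chain.
func NewChallenge() []byte {
	c := make([]byte, 32)
	_, _ = rand.Read(c) // crypto/rand; never returns an error on supported platforms
	return c
}

// Server side: assemble the precompile instruction from what it may see
// (public key, signature, challenge). No private key is involved.
func BuildEd25519Instruction(pub ed25519.PublicKey, sig, msg []byte) []byte {
	data := make([]byte, msgOff+len(msg))
	data[0] = 1 // one signature; data[1] stays zero (padding)
	offsets := []uint16{sigOff, selfIx, pubkeyOff, selfIx, msgOff, uint16(len(msg)), selfIx}
	for i, v := range offsets {
		binary.LittleEndian.PutUint16(data[2+2*i:], v)
	}
	copy(data[pubkeyOff:], pub)
	copy(data[sigOff:], sig)
	copy(data[msgOff:], msg)
	return data
}

// Mirror of the runtime's check: decode the offsets, then verify the signature.
// A tampered message, signature or public key makes this return false.
func VerifyEd25519Instruction(data []byte) bool {
	le := binary.LittleEndian
	if len(data) < 16 || data[0] != 1 {
		return false
	}
	so, po := int(le.Uint16(data[2:])), int(le.Uint16(data[6:]))
	mo, ml := int(le.Uint16(data[10:])), int(le.Uint16(data[12:]))
	if so+64 > len(data) || po+32 > len(data) || mo+ml > len(data) {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(data[po:po+32]), data[mo:mo+ml], data[so:so+64])
}
```

The client keeps the private key and only ever hands over the signature; everything the server builds is derivable from public material, which is the whole point of the pattern.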

## The blast radius of a compromise

If Andromeda were compromised, the attacker could choose when to submit transactions, batch them, see request metadata, and decide whether to pay gas. The attacker could not: produce a user's signature, satisfy a policy that requires a signature it does not have, or move a dWallet's authority in a way the on-chain rule forbids. See [Threat model](/hub/andromeda/security/threat-model.md) and [Zero attestor](/hub/andromeda/security/zero-attestor.md).
