# Table of Contents
- [GetTrusted Overview | LastID Docs](#gettrusted-overview-lastid-docs)
- [Add Your First Contact | LastID Docs](#add-your-first-contact-lastid-docs)
- [Quickstart for Individuals | LastID Docs](#quickstart-for-individuals-lastid-docs)
- [Who and When? | LastID Docs](#who-and-when-lastid-docs)
- [Enable Backup and Restore | LastID Docs](#enable-backup-and-restore-lastid-docs)
- [Verify your first Contact | LastID Docs](#verify-your-first-contact-lastid-docs)
- [Recover Your GetTrusted Identity | LastID Docs](#recover-your-gettrusted-identity-lastid-docs)
- [Quickstart for Enterprises | LastID Docs](#quickstart-for-enterprises-lastid-docs)
- [Create your Root Account | LastID Docs](#create-your-root-account-lastid-docs)
- [Configure Single Sign-On | LastID Docs](#configure-single-sign-on-lastid-docs)
- [Validate your Domain with GetTrusted | LastID Docs](#validate-your-domain-with-gettrusted-lastid-docs)
- [Create your organization | LastID Docs](#create-your-organization-lastid-docs)
- [Google Workspaces | LastID Docs](#google-workspaces-lastid-docs)
- [Okta Identity | LastID Docs](#okta-identity-lastid-docs)
- [Configure Directory Services | LastID Docs](#configure-directory-services-lastid-docs)
- [Setup Onboarding Requirements | LastID Docs](#setup-onboarding-requirements-lastid-docs)
- [Setting up Webhooks | LastID Docs](#setting-up-webhooks-lastid-docs)
- [Create Contact Distribution Rules | LastID Docs](#create-contact-distribution-rules-lastid-docs)
- [Microsoft Entra ID | LastID Docs](#microsoft-entra-id-lastid-docs)
- [Okta Directory Provider | LastID Docs](#okta-directory-provider-lastid-docs)
- [High-Level Architecture | LastID Docs](#high-level-architecture-lastid-docs)
- [Local Data Encryption | LastID Docs](#local-data-encryption-lastid-docs)
- [Microsoft Entra Directory Provider | LastID Docs](#microsoft-entra-directory-provider-lastid-docs)
- [Setting up Webhooks | LastID Docs](#setting-up-webhooks-lastid-docs)
- [Hardware Key Operations | LastID Docs](#hardware-key-operations-lastid-docs)
- [SDK Implementation Overview | LastID Docs](#sdk-implementation-overview-lastid-docs)
- [Identity Recovery Flow | LastID Docs](#identity-recovery-flow-lastid-docs)
- [Google Workspace | LastID Docs](#google-workspace-lastid-docs)
- [Trust Exchange | LastID Docs](#trust-exchange-lastid-docs)
- [Identity Creation | LastID Docs](#identity-creation-lastid-docs)
- [Trust Verification Challenge | LastID Docs](#trust-verification-challenge-lastid-docs)
- [User Data Backup | LastID Docs](#user-data-backup-lastid-docs)
- [Enterprise Self Service Signup | LastID Docs](#enterprise-self-service-signup-lastid-docs)
- [Employee Onboarding Flow | LastID Docs](#employee-onboarding-flow-lastid-docs)
- [User Data Restoration | LastID Docs](#user-data-restoration-lastid-docs)
- [Email Protection | Cloudflare](#email-protection-cloudflare)
---
# GetTrusted Overview | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
[**GetTrusted**](https://gettrusted.app/)
is a **human-to-human trust layer** that verifies identity across any communication channel targeting removing deepfakes and social engineering from your threat model and preventing before they impact their victims.
###
[](https://docs.gettrusted.app/#jump-right-in)
Jump right in
[](https://docs.gettrusted.app/architectural-foundations/high-level-architecture)

####
[](https://docs.gettrusted.app/#undefined)
**Security Foundations**
Learn how GetTrusted works.
[](https://docs.gettrusted.app/getting-started/quickstart)

####
[](https://docs.gettrusted.app/#undefined-1)
**Individuals Start Here**
Learn how to setup and exchange trust with your first contact.
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises)

####
[](https://docs.gettrusted.app/#undefined-2)
**Enterprise Start Here**
Get started with Enterprise GetTrusted today.
###
[](https://docs.gettrusted.app/#get-started)
GetTrusted Core Tenets
####
[](https://docs.gettrusted.app/#id-1.-human-first-security)
**1\. Human-First Security**
> Security should empower people, not burden them.
We design systems around **how humans actually live, not how we wish they did.** We know that calls, texts, email, video communications to personal cell phones is a primary business communication today and we make cryptographic verification as simple as a glance or tap. No passwords, no guesswork, no “trust me” moments.
####
[](https://docs.gettrusted.app/#id-2.-proof-over-promises)
**2\. Proof Over Promises**
> Trust should be verified, not assumed.
Every verification in GetTrusted is **cryptographic, hardware-backed, and auditable**. We don’t rely on memory, caller ID, or internal tools. We rely on math.
####
[](https://docs.gettrusted.app/#id-3.-privacy-by-design)
**3\. Privacy by Design**
> Zero knowledge. Maximum assurance.
GetTrusted never stores secrets, passwords, or private keys. We rely on your GetTrusted Identity when identifying with our servers. All identities live **on the user’s hardware**, not our servers. Encryption is end-to-end, with **no third-party exposure** or recovery access.
####
[](https://docs.gettrusted.app/#id-4.-universal-interoperability)
**4\. Universal Interoperability**
> Trust shouldn’t stop at your perimeter.
We verify across systems, organizations, and channels. Whether a call comes from HR, a partner, or a personal contact, verification just works, anywhere.
####
[](https://docs.gettrusted.app/#id-5.-recoverability-with-minimal-risk)
**5\. Recoverability With Minimal Risk**
> Identity should be durable, not fragile.
We enable secure recovery through just like your identity is recoverable, we create a recoverable backup key so that your data is recoverable only by the rightful owner, never by us. Same identity, new hardware, zero compromise.
We rely on you storing your backup information safely and securely as someone with your backup information and your passphrase can recover your identity.
####
[](https://docs.gettrusted.app/#id-7.-trust-that-scales)
**7\. Trust That Scales**
> From one person to an entire enterprise.
GetTrusted grows from a single verified exchange to an organization-wide trust fabric. Verification events build a network of proven identities, enabling safer communication everywhere.Get started
* Want to learn more about GetTrusted? [Visit our website](https://gettrusted.app/)
.
* Interested in a demo? Lets [get you booked.](https://gettrusted.app/request-demo)
* Ready to stop social engineering and deep fake threats? Check out the [Quick Start](https://docs.gettrusted.app/getting-started/quickstart)
[NextQuickstart for Individuals](https://docs.gettrusted.app/getting-started/quickstart)
Last updated 2 months ago
---
# Add Your First Contact | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
Now that you have created your identity, you can unlock GetTrusted's value by adding your trusted contacts. These are the people who can influence your decisions: the ones you'd act for out of love, loyalty, or even concern. Since trust shapes how we respond to requests, we want to help you act with confidence knowing who's really asking.
We are going to walk through this flow on both from your view and the view of the person you invited to exchange with so you can see each side of the flow and what to expect.
###
[](https://docs.gettrusted.app/getting-started/quickstart/add-your-first-contact#get-started)
Get Started
**Your View**
**Your Trusted Contacts View**

Select how you would like to start the exchange, you can display a QR Code or Send a SMS message. If you choose to Send a SMS Message we will provide a message and open the default text messaging app so you can send to the contact you would like to exchange with.
In our exchange, we are going to select QR Code as our trusted contact is next to us. Before we generate a QR Code, you will select the persona you wish to share with your contact.

You now have one additional opportunity to redact any data you wish to share or not share. We believe that not all contexts require full sharing, and since the only required field is a name, you can choose the rest of what you share.

Once you are satisfied, you can click Share Contact Information and we will generate a session and provide a QR Code for scanning following the [trust exchange process.](https://docs.gettrusted.app/core-workflows/trust-exchange)
Right now they are reading the paper, watching a movie, in a meeting, or right next to you.
**Your View**
**Your Trusted Contacts View**

At this point, your trusted contact would either receive the SMS message with the link to join the trust exchange, or, if you are next to your trusted contact, you can just show them the QR code for scanning.
Inside GetTrusted we have a QR Scanner that will automatically join the session for you. Otherwise if you scan with your phones camera or another scanner you will get a link to join the trust exchange.
That will allow them to either open the Trust Exchange in GetTrusted Application or download from the App Store for their device and then join the session.

Trust exchange sessions are only valid for 15 minutes, this is intentional as you should be actively participating in a trust exchange.
**Your View**
**Your Trusted Contacts View**

While your trusted contact is going through the process of reviewing your information and selecting the persona they wish to share in return you will be directed to a 6 digit code screen. You are waiting for the last digit to complete the pin number and create trust. Your trusted contact will need to provide to you over voice or text the last digit in the 6 digit pin code.

After scanning the QR code, or joining through the SMS Link, You will get a preview of the contact that they wish to share with you. Additionally we will show a little additional information.
This information will show a little about who trusts, and their trust network. If there are mutual connections we will share them here. This is to help you make a decision, but shouldn't be the only data in your decision. The first should be do you know this person?

After you have reviewed, you can select yes or no to continue. Upon continuing you will be prompted to select your persona you wish to share back, and have an opportuntity to redact from what you share.

Once you select and redact you will continue through and confirm your profile you are sharing.

After that you will be displayed a 6 digit code, you will need to share with the person who invited you to the trust exchange the last digit. In this case 4.

**Your View**
**Your Trusted Contacts View**

Congrats, your requested trust exchange is complete and you can now verify your new trusted contact.

After they enter the last digit you both will get a success screen and trust is established. If you go back to view your contacts you will see the new contact.
[PreviousQuickstart for Individuals](https://docs.gettrusted.app/getting-started/quickstart)
[NextVerify your first Contact](https://docs.gettrusted.app/getting-started/quickstart/verify-your-first-contact)
Last updated 1 month ago
---
# Quickstart for Individuals | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
[](https://docs.gettrusted.app/getting-started/quickstart#welcome-to-gettrusted)
**Welcome to GetTrusted!**
----------------------------------------------------------------------------------------------------------------
**If you have not already downloaded the application to your phone, take a moment now.**
[GetTrusted App - App StoreApp Store](https://apple.co/3WqTzsC)
[GetTrusted - Apps on Google PlayGooglePlay](https://play.google.com/store/apps/details?id=co.lastid.GetTrusted)
###
[](https://docs.gettrusted.app/getting-started/quickstart#lets-get-started)
Lets get Started!
We want this to be a quick process and get you up and running quickly, protecting yourself and your closest contacts from impersonation.
Your first choice is choosing to create a new identity or recover an existing one. If you are looking to [recover your identity please follow this guide.](https://docs.gettrusted.app/getting-started/quickstart/recover-your-gettrusted-identity)
Click "**Create New Identity"** and continue with this guide.

###
[](https://docs.gettrusted.app/getting-started/quickstart#creating-your-identity)
Creating your Identity.
The first step in onboarding is to create your identity by choosing a pass phrase. What we require is 2 words 3 letters or more. This phrase should be memorable and include any words you want that you will remember. You will only require this phrase during the recovery of your identity.
In this example I used "phone calls lose millions".
I now have a second choice to make which is do I want to protect the key that acts as my identity further, its currently secured in the hardware on your phone but without biometrics it is unlocked for anyone with access to your phone. When you apply biometrics we will require a biometric backed session to access the key, enforced by the phone itself. It is recommended to continue with biometrics.
We rely on system level biometrics, anyone who is able to access your phone through its biometrics will be able to access your identity.
After you continue from this screen, your identity will be created in the background following the [identity creation workflow.](https://docs.gettrusted.app/core-workflows/identity-creation)

###
[](https://docs.gettrusted.app/getting-started/quickstart#your-identity-is-created-lets-ensure-we-can-recover)
Your Identity is Created! Lets ensure we can recover.

Now that your identity is created, we want to make sure that you can easily and safely recover your identity, we show you a QR code and a few options.
This QR code coupled with your pass phrase is all the data you need to restore your identity onto a new device.
You will see a few options at the bottom.

**Print** - We recommend that you print your recovery information. You should store this document with your other important documents. Preferably in a safe or fireproof box.
If someone gets access to this document and you write your pass phrase on it they will be able to recover your identity.
**Copy** - If you have an existing password manager or secure storage you can copy the data from the QR code and store it in secure storage.
**Do nothing** \- You also can just continue at this point as this data will continue to be available to you on your original device.
###
[](https://docs.gettrusted.app/getting-started/quickstart#create-your-persona-and-choose-how-you-show-up)
Create your Persona and choose how you show up.
Welcome to GetTrusted, you have created your identity, Now you can create how you will show up with your first persona. We believe that all humans have multiple personas and share them in different contexts So we allow multiple personas so you can add more later.
Choose if you want a photo or not, you can take a picture or upload an existing one, or choose to not have one and we will just use your initials.
Enter your name, this is of your choosing should it be your legal name, or your anonymous handle. This is the only required field, everything else is optional including professional information should you choose to include it.
This is the persona you will share with others so make it useful to them, you will also be able to edit and add additional items to your persona in the edit screens.
When it comes time to share your persona, you will also have the option to include or not include each part of the information in your persona.

###
[](https://docs.gettrusted.app/getting-started/quickstart#congrats-youre-done)
Congrats, You're Done!
You have now successfully created your identity and your first persona. You are ready to start to share with your trusted contacts so you can verify them immediately. Invite your family, friends, and others to your trusted ciricle and lets stop impersonation.
[PreviousGetTrusted Overview](https://docs.gettrusted.app/)
[NextAdd Your First Contact](https://docs.gettrusted.app/getting-started/quickstart/add-your-first-contact)
Last updated 2 months ago
* [Welcome to GetTrusted!](https://docs.gettrusted.app/getting-started/quickstart#welcome-to-gettrusted)
* [Lets get Started!](https://docs.gettrusted.app/getting-started/quickstart#lets-get-started)
* [Creating your Identity.](https://docs.gettrusted.app/getting-started/quickstart#creating-your-identity)
* [Your Identity is Created! Lets ensure we can recover.](https://docs.gettrusted.app/getting-started/quickstart#your-identity-is-created-lets-ensure-we-can-recover)
* [Create your Persona and choose how you show up.](https://docs.gettrusted.app/getting-started/quickstart#create-your-persona-and-choose-how-you-show-up)
* [Congrats, You're Done!](https://docs.gettrusted.app/getting-started/quickstart#congrats-youre-done)
---
# Who and When? | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
**Who should I exchange trust with?**
You should exchange with anyone you might need to **trust for money, access, or sensitive actions.** That includes:
**People You Know Personally:**
* **Family Members:** These individuals are often used as the pretext for a scam or social engineering attack. They call and say either your son/daughter/spouse is in trouble or call pretending to be them in trouble. These are people you closely trust.
* **Friends:** If you're like most and will help your friends anytime you can, you should exchange trust with them. While its not as often that friends are used as a pretext for social engineering, targeted attacks will and can.
**People you work with:**
Even if your organization hasn’t rolled out GetTrusted, you can exchange trust with coworkers using your **personal personas.**
For small teams or businesses, no enterprise setup is required. Just create your personas, exchange trust, and weave it into everyday workflows like approving access, sharing files, or resetting credentials.
**When should I verify?**
Situation
Why Verify
Someone asks for money or credentials
Prevent scams and fraud
A call or message feels “off”
Stop deepfake or impersonation attempts
You’re resetting MFA or granting access
Ensure internal controls stay intact
Verification takes seconds and saves you from costly mistakes.
###
[](https://docs.gettrusted.app/getting-started/quickstart/who-and-when#reminder)
Reminder:
If the **risk of being wrong** is higher than the **effort to verify**, **verify**.
* Trust your instincts.
* If something feels urgent, that’s often the best time to slow down and check.
* Real people and real companies will appreciate it.
GetTrusted offers a work solution that integrates with existing security tooling and identity. You can find [out more](https://gettrusted.app/)
or get [a demo](https://gettrusted.app/request-demo)
.
[PreviousVerify your first Contact](https://docs.gettrusted.app/getting-started/quickstart/verify-your-first-contact)
[NextRecover Your GetTrusted Identity](https://docs.gettrusted.app/getting-started/quickstart/recover-your-gettrusted-identity)
Last updated 2 months ago
---
# Enable Backup and Restore | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
This requires premium features and a subscription to access. You can [read how the feature works here.](https://docs.gettrusted.app/core-workflows/user-data-backup)
If you want to maintain all your contacts and be able to recover like nothing happened, this is the solution for you. Backups are maintained end to end encrypted with a key bound to your core identity, meaning your identity is the only one that can restore it. This key is created when you create your identity or restore your identity and automatically availalble. You can enable this feature at any time.
To backup you have a few options. You can manually backup by going to Settings -> Backup & Restore and click "Backup Now". This will perform a point in time backup and data will be available from that point.
Your second option is enable automatic backups. This will monitor the local data respository and automatically trigger backups in the background. This will trigger when a contact or persona changes.
Using automatic backups is the recommended configuration as it will keep you up to date all the time.

If you need to restore contacts for any reason you can go into Settings -> Backup and Recovery and click Restore from Backup. This will restore your last backup.

[PreviousRecover Your GetTrusted Identity](https://docs.gettrusted.app/getting-started/quickstart/recover-your-gettrusted-identity)
[NextQuickstart for Enterprises](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises)
Last updated 2 months ago
---
# Verify your first Contact | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
Now that you have a trusted contact, you can always ensure you are communicating with them, and verify key details of that communication anytime you want. This is useful when someone is needing emergency help, as many scams and social engineering attacks use urgency and fear. This is a time crunch and is very successful in getting people to do things they normally wouldn't do.
Anytime you decide you need to challenge your contact, this is how you would do it, and [here is the details of how it works.](https://docs.gettrusted.app/core-workflows/trust-verification-challenge)
**Your View**
**Your Trusted Contacts View**

First you will start at your contacts page and select the contact you wish to verify and click "Verify"
You will be brought to a screen where you can select the type of communication you want to verify, as well as additional details. You can use this to confirm what they are asking about or needs, all is end to end encrypted and not visible by anyone other than you and the other party.

When you are satisifed just click Send Verification Challenge. You will now wait for a response.
Your contact has either just called you, texted, or messaged. You have decided that for some reason you want to verify the contact and at this point you have either told them, or are suspicious enough that you are challenging them silently.
**Your View**
**Your Trusted Contacts View**


If your contact has GetTrusted open it will automatically navigate to the challenge response page. Otherwise, a notification will prompt them to open the app and will send them to the notification page.
Here they get to see the context you provided, and who is challenging them. This should be a quick and simple decision for anyone. If they are on the phone with you they can enter a simple Yes, otherwise send a no or distress signal.

Now you have the answer to your question and you can act accordingly.
Once they select their answer, they head back to the contacts screen all done.
[PreviousAdd Your First Contact](https://docs.gettrusted.app/getting-started/quickstart/add-your-first-contact)
[NextWho and When?](https://docs.gettrusted.app/getting-started/quickstart/who-and-when)
Last updated 2 months ago
---
# Recover Your GetTrusted Identity | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
Having an identity that you can lose isn't much of an identity is it?
If you are out and about and break or lose your phone how would you recover? Well lets walk through how you would recover with GetTrusted and back to verifying yourself to trusted contacts.
When we created your identity we showed a QR code, and you set a pass phrase. We need that information to recover your identity, once you have it available lets get started.
To get started make sure you have the application installed
[GetTrusted App - App StoreApp Store](https://apple.co/3WqTzsC)
[GetTrusted - Apps on Google PlayGooglePlay](https://play.google.com/store/apps/details?id=co.lastid.GetTrusted)
You will be greeted with this screen. Lets click Recover Existing Identity.

We have a few options we can recover with. If you remember at identity creatiion we showed the recovery QR code and said we had a few options.
[**Print, Copy, or Do Nothing?**](https://docs.gettrusted.app/getting-started/quickstart#your-identity-is-created-lets-ensure-we-can-recover)
If you did nothing, you need your old device and you can go into settings, and then recovery data and print or copy your recovery data.
If you selected Print, select "Scan QR Code"
If you copied the data to a password manager or other safe storage. Select "Enter recovery data manually".

After you have Scanned the QR code or manually input the data you will arrive at this point. Here is where you need to remember your passphrase when you first setup your identity.
Enter your pass phrase and once again select if you want biometrics to protect access to your identity keys. Through recovery and creation is the only time we can set this property.
Click Recover My Identity and in the background your identity will be recreated with new device certificates and keys following the [recovery workflow](https://docs.gettrusted.app/core-workflows/identity-recovery-flow)
.

After you have successfully recovered your identity you will be asked to review the devices associated with your identity. The top identity will be the current device and you can not revoke it.

After you have selected the device you wish to revoke you can click revoke you can add an optional reason. Then click Revoke Certificate.
If your phone was lost or stolen, at this point your identity can not be used from that device. Revocation is immediate effect. Your trust contacts would not be affected.

Once you have revoked any necessary devices and are happy with the devices listed you can scroll to the bottom and continue.
You can always see what devices are associated with your identity and revoke them by heading to Settings -> Device Management.

Now you can create how you will show up with your first persona. We believe that all humans have multiple personas and share them in different contexts So we allow multiple personas so you can add more later.
Choose if you want a photo or not, you can take a picture or upload an existing one, or choose to not have one and we will just use your initials.
Enter your name, this is of your choosing should it be your legal name, or your anonymous handle. This is the only required field, everything else is optional including professional information should you choose to include it.
This is the persona you will share with others so make it useful to them, you will also be able to edit and add additional items to your persona in the edit screens.
If you have a premium GetTrusted subscription or a business subscriber this step will recover from a last backup if enabled and restore your personas and contacts.

You are back to recovered and can start adding your trusted contacts back.

[PreviousWho and When?](https://docs.gettrusted.app/getting-started/quickstart/who-and-when)
[NextEnable Backup and Restore](https://docs.gettrusted.app/getting-started/quickstart/enable-backup-and-restore)
Last updated 2 months ago
---
# Quickstart for Enterprises | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
This quick start will guide you through connecting your organization to GetTrusted, from initial setup to employee onboarding in about 30 minutes.
Before you begin, here’s what you’ll need:
####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises#what-youll-need)
**What You’ll Need**
* **Access to create an OIDC Client in your Organization.** We support **Microsoft Entra**, **Okta**, and **Google Workspaces**. You’ll need access to create or view your client ID, client secret, and redirect URL settings for your IdP.
* **Directory Information for your Organization** for your directory provider. We support **Microsoft Entra**, **Okta**, and **Google Workspaces**. This allows GetTrusted to automatically recognize and verify users in your domain for onboarding. We only require read access. Nothing else.
[Here is an interactive demo of onboarding](https://app.howdygo.com/share/c2ef6ad4-8445-4553-806e-6c6e032fb9f8)
> ⚙️ _TL;DR: your OIDC config and your directory info._ This guide will walk you step-by-step through obtaining the information and getting them connected.
When you’re ready, start with [Create your Root Account](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/create-your-root-account)
[PreviousEnable Backup and Restore](https://docs.gettrusted.app/getting-started/quickstart/enable-backup-and-restore)
[NextCreate your Root Account](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/create-your-root-account)
Last updated 1 month ago
---
# Create your Root Account | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
Your first step is to create your root account, enter the email address you wish to signup with and click continue.

We prioritize using Single Sign-On, so after you enter your email we will discover if your organization is using GetTrusted. If setup has not been performed/completed, you will be provided with two options:
* **Sign in with Root Account** - This is to continue onboarding if you have not setup your Single Sign-On or directory access. This can also be used as a break-glass mechanism if your configuration is ever having issues.
* **Set up GetTrusted for My Company** - This is to create your account and start the onboarding process to create your organization.
Today, we are going to click **"Set Up GetTrusted for My Company"**

To setup your account. Start by entering your name and company name as well as your password.
Review and then accept Terms & Conditions and select Create Root Account.
Enter your Sign up code and validate it. This will be removed in December of 2025.
Your root account is used for recovery and break-glass access. You will not be using this once you have onboarded.

You will be asked to verify your email with a 6 digit code.

After you have verified your email, you will be redirected back to login so you can authenticate with the credentials you just set.

[PreviousQuickstart for Enterprises](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises)
[NextCreate your organization](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/create-your-organization)
Last updated 1 month ago
---
# Configure Single Sign-On | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
Connecting your identity provider allows GetTrusted to authenticate users using your existing login system.
We support **Microsoft Entra ID (Azure AD)**, **Okta**, and **Google Workspace** through the **OpenID Connect (OIDC)** standard.
####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on#what-youll-need)
**What You’ll Need**
* Access to your organization’s identity provider (admin or app-registration rights).
* The ability to retrieve or create:
* **Client ID**
* **Client Secret**
* **Issuer/Discovery URL**
* **And the ability to add our redirect URI:**
* `https://enterprise.gettrusted.app/auth/oidc/callback https://enterprise.gettrusted.app/auth/oidc/mobile/callback`
> ⚙️ _All values are encrypted at rest and scoped to your tenant._
[PreviousCreate your organization](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/create-your-organization)
[NextGoogle Workspaces](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/google-workspaces)
Last updated 1 month ago
---
# Validate your Domain with GetTrusted | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
When you signup with GetTrusted you enter the domain of your Company. Once you have verified your domain, no persona on the GetTrusted network can use that domain for sharing personas unless it is your managed personas. Once you verify your domain the GetTrusted network will self heal and existing profiles will be notified they can not share until they change the domain they are using, as well as anyone with the existing profiles shared will be notfiied that the contact is using an invalid domain and they should restablish if they need too.
To verify your domain you will need access to your DNS provider to enable a TXT record.

To get the verification instructions, click the Information Icon next to the verification token.

Enter this information into your DNS provider and click Verify domain. The system will continously verify the domain and ensure the record still exists. As long as the domain is verified the protections are running.
[PreviousCreate Contact Distribution Rules](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/create-contact-distribution-rules)
[NextHigh-Level Architecture](https://docs.gettrusted.app/architectural-foundations/high-level-architecture)
Last updated 1 month ago
---
# Create your organization | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
###
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/create-your-organization#create-your-organization)
**Create Your Organization**
To begin your enterprise configuration, you’ll first create your organization in GetTrusted. This step takes just a few minutes and requires only three pieces of information.
####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/create-your-organization#id-1.-company-name)
**1\. Company Name**
This will appear during onboarding and in all contacts distributed from your organization. Use the full, official company name to ensure employees and partners easily recognize it.
####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/create-your-organization#id-2.-contact-email)
**2\. Contact Email**
This address will only be used by GetTrusted for **support-related communication** about your enterprise account such as setup confirmation, system notices, or configuration assistance.
We recommend using a shared admin or IT inbox (e.g., `[[email protected]](https://docs.gettrusted.app/cdn-cgi/l/email-protection) `).
####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/create-your-organization#id-3.-domain-name)
**3\. Domain Name**
Enter the **primary domain name** for your users (e.g., `yourcompany.com`). This domain is used for user discovery and validation inside GetTrusted.
> 💡 _If your organization uses multiple domains or your OIDC login domain differs from your primary domain, that’s fine — you’ll define those details during SSO configuration._
Once you’ve entered this information, click **Create Organization**. Your organization is now active.
Next, you’ll connect your **Single Sign-On (SSO)** provider to enable secure user authentication.
[PreviousCreate your Root Account](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/create-your-root-account)
[NextConfigure Single Sign-On](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on)
Last updated 1 month ago
---
# Google Workspaces | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
###
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/google-workspaces#overview)
**Overview**
You’ll create a new OIDC client in your Google Cloud Console and download its configuration JSON.
GetTrusted uses this to enable SSO for all accounts in your Workspace domain.
####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/google-workspaces#prerequisites)
**Prerequisites**
* Admin access to **Google Cloud Console**.
* An active **Google Workspace domain**.
####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/google-workspaces#steps)
**Steps**
**1\. Open Google Cloud Console**
Navigate to [**console.cloud.google.com/apis/credentials**](https://console.cloud.google.com/apis/credentials)
.
**2\. Create OAuth 2.0 Client ID**
* Click **Create Credentials → OAuth client ID**.
* Select **Web Application**.
* Enter an identifiable name like `GetTrusted OIDC`.
**3\. Add Authorized Redirect URI**
Add the following redirect URI.
Copy
https://enterprise.gettrusted.app/auth/oidc/callback
https://enterprise.gettrusted.app/auth/oidc/mobile/callback
**4\. Save and Download Client Configuration**
* Click **Create**.
* Download the JSON file (`client_secret_XXXXX.json`). This file contains your **Client ID**, **Client Secret**, and **Issuer URL**.
**5\. Upload to GetTrusted**
Upload this to GetTrusted, click Save Configuration. And you are done.

We will next start setting up [Directory Services](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services)
[PreviousConfigure Single Sign-On](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on)
[NextOkta Identity](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/okta-identity)
Last updated 1 month ago
---
# Okta Identity | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
###
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/okta-identity#overview)
**Overview**
You’ll register GetTrusted as an OIDC application inside your Okta Admin Console.
###
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/okta-identity#prerequisites)
**Prerequisites**
* Admin access to **Okta Admin Console**.
* Okta domain (e.g., `yourcompany.okta.com`).
####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/okta-identity#steps)
**Steps**
**1\. Log into Okta Admin**
Go to **Applications › Applications** and click **Create App Integration**.
**2\. Choose Sign-In Method**
Select **OIDC – OpenID Connect**, and choose **Web Application** as the application type.
**3\. Configure Application Settings**
* Name: `GetTrusted Enterprise`
* Grant type: Authorization Code + Refresh Token
* Sign-in redirect URI:
Copy
https://enterprise.gettrusted.app/auth/oidc/callback
https://enterprise.gettrusted.app/auth/oidc/mobile/callback
* Assign the app to your default user group or appropriate roles.
**4\. Retrieve Credentials**
After saving, copy:
* **Client ID**
* **Client Secret**
**5\. Enter into GetTrusted**
Provide your Okta Domain, the Client ID and Secret.

Click **Save Connection**. We will next start setting up [Directory Services](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services)
[PreviousGoogle Workspaces](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/google-workspaces)
[NextMicrosoft Entra ID](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/microsoft-entra-id)
Last updated 1 month ago
* [Overview](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/okta-identity#overview)
* [Prerequisites](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/okta-identity#prerequisites)
---
# Configure Directory Services | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
[Google Workspace](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/google-workspace)
[Okta Directory Provider](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/okta-directory-provider)
[Microsoft Entra Directory Provider](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/microsoft-entra-directory-provider)
[PreviousMicrosoft Entra ID](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/microsoft-entra-id)
[NextGoogle Workspace](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/google-workspace)
---
# Setup Onboarding Requirements | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
###
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/setup-onboarding-requirements#limited-or-full-rollout)
Limited or Full Rollout
We support too modes, limited and full rollout. You can select Everyone from your Rollout Mode, or select specific groups that can onboard. We support multiple groups and only require you to be in one of the listed groups. During rollout like this if you are not in the appropriate group the mobile app will let you know you do not meet the requirements.

####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/setup-onboarding-requirements#verification-visibility)
Verification Visibility
You can enable Verification Visibility as an organization. Everything on GetTrusted is E2EE encrypted. Key discovery for enterprise keys goes through a different discovery which allows us to include an audit agent for an enterprise that is backed by a ECDH key in KMS. When you enable this every key discovery for a challenge/response will include the audit agents key and encrypt to the audit agent. This will let you see the challenge answers and build workflows from them.
For example, if you want to route denied or distress signals to seperate work flows to gather information and collect it on the event either through slack, or other configurable workflows.

###
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/setup-onboarding-requirements#biometrics-for-enterprise-key-requirements)
Biometrics for Enterprise Key Requirements
We allow anyone when they create their base identity to set biometrics on their key or not. This is configurable for enterprises to enforce. When you select this then biometrics on the device will be required in the properties of the key and enforced by the operating system.

###
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/setup-onboarding-requirements#identity-verification-with-kyc)
Identity Verification with KYC
If you want to enable Know your Customer for onboarding enterprise employees you can do that. Today we have support for DidIT and are working on other providers. In order to enable this select your provider from the dropdown and provide the related configuration.
When you enable this every one onboarding to your instance will have to go through the KYC provider and get a pass response from both the KYC provider and that the identity information provides matches your directory information.
If your directory information matches you can automatically approve the request if it meets your requirements, else will go into a pending queue where you can review and accept or deny. The mobile app requires an approved to allow onboarding. During this time the employee will see a pending requirement of the KYC check and will not be able to continue.

####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/setup-onboarding-requirements#location-verification)
Location Verification
If you want to enable specific location onboarding requirements you can add your allowed countries to the list. When an employee authenticates to start onboarding the location information is sent from their device, if they are not in a required location they will see an unmet location requirement and will not be able to continue.

[PreviousSetting up Webhooks](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/microsoft-entra-directory-provider/setting-up-webhooks)
[NextCreate Contact Distribution Rules](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/create-contact-distribution-rules)
Last updated 1 month ago
* [Limited or Full Rollout](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/setup-onboarding-requirements#limited-or-full-rollout)
* [Biometrics for Enterprise Key Requirements](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/setup-onboarding-requirements#biometrics-for-enterprise-key-requirements)
* [Identity Verification with KYC](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/setup-onboarding-requirements#identity-verification-with-kyc)
---
# Setting up Webhooks | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send

[PreviousMicrosoft Entra Directory Provider](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/microsoft-entra-directory-provider)
[NextSetup Onboarding Requirements](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/setup-onboarding-requirements)
Last updated 1 month ago
---
# Create Contact Distribution Rules | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
You can select and test, how people experience contacts. By default we have including the persons manager, their direct reports if any, and peers (people who report to the same manager) this will get them close to their working set. You will be able to also find any contact that is not in your contacts by searching the directory

Next to your basic rules you have a contact test mechanism so you can see how the contacts will be deployed and to whom based on your rules.

Additionally we support Always Available Contacts, these would be someone you want to have on everyones device so they can verify them. This contact would by default be on everyones device.

We also support adding groups to everyones contacts, if you want to roll out everyone in helpdesk individually you can, or if you wanted to roll out and enable the Helpdesk to use workflows or on call routing of challenges we can roll out as a service account.

When you choose to roll out a group as a service identity, you will need to specify its contact information. This is useful if you have a security team that has 24/7 coverage on phone or email or on call so that people can immediately get in touch with who they need.

[PreviousSetup Onboarding Requirements](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/setup-onboarding-requirements)
[NextValidate your Domain with GetTrusted](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/validate-your-domain-with-gettrusted)
Last updated 1 month ago
---
# Microsoft Entra ID | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good night
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/microsoft-entra-id#overview)
**Overview**
You’ll register a new enterprise application in Microsoft Entra ID (Azure AD) and grant access for GetTrusted SSO.
####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/microsoft-entra-id#prerequisites)
**Prerequisites**
* Admin access to the **Azure portal**.
* Permission to create app registrations.
As you go through this save the 4 pieces of information as you will need it again for the directory services setup as the same data is needed.
####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/microsoft-entra-id#steps)
**Steps**
**1\. Open Azure Portal**
Go to [**portal.azure.com › Microsoft Entra ID › App registrations**](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)
and click **New registration**.

**2\. Register the Application**
* Name: `GetTrusted Enterprise`
* Supported account types: “Accounts in this organization only.”
* Redirect URI (Web):

**3\. Save and Copy Application Details**
After saving, note:
* **Application (Client) ID**
* **Directory (Tenant) ID**

**4\. Add Client Secret**
Under **Certificates & Secrets**, select **New Client Secret** → choose an expiration period → **Add**. Copy the generated secret value immediately
**5\. Verify Redirect URIs**
Navigate to the Authentication (Preview) page for your Integration you just created. Navigate to settings and ensure Allow public client flows is disabled, and ensure Access tokens and ID tokens are enabled.

**6\. Enter Values into GetTrusted**
In GetTrusted › **Settings › Authentication**, fill:
* Client ID
* Client Secret
* Tenant ID
* Primary domain for your Microsoft tenant, this will generally be the email domain.

Click **Save Connection**. We will next start setting up.
[PreviousOkta Identity](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/okta-identity)
[NextConfigure Directory Services](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services)
Last updated 1 month ago
Copy
https://enterprise.gettrusted.app/auth/oidc/callback
https://enterprise.gettrusted.app/auth/oidc/mobile/callback
---
# Okta Directory Provider | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
Setting up Okta with GetTrusted is easy and simple, to get started access your Okta Admin Console
GetTrusted needs API acccess to your Okta instance, the best way to do this is create a service account user that has Read Only
Go to your Okta Admin page and follow these directions.
1\. Go to Directory → People → Add Person
2\. Create a service account: [\[email protected\]](https://docs.gettrusted.app/cdn-cgi/l/email-protection)
3\. Assign role: Read-Only Administrator
4\. Login with that user and then create an API Token as defined below.
5\. GetTrusted will use the rights of the Okta token, which is generally defined by who created it.
On the side menu select Security and then API and Add a New App Integration. Select API Services.
Select Create New Token, if you are using a read only user, this will popup a new window, ask for your code to confirm. You will be redirected to a page that displayes your token. Copy the value as this is the only time it will be displayed.
Add your domain and past the token into the token field.
Then click Test Configuration, once you have a successful test, you can save your configuration and move on to test your Single Sign-on and Directory Settings by completing a SSO login and continuing with [setting up onboarding requirements.](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/setup-onboarding-requirements)
test
[PreviousGoogle Workspace](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/google-workspace)
[NextSetting up Webhooks](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/okta-directory-provider/setting-up-webhooks)
Last updated 1 month ago
---
# High-Level Architecture | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
###
[](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#i.-introduction-and-architectural-principles)
I. Introduction and Architectural Principles
The GetTrusted architecture is a zero-trust security framework designed to provide verifiable, hardware-rooted, and privacy-preserving identities for individuals and enterprises. The core principle is End-to-End Encryption (E2EE) and verifiable trust, moving all cryptographic operations to the device and relying on hardware security modules (HSMs) for key integrity.
####
[](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#core-principles)
Core Principles
Principle
Description
**End-to-End Encryption (E2EE)**
All communications and data storage are encrypted from source to destination. The API server acts only as an unintelligent proxy and public key exchange mechanism.
**Hardware Root of Trust**
Cryptographic identity is rooted in the device's HSM (Secure Enclave, StrongBox, TPM) to ensure private keys are never exposed and cannot be exfiltrated. Biometrics enabled on key access if required.
**Verifiable Trust Graph**
All trust events, including identity creation, mutual trust exchanges, and key recovery, are logged immutably to a attestation log for audit and verification, leveraging Certificate Transparency (CT) principles.
**Zero Credential Storage**
The API server never stores user passwords or private keys. Authentication is managed solely through hardware-attested, identity-signed JSON Web Tokens (JWTs).
###
[](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#ii.-system-components)
II. System Components
The architecture consists of three primary components working in concert to manage identity and data exchange.
####
[](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#id-1.-gettrusted-mobile-client-client)
1\. GetTrusted Mobile Client (Client)
The client application manages all key generation, cryptographic operations, and secure storage locally. It is responsible for:
* Generating the **Master Identity CA** (self-signed, temporal).
* Minting the primary **Device Key** and limited **Tertiary Device Keys**.
* Creating a derived **Backup Key** (using a hash of fingerprint + passphrase) for secure data recovery, stored in the platform Keystore.
* Generating authentication JWTs using the Device Key and attaching hardware attestation tokens.
* Performing E2E encryption and decryption of all communicated data.
####
[](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#id-2.-api-server-proxy-and-public-key-exchange)
2\. API Server (Proxy & Public Key Exchange)
This server acts as a non-trustworthy intermediary for all network traffic.
* **Role:** Public key discovery and WebSocket server.
* **Function:** Stores public keys and facilitates the exchange of public keys between users who have an established relationship.
* **Authentication:** Validates incoming JWTs, ensuring the token is properly signed by a registered, hardware-attested Device Key and contains valid identity information (Device ID, permissions, Master Identity ID).
* **Data Integrity:** Stores temporary end to end encrypted data for routing but stores no private user credentials or expose any PII unencrypted.
* **Enterprise Data**: All business get a unique key in KMS and unique Intermediary CA stored in KMS. Data is stored using business only keys, with support for bring your own KMS keys coming.
####
[](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#id-3.-attestation-server-verifiable-trust-log)
3\. Attestation Server (Verifiable Trust Log)
This specialized server provides an immutable, auditable log of trust events, functioning similarly to a Certificate Transparency log. This log functions only on hashes that are anonymous, unless you have a trusted contact which makes the log both policy and history.
* **Technology:** Uses Merkle trees and cryptographic hashing to ensure the log cannot be tampered with.
* **Recorded Events (Trust Events):**
* Identity Creation (Master CA minting).
* Device/Key Recovery.
* Mutual Trust Exchange.
* Verification Events.
* Business CA Creation
* Business and Employee Relationship
* Delegation Events
* Identity Additions like KYC (Real Human Attestation)
* **Purpose:** Allows the ability verify the history and validity of a user's trust chain and to observe changes over time, establishing the "Trust Graph."
###
[](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#iii.-identity-hierarchy-and-delegation-pki-model)
III. Identity Hierarchy and Delegation (PKI Model)
GetTrusted implements a dual-layered PKI model to manage human identity and business relationships, all rooted in X.509 certificates.
####
[](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#id-1.-personal-identity-chain-self-signed)
1\. Personal Identity Chain (Self-Signed)
Identity Component
Function
Status
Rooted To
**Master Identity CA**
Root of the personal identity. **Temporal** and destroyed after key delegation.
Self-Signed CA
\-
**Device Key**
Primary operational key. Used for signing, authentication, and encryption.
X.509 Certificate
Master Identity CA
**Tertiary Key**
Optional keys with limited, specific permissions (e.g., IoT device access).
X.509 Certificate
Device Key, Master Identity CA.
####
[](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#id-2.-enterprise-and-network-chain-global-root)
2\. Enterprise and Network Chain (Global Root)
CA Level
Function
Signed By
**GetTrusted Root CA**
Global trust anchor for the entire network.
Self-Signed (Offline)
**GetTrusted Business CA**
Intermediary CA for managing business entities.
GetTrusted Root CA
**Organization Intermediary CA**
Dedicated CA for each enterprise/organization.
GetTrustedBusiness CA
**Employee Device Keys**
Keys for organizational members.
Organization Intermediary CA
####
[](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#id-3.-dual-signature-binding)
3\. Dual-Signature Binding
A critical feature is the explicit binding of personal and organizational identity. Certificates issued to an employee for use within an enterprise are **dual-signed** by both the **Organization Intermediary CA** and the **Human's Device Key**. This process explicitly ties the human's self-sovereign identity to their enterprise identity for purposes like network authorization and identity recovery. This also allows us to expose trust graph activity for the human to the business in an anonymous way.
###
[](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#iv.-communication-and-authentication)
IV. Communication and Authentication
Authentication relies on cryptographic proof-of-possession rather than shared secrets.
* **Authentication Flow:** The Mobile Client generates a JWT containing identity claims (Device ID, permissions, Master Identity ID) and cryptographically signs the JWT using the **Device Private Key**.
* **Attestation:** The JWT includes **Hardware Attestation Tokens** and **Key Attestations** provided by the device's HSM, proving that the Device Key is genuinely hardware-backed and operating on a trusted device state.
* **Verification:** The API Server verifies the JWT signature against the registered **Device Public Key** and checks the validity of the attestation tokens, ensuring the request originates from a legitimate, registered, and hardware-verified entity.
[PreviousValidate your Domain with GetTrusted](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/validate-your-domain-with-gettrusted)
[NextSDK Implementation Overview](https://docs.gettrusted.app/architectural-foundations/sdk-implementation-overview)
Last updated 2 months ago
* [I. Introduction and Architectural Principles](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#i.-introduction-and-architectural-principles)
* [II. System Components](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#ii.-system-components)
* [III. Identity Hierarchy and Delegation (PKI Model)](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#iii.-identity-hierarchy-and-delegation-pki-model)
* [IV. Communication and Authentication](https://docs.gettrusted.app/architectural-foundations/high-level-architecture#iv.-communication-and-authentication)
---
# Local Data Encryption | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
[](https://docs.gettrusted.app/architectural-foundations/local-data-encryption#overview)
Overview
------------------------------------------------------------------------------------------------------
GetTrusted uses **AES-256-GCM encryption** with hardware-generated keys for all local databases. This ensures that even if a device is compromised, sensitive user data remains unreadable without the hardware-protected key.
[](https://docs.gettrusted.app/architectural-foundations/local-data-encryption#process-flow)
Process Flow
--------------------------------------------------------------------------------------------------------------
Copy
flowchart TD
A[First Run] --> B[Generate 32-byte AES Key
• Hardware RNG]
B --> C[Store in Secure Keychain / Keystore]
C --> D[Encrypt Data
• AES-256-GCM + Nonce 12 bytes]
D --> E[Store Encrypted Blob
• nonce + ciphertext + tag]
E --> F[Decrypt as Needed
• Reverse process using stored key]
[](https://docs.gettrusted.app/architectural-foundations/local-data-encryption#cryptographic-summary)
Cryptographic Summary
--------------------------------------------------------------------------------------------------------------------------------
Component
Algorithm
Key Size
Storage Location
Purpose
RNG
Hardware RNG
256 bit
N/A
Entropy source
Encryption
AES-GCM
256 bit
Keychain / Keystore
Data confidentiality + integrity
Nonce
Random 12 bytes
96 bit
Stored with ciphertext
Prevent reuse
Tag
AES-GCM Auth Tag
128 bit
Stored with ciphertext
Integrity verification
Security Guarantees
* Encryption keys are generated and stored **in hardware**; they never leave the secure element.
* Every record is encrypted with a **unique nonce**, ensuring semantic security.
* **Authenticated encryption (GCM)** ensures tampering detection.
* Decryption requires both the stored key and correct device context.
Strategic Implications
This design makes local compromise worthless — stolen databases are cryptographically inert. It demonstrates GetTrusted’s commitment to privacy-by-default, not as an afterthought.
[PreviousHardware Key Operations](https://docs.gettrusted.app/architectural-foundations/hardware-key-operations)
[NextIdentity Creation](https://docs.gettrusted.app/core-workflows/identity-creation)
Last updated 2 months ago
* [Overview](https://docs.gettrusted.app/architectural-foundations/local-data-encryption#overview)
* [Process Flow](https://docs.gettrusted.app/architectural-foundations/local-data-encryption#process-flow)
* [Cryptographic Summary](https://docs.gettrusted.app/architectural-foundations/local-data-encryption#cryptographic-summary)
---
# Microsoft Entra Directory Provider | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
We just setup our Single Sign-on and we are going to use the same 4 values from that to setup our Microsoft Entra directory integration.
You can use the same application information, or create a new application in your Microsoft Tenant following the same process as [Single Sign-On](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-single-sign-on/microsoft-entra-id)
.

If you navigate back to your application you can select API Permissions. You need to add the following permissions to your application.
You will more than likely already have email, offline\_access, openid, and profile, set from configuring SSO.
We need to add
Copy
Directory.Read.All
Organization.Read.All
User.Read
User.Read.All
**Once we have added these, you can select Grant Admin consent for your organization and return to GetTrusted.**
In GetTrusted you can enter:
* Client ID
* Client Secret
* Tenant ID
* Primary domain for your Microsoft tenant, this will generally be the email domain.

Then click Test Configuration, once you have a successful test, you can save your configuration and move on to test your Single Sign-on and Directory Settings by completing a SSO login and continuing with [setting up onboarding requirements.](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/setup-onboarding-requirements)
[PreviousSetting up Webhooks](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/okta-directory-provider/setting-up-webhooks)
[NextSetting up Webhooks](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/microsoft-entra-directory-provider/setting-up-webhooks)
Last updated 1 month ago
---
# Setting up Webhooks | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send

[PreviousOkta Directory Provider](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/okta-directory-provider)
[NextMicrosoft Entra Directory Provider](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/microsoft-entra-directory-provider)
Last updated 1 month ago
---
# Hardware Key Operations | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
[](https://docs.gettrusted.app/architectural-foundations/hardware-key-operations#overview)
Overview
--------------------------------------------------------------------------------------------------------
GetTrusted leverages **Secure Enclave (Apple)** and **StrongBox (Android)** to generate and store non-exportable private keys. All cryptographic operations (signing, decryption) happen _inside hardware_, ensuring the private key is never exposed.
[](https://docs.gettrusted.app/architectural-foundations/hardware-key-operations#process-flow)
Process Flow
----------------------------------------------------------------------------------------------------------------
Copy
flowchart LR
subgraph iOS / macOS [Secure Enclave]
A1[Biometric Auth - Face ID or Touch ID] --> B1[Create Key kSecAttrToken=SecureEnclave]
B1 --> C1[Non-exportable P-256 Keypair]
C1 --> D1[Store Identity - Private Key + Certificate]
D1 --> E1[Sign / Decrypt Operation - Private Key stays in enclave]
end
subgraph Android [StrongBox]
A2[Biometric Auth• Fingerprint or Face] --> B2[Create Key in StrongBox]
B2 --> C2[Non-exportable P-256 Keypair]
C2 --> D2[Store Identity - Android Keystore]
D2 --> E2[Sign / Decrypt Operation - Private Key stays in hardware]
end
[](https://docs.gettrusted.app/architectural-foundations/hardware-key-operations#cryptographic-summary)
Cryptographic Summary
----------------------------------------------------------------------------------------------------------------------------------
Component
Platform
Algorithm
Key Size
Exportable
Notes
Secure Enclave
iOS/macOS
ECDSA P-256
256 bit
❌
Biometric-protected
StrongBox
Android
ECDSA P-256
256 bit
❌
Biometric-protected
Signing
SHA256withECDSA
256 bit
N/A
In-hardware execution
Encryption
AES-GCM
256 bit
N/A
Session encryption
###
[](https://docs.gettrusted.app/architectural-foundations/hardware-key-operations#security-guarantees)
Security Guarantees
* Private keys are **generated and remain inside** secure hardware.
* **Biometric gates** prevent unauthorized use.
* **Hardware attestation** ensures key provenance.
* Keys persist securely across app reinstalls but cannot be extracted.
###
[](https://docs.gettrusted.app/architectural-foundations/hardware-key-operations#strategic-implications)
Strategic Implications
GetTrusted’s hardware integration makes cryptographic identity **human-verifiable and hardware-rooted**. Even physical compromise typically cannot reveal secrets security extends from silicon to software.
[PreviousSDK Implementation Overview](https://docs.gettrusted.app/architectural-foundations/sdk-implementation-overview)
[NextLocal Data Encryption](https://docs.gettrusted.app/architectural-foundations/local-data-encryption)
Last updated 2 months ago
* [Overview](https://docs.gettrusted.app/architectural-foundations/hardware-key-operations#overview)
* [Process Flow](https://docs.gettrusted.app/architectural-foundations/hardware-key-operations#process-flow)
* [Cryptographic Summary](https://docs.gettrusted.app/architectural-foundations/hardware-key-operations#cryptographic-summary)
---
# SDK Implementation Overview | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
###
[](https://docs.gettrusted.app/architectural-foundations/sdk-implementation-overview#i.-sdk-philosophy-and-implementation)
I. SDK Philosophy and Implementation
The GetTrusted Mobile Identity System is built around a core Software Development Kit (SDK) implemented in **Rust**. This design choice ensures that all critical security and networking logic is handled in a single, highly performant, and memory-safe codebase, minimizing the attack surface within the higher-level mobile application framework. Additionally this brings cross complication beneifts where we can leverage the same code across, iOS, MacOS, Android, Linux, and Windows.
####
[](https://docs.gettrusted.app/architectural-foundations/sdk-implementation-overview#key-implementation-details)
Key Implementation Details
* **Core Language:** **Rust**
* **Benefit:** Provides robust memory safety (eliminating null pointers, buffer overflows) and high performance, which is crucial for cryptographic operations.
* **Benefit:** Facilitates **cross-compilation**, allowing the core logic to be easily compiled into libraries for iOS, Android, and other platforms, ensuring consistency across the ecosystem.
* **Platform Integration:**
* Platform-specific components (Layers 1 and 2, e.g., accessing the Secure Enclave) are implemented in Rust where available or when necessary in native code (e.g., Swift/Kotlin wrappers) which call into the Rust SDK via **Foreign Function Interfaces (FFI)**.
* This is achieved through **factory patterns** to dynamically select the correct native implementation at runtime.
* **Mobile Client/UI Layer:**
* The user interface is implemented using frameworks **Ionic and Capacitor**. This enables cross platform capabilities on iOS and Android and simplifies mobile development to React based development.
* The mobile application is intentionally designed to be **"dumb,"** relying on the SDK for all business logic, key management, and communication.
* The SDK communicates with the mobile application layer exclusively through **events**, ensuring clear separation between the presentation layer and the secure identity core.
###
[](https://docs.gettrusted.app/architectural-foundations/sdk-implementation-overview#ii.-sdk-responsibilities)
II. SDK Responsibilities
The SDK acts as the exclusive gatekeeper for all external communications and security operations, eliminating the need for the mobile application to handle sensitive data or complex protocols.
Responsibility
Description
**Cryptographic Operations**
Executes all identity creation (BIP39, PBKDF2), key derivation, data encryption (AES-GCM), and X.509 certificate generation/validation.
**Communication Layer**
Manages all network traffic, including direct API calls and persistent **WebSockets** to the API Server and Attestation Server.
**Authentication & Validation**
Generates, signs, and validates the authentication **JWTs** containing Device ID, permissions, and Hardware/Key Attestation Tokens. Answers Challanges and Provides Responses.
**Key & Storage Abstraction**
Manages the secure storage of Device Keys and Certificates within platform-specific HSMs and Keystores (Layer 3).
**Trust Event Logging**
Coordinates the submission of all critical trust events (creation, recovery, trust exchange) to the Attestation Server's public, verifiable log.
###
[](https://docs.gettrusted.app/architectural-foundations/sdk-implementation-overview#iii.-layered-sdk-architecture)
III. Layered SDK Architecture
The SDK is organized into a five-layer architecture, with clear separation of concerns, ensuring hardware isolation is enforced at the lowest levels and business logic is handled at the highest.
[PreviousHigh-Level Architecture](https://docs.gettrusted.app/architectural-foundations/high-level-architecture)
[NextHardware Key Operations](https://docs.gettrusted.app/architectural-foundations/hardware-key-operations)
Last updated 2 months ago
* [I. SDK Philosophy and Implementation](https://docs.gettrusted.app/architectural-foundations/sdk-implementation-overview#i.-sdk-philosophy-and-implementation)
* [II. SDK Responsibilities](https://docs.gettrusted.app/architectural-foundations/sdk-implementation-overview#ii.-sdk-responsibilities)
* [III. Layered SDK Architecture](https://docs.gettrusted.app/architectural-foundations/sdk-implementation-overview#iii.-layered-sdk-architecture)
---
# Identity Recovery Flow | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
_Recover a GetTrusted identity on a new device using encrypted recovery QR codes._
[](https://docs.gettrusted.app/core-workflows/identity-recovery-flow#overview)
Overview
--------------------------------------------------------------------------------------------
GetTrusted’s recovery flow encrypts the 24-word mnemonic using AES-256-GCM and a user-supplied password, producing a **self-contained recovery QR code**. This recovery code is created during identity creation and stored encrypted on device unless deleted. Scanning the QR and providing the same password reconstructs the master identity deterministically.
1
###
[](https://docs.gettrusted.app/core-workflows/identity-recovery-flow#original-device-create-recovery-qr)
Original Device — Create Recovery QR
* Start with the 24-word mnemonic.
* User provides a password.
* Derive an AES key from the password using PBKDF2-SHA512 (100k iterations) and a generated salt.
* Encrypt the mnemonic with AES-256-GCM.
* Compress the encrypted payload with LZMA to reduce QR size.
* Base64-encode the compressed ciphertext and generate/display the QR code.
* Optionally store the Base64/QR in a password manager or save the QR image.
2
###
[](https://docs.gettrusted.app/core-workflows/identity-recovery-flow#new-device-recover-from-qr)
New Device — Recover from QR
* Scan the recovery QR.
* Base64-decode the scanned payload.
* LZMA-decompress to obtain the encrypted mnemonic, salt, and nonce.
* User provides the same password.
* Derive the decryption key via PBKDF2-SHA512 using the extracted salt (same parameters).
* Decrypt the mnemonic with AES-256-GCM.
* Recreate the identity deterministically (via Workflow 1), producing an identical master identity; device private keys will differ.
[](https://docs.gettrusted.app/core-workflows/identity-recovery-flow#process-flow-diagram)
Process Flow (diagram)
----------------------------------------------------------------------------------------------------------------------
Copy
flowchart TD
subgraph Original_Device [Original Device]
A1[Create Recovery QR] --> A2[Mnemonic 24 words]
A2 --> A3[User Passphrase]
A3 --> A4[PBKDF2 Key Derivation - 100k iterations]
A4 --> A5[Generate Salt]
A5 --> A6[AES-256-GCM Encrypt Mnemonic]
A6 --> A7[LZMA Compression - reduce QR size]
A7 --> A8[Base64 Encode and Display QR Code]
A8 --> A9[Store in Password Manager or Save QR]
end
subgraph New_Device [New Device]
B1[Scan Recovery QR] --> B2[Base64 Decode]
B2 --> B3[LZMA Decompress]
B3 --> B4[Extract Encrypted Mnemonic, Salt, Nonce]
B4 --> B5[User Password]
B5 --> B6[PBKDF2 same salt - Derive Decryption Key]
B6 --> B7[AES-256-GCM Decrypt Mnemonic]
B7 --> B8[Recreate Identity via Workflow 1]
B8 --> B9[Result - Identical Master Identity with New Device Key]
end
A9 -.-> B1
[](https://docs.gettrusted.app/core-workflows/identity-recovery-flow#cryptographic-summary)
Cryptographic Summary
----------------------------------------------------------------------------------------------------------------------
Component
Algorithm
Key Size
Purpose
Password Derivation
PBKDF2-SHA512
256 bit
Derive AES key
Encryption
AES-256-GCM
256 bit
Protect mnemonic
Compression
LZMA
–
Reduce QR size
Encoding
Base64
–
QR-safe transport
* * *
Security Guarantees
* Recovery material is **AES-256 encrypted** before encoding — safe to store in password managers.
* Decryption requires both **password and QR data**.
* Recovered mnemonic regenerates **identical master identity**; private keys differ per device.
* Recovery cannot decrypt historical messages — only re-establish identity.
* * *
Strategic Implications
By separating recovery from decryption, GetTrusted achieves **recoverability without risk**. Users can lose devices but never lose identity integrity.
[PreviousIdentity Creation](https://docs.gettrusted.app/core-workflows/identity-creation)
[NextTrust Exchange](https://docs.gettrusted.app/core-workflows/trust-exchange)
Last updated 2 months ago
* [Overview](https://docs.gettrusted.app/core-workflows/identity-recovery-flow#overview)
* [Original Device — Create Recovery QR](https://docs.gettrusted.app/core-workflows/identity-recovery-flow#original-device-create-recovery-qr)
* [New Device — Recover from QR](https://docs.gettrusted.app/core-workflows/identity-recovery-flow#new-device-recover-from-qr)
* [Process Flow (diagram)](https://docs.gettrusted.app/core-workflows/identity-recovery-flow#process-flow-diagram)
* [Cryptographic Summary](https://docs.gettrusted.app/core-workflows/identity-recovery-flow#cryptographic-summary)
---
# Google Workspace | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
To configure your Google Workspaces as your Directory Provider we will need you to provide a valid service account with domain delegation, your administrative email, customer id, and domain. With this we will be able to distribute contacts based on your directory structure.
To get your Google Service Account for GetTrusted you can follow this guide.
1. Go to [Google Cloud Console](https://console.cloud.google.com/)
and select IAM & Admin -> Service Accounts

1. Select Create Service Account from the top of the list of service accounts.

Continue to create your account, with no permissions or principals with access. After you create your service account you will download its credentials as json, we will need this to configure your directory services. Also copy the client ID as we will need that in the next steps.
We need domain [delegation permissions](https://developers.google.com/workspace/cloud-search/docs/guides/delegation)
for this service account, and
To delegate domain-wide authority to a service account in Google.
1. From your domain’s [Admin console](http://admin.google.com/)
, go to **Main menu** menu > **Security** > **Access and data control** > **API controls**.
2. In the **Domain wide delegation** pane, select **Manage Domain Wide Delegation**.
3. Click **Add new**.
4. In the **Client ID** field, enter the client ID obtained from the service account creation steps above.
5. In the **OAuth Scopes** field, enter a comma-delimited list of the scopes for GetTrusted.
`https://www.googleapis.com/auth/admin.directory.user.readonly`
`https://www.googleapis.com/auth/admin.directory.group.readonly`
`https://www.googleapis.com/auth/admin.directory.orgunit.readonly`
6. Click **Authorize**.
####
[](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/google-workspace#continue-in-gettrusted-enterprise)
Continue in GetTrusted Enterprise
Upload your service account json in the provided field, which will validate the json. After that you need to enter the administrator email of your Google Workspaces as well as your [customer ID](https://support.google.com/a/answer/10070793?hl=en)
and your primary domain. Then click Test Configuration, once you have a successful test, you can save your configuration and move on to test your Single Sign-on and Directory Settings by completing a SSO login and continuing with [setting up onboarding requirements.](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/setup-onboarding-requirements)

[PreviousConfigure Directory Services](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services)
[NextOkta Directory Provider](https://docs.gettrusted.app/getting-started/quickstart-for-enterprises/configure-directory-services/okta-directory-provider)
Last updated 1 month ago
---
# Trust Exchange | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
GetTrusted uses a **certificate-backed ECDH key exchange** to establish direct trust between devices. Each interaction results in a new, ephemeral session key ensuring forward secrecy and mutual verification.
[](https://docs.gettrusted.app/core-workflows/trust-exchange#overview)
Overview
------------------------------------------------------------------------------------
This process describes how two users, Alice (the initiator) and Bob (the recipient), securely establish a mutual trust relationship and exchange their verified identity personas, rooted in their hardware keys.
####
[](https://docs.gettrusted.app/core-workflows/trust-exchange#phase-1-initiation-and-token-exchange)
Phase 1: Initiation and Token Exchange
The process begins with Alice setting up a secure, temporary rendezvous point for the exchange.
1. Alice Selects Persona: Alice decides which specific digital persona (e.g., "Professional Identity," "Personal Friend") she wants to share with Bob.
2. Session Creation: Alice's device uses the SessionManager server component to create and join a unique, temporary trust session and stores her selected persona there (encrypted).
3. Token Generation: Alice generates a Trust Exchange Token, typically a QR code or a link sent via SMS.
4. Token Delivery: Alice displays or sends this token to Bob, completing the out-of-band invitation.
####
[](https://docs.gettrusted.app/core-workflows/trust-exchange#phase-2-mutual-persona-exchange)
Phase 2: Mutual Persona Exchange
Bob uses the token to join the session, and both parties prepare their identity data for the cryptographic handshake.
1. Bob Joins: Bob scans the QR code or clicks the link, joining the trust session via the SessionManager.
2. Data Provision: The SessionManager provides Bob with Alice’s initial persona data and trust details. This allows Bob the abillity to consent to the share with knowlege.
3. Bob Accepts & Selects Persona: Bob accepts the trust request and selects his own persona to share back with Alice.
4. Certificate Verification: Bob's device retrieves Alice’s public certificate (signed by her Master Identity CA) and verifies its authenticity and validity.
####
[](https://docs.gettrusted.app/core-workflows/trust-exchange#phase-3-cryptographic-handshake-and-verification)
Phase 3: Cryptographic Handshake and Verification
This is the critical security phase where the devices generate a shared session key and verify the exchange integrity using a secure, human-verified challenge.
1. Shared Secret Generation (ECDH): Both devices independently compute a shared secret. Alice uses her Device Private Key and Bob's Public Certificate; Bob uses his Device Private Key and Alice's Public Certificate. Since they use key pairs generated from the same underlying identity systems, they arrive at the same shared secret.
2. Session Key Derivation (HKDF): Both devices use the HKDF-SHA256 standard to derive a strong, symmetric Session Key from the shared secret. All further communication within this session is encrypted with this key.
3. Secure Nonce Challenge:Both Bob and Alice generate a unique six-digit secure nonce (PIN) using the shared secret of the exchange.
4. Out-of-Band Verification: Alice and Bob must verbally or visually verify this six-digit PIN _out-of-band_ (e.g., reading the number aloud). This prevents Man-in-the-Middle (MITM) attacks.
5. Challenge Completion: Alice enters the final digit of the PIN back into her device to complete the challenge, confirming the human-verified match.
####
[](https://docs.gettrusted.app/core-workflows/trust-exchange#phase-4-finalization-and-attestation)
Phase 4: Finalization and Attestation
Once the cryptographic session is verified and the human challenge is complete, the trust is formalized and recorded.
1. Session Finalization: Alice and Bob both send a verification success message to the SessionManager. The SessionManager notifies both devices that the trust exchange is complete.
2. Data Retrieval: Both Alice and Bob retrieve the now fully encrypted, reciprocal persona data from the session store.
3. Trust Attestation (Logging): Both Alice and Bob's devices separately send an event to the AttestationManager server to log the new mutual trust relationship on the verifiable, immutable Trust Graph. This enables future key discovery reguardless of device recovery as trust is created at the master identity level.
4. Session Closeout: The session is closed by the SessionManager, concluding the secure exchange.
[](https://docs.gettrusted.app/core-workflows/trust-exchange#process-flow)
Process Flow
--------------------------------------------------------------------------------------------
* * *
[](https://docs.gettrusted.app/core-workflows/trust-exchange#cryptographic-summary)
Cryptographic Summary
--------------------------------------------------------------------------------------------------------------
Component
Algorithm
Key Size
Purpose
Key Exchange
ECDH P-256
256 bit
Shared session secret
Key Derivation
HKDF-SHA256
256 bit
Derive AES session key
Encryption
AES-256-GCM
256 bit
Authenticated session encryption
Certificate
X.509
–
Validates device authenticity
* * *
Security Guarantees
* Each session uses **ephemeral keys**; past sessions cannot be decrypted (forward secrecy).
* Mutual certificate verification ensures **no impersonation**.
* Encrypted persona exchange binds identity cryptographically, not by assumption.
* All data in transit is encrypted and integrity-protected.
* * *
Strategic Implications
GetTrusted replaces “trust me” phone calls with **cryptographically verifiable calls**.
The result: human-to-human trust that scales as securely as machine-to-machine authentication.
[PreviousIdentity Recovery Flow](https://docs.gettrusted.app/core-workflows/identity-recovery-flow)
[NextTrust Verification Challenge](https://docs.gettrusted.app/core-workflows/trust-verification-challenge)
Last updated 2 months ago
* [Overview](https://docs.gettrusted.app/core-workflows/trust-exchange#overview)
* [Process Flow](https://docs.gettrusted.app/core-workflows/trust-exchange#process-flow)
* [Cryptographic Summary](https://docs.gettrusted.app/core-workflows/trust-exchange#cryptographic-summary)
Copy
sequenceDiagram
participant Alice
participant Bob
participant SessionManager
participant AttestationManager
Alice->>Alice: Selects persona to share with recipient
Alice->>SessionManager: Creates and joins trust session
Alice->>SessionManager: Stores selected persona in session
Alice->>Alice: Generate QR or SMS trust exchange token
Alice->>Bob: Displays or sends trust exchange token
Bob->>Bob: Scan QR or click link from SMS
Bob->>SessionManager: Joins trust session
SessionManager->>Bob: Provides Alice persona and trust data
Bob->>Bob: Decides to accept the trust request
Bob->>Bob: Selects persona to share back to Alice
Bob->>Bob: Gets Alice ID and public certificate then verifies validity
Alice->>Alice: Compute shared secret ECDH device private with Bob public certificate
Bob->>Bob: Compute shared secret ECDH device private with Alice public certificate
Alice->>Bob: Derive session key using HKDF SHA256
Bob->>Alice: Derive same session key
Bob->>Bob: Generate six digit secure nonce
Alice->>Alice: Generate six digit secure nonce
Bob->>Alice: Verify six digit pin out of band
Alice->>Bob: Enter last digit of pin to complete challenge
Bob->>SessionManager: Send selected persona to store in session.
Alice->>SessionManager: Send verification success
Bob->>SessionManager: Send verification success
SessionManager->>Bob: Trust exchange complete
SessionManager->>Alice: Trust exchange complete
Bob->>SessionManager: Get encrypted persona from session store
Alice->>SessionManager: Get encrypted persona from session store
Bob->>AttestationManager: Attest Bob trusts Alice on the graph
Alice->>AttestationManager: Attest Alice trusts Bob on the graph
Alice->>Bob: Bye
Bob->>Alice: Bye
SessionManager->>Alice: Bye
SessionManager->>Bob: Bye
---
# Identity Creation | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
_Create a hardware-backed master identity that anchors all trust relationships in GetTrusted._
[](https://docs.gettrusted.app/core-workflows/identity-creation#overview)
Overview
---------------------------------------------------------------------------------------
The identity-creation process establishes a **unique, cryptographically verifiable identity** on a user’s device. It uses hardware-backed key generation, mnemonic recovery, and one-time master key delegation and master based backup encryption key to ensure that no long-term secrets exist outside secure enclaves.
[](https://docs.gettrusted.app/core-workflows/identity-creation#process-flow)
Process Flow
-----------------------------------------------------------------------------------------------
Copy
flowchart TD
A[1. User Input
• Pass phrase user provided - 2 words 3 letters or more for 7 characters] --> B[2. BIP39 Mnemonic Generation
• 24 words = 256-bit entropy
• Hardware randomness]
B --> C[3. Master Key Derivation PBKDF2-SHA512
• 100,000 iterations
• Input: mnemonic + password]
C --> D[HKDF-SHA256 key expansion
• Output: 32-byte key]
D --> E[4. Master Identity Components
• Master Private Key P-256 ECDSA
• Master Public Key
• Fingerprint SHA-256 of pubkey
• Backend ID is fingerpint of certificate]
E --> F[5. Device Key Generation in Hardware
• Secure Enclave / StrongBox / TPM
• Generate P-256 keypair
• Private key: hardware-only
• Public key: extractable]
F --> G[6. Certificate Creation
• X.509 Device Certificate
• Signed by Master Private Key
• Subject: Device ID
• Contains: Device Public Key]
G --> H[7. Master Key Destruction
• CRITICAL: Master private key DESTROYED
• Only device key remains
• Certificate proves authority]
H --> I[8. Hardware Storage
• Platform Keychain / Keystore
• Store: Device key + Certificate
• Type: kSecClassIdentity]
I --> R((Result:
Complete hardware-backed identity
with certificate delegation))
1
###
[](https://docs.gettrusted.app/core-workflows/identity-creation#user-input)
User Input
* Pass phrase provided by the user.
* 2 words 3 letters or more.
* 7 letters or more with space of additional entropy.
2
###
[](https://docs.gettrusted.app/core-workflows/identity-creation#bip39-mnemonic-generation)
BIP39 Mnemonic Generation
* Generate a 24-word mnemonic (256-bit entropy).
* Source entropy from hardware randomness.
3
###
[](https://docs.gettrusted.app/core-workflows/identity-creation#master-key-derivation)
Master Key Derivation
* Derive master key using PBKDF2-SHA512 with 100,000 iterations.
* Inputs: mnemonic + password.
4
###
[](https://docs.gettrusted.app/core-workflows/identity-creation#key-expansion)
Key Expansion
* Apply HKDF-SHA256 to expand derived material.
* Output: 32-byte key.
5
###
[](https://docs.gettrusted.app/core-workflows/identity-creation#master-identity-components)
Master Identity Components
* Master Private Key: ECDSA P-256.
* Master Public Key.
* Fingerprint: SHA-256 of public key.
* Backend ID: fingerprint of certificate.
6
###
[](https://docs.gettrusted.app/core-workflows/identity-creation#device-key-generation-in-hardware)
Device Key Generation in Hardware
* Generate P-256 keypair inside secure hardware (Secure Enclave / StrongBox / TPM).
* Private key is hardware-only (non-exportable).
* Public key is extractable for certificate inclusion.
7
###
[](https://docs.gettrusted.app/core-workflows/identity-creation#certificate-creation)
Certificate Creation
* Create an X.509 device certificate containing the device public key and device ID as the subject.
* Sign the certificate with the master private key.
8
###
[](https://docs.gettrusted.app/core-workflows/identity-creation#master-key-destruction-and-hardware-storage)
Master Key Destruction & Hardware Storage
* CRITICAL: Destroy the master private key after use (exists only once).
* Store device key and certificate in platform key storage (e.g., Keychain/Keystore) as a kSecClassIdentity-like entry.
* Result: complete hardware-backed identity with certificate delegation.
[](https://docs.gettrusted.app/core-workflows/identity-creation#cryptographic-summary)
Cryptographic Summary
-----------------------------------------------------------------------------------------------------------------
Component
Algorithm
Key Size
Storage Location
Purpose
Mnemonic
BIP39 (Entropy 256-bit)
–
User memory / optional QR
Recovery seed
Master Key
ECDSA P-256
256 bit
Temporary memory
Signs device certificates once
Device Key
ECDSA P-256
256 bit
Secure Enclave / StrongBox
Ongoing identity operations
Encryption
AES-256-GCM
256 bit
Runtime
Protect private data at rest/in transit
[](https://docs.gettrusted.app/core-workflows/identity-creation#security-guarantees)
Security Guarantees
-------------------------------------------------------------------------------------------------------------
* Master private key exists **only once**, then is destroyed.
* Device private keys are **hardware-bound and non-exportable**.
* Recovery is **mnemonic-based**, not key-based — the master key is _reconstructed_, never stored.
* Certificates cryptographically prove device authority without exposing master secrets.
[](https://docs.gettrusted.app/core-workflows/identity-creation#strategic-implications)
Strategic Implications
-------------------------------------------------------------------------------------------------------------------
GetTrusted identities are born **secure-by-design**: there are no static credentials to steal. Hardware-backed key generation eliminates centralized trust, enabling verifiable, user-owned identity for every interaction.
[PreviousLocal Data Encryption](https://docs.gettrusted.app/architectural-foundations/local-data-encryption)
[NextIdentity Recovery Flow](https://docs.gettrusted.app/core-workflows/identity-recovery-flow)
Last updated 2 months ago
* [Overview](https://docs.gettrusted.app/core-workflows/identity-creation#overview)
* [Process Flow](https://docs.gettrusted.app/core-workflows/identity-creation#process-flow)
* [User Input](https://docs.gettrusted.app/core-workflows/identity-creation#user-input)
* [BIP39 Mnemonic Generation](https://docs.gettrusted.app/core-workflows/identity-creation#bip39-mnemonic-generation)
* [Master Key Derivation](https://docs.gettrusted.app/core-workflows/identity-creation#master-key-derivation)
* [Key Expansion](https://docs.gettrusted.app/core-workflows/identity-creation#key-expansion)
* [Master Identity Components](https://docs.gettrusted.app/core-workflows/identity-creation#master-identity-components)
* [Device Key Generation in Hardware](https://docs.gettrusted.app/core-workflows/identity-creation#device-key-generation-in-hardware)
* [Certificate Creation](https://docs.gettrusted.app/core-workflows/identity-creation#certificate-creation)
* [Master Key Destruction & Hardware Storage](https://docs.gettrusted.app/core-workflows/identity-creation#master-key-destruction-and-hardware-storage)
* [Cryptographic Summary](https://docs.gettrusted.app/core-workflows/identity-creation#cryptographic-summary)
* [Security Guarantees](https://docs.gettrusted.app/core-workflows/identity-creation#security-guarantees)
* [Strategic Implications](https://docs.gettrusted.app/core-workflows/identity-creation#strategic-implications)
---
# Trust Verification Challenge | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#overview)
Overview
--------------------------------------------------------------------------------------------------
GetTrusted's Challenge and Response Verification is a real-time identity verification system that enables secure authentication during live conversations or interactions. The system uses device-to-device cryptographic challenges with hardware-backed signatures, ensuring that the person you're communicating with is truly who they claim to be. We do require trusted contacts as only those that you trust already can be exploited to get you to act.
Key Security Features:
* Zero-Knowledge Server: Backend never sees plaintext challenge data
* Hardware-Backed Signatures: All signatures verified from Secure Enclave/StrongBox/TPM
* End-to-End Encryption: ECIES encryption ensures only recipient device can decrypt
* Real-time Delivery: WebSocket (foreground) or FCM push (background) delivery
* Bilateral Trust: Both parties maintain local verification history
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#process-overview)
Process Overview
------------------------------------------------------------------------------------------------------------------
Alice (the Challenger) wants to verify Bob's identity during a phone call or video chat. She initiates a verification challenge that Bob must approve in real-time from his device.
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#alices-perspective-challenger)
Alice's Perspective (Challenger)
1
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#initiate-verification)
Initiate verification
Alice initiates verification during an active conversation with Bob.
2
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#discover-bobs-device-identities)
Discover Bob's device identities
App discovers Bob's device identities registered under his master identity.
3
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#encrypt-the-challenge)
Encrypt the challenge
Challenge is encrypted with Bob's device public key (ECIES encryption).
4
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#sign-the-challenge)
Sign the challenge
Signed with Alice's device key (hardware-backed ECDSA signature).
5
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#deliver-the-challenge)
Deliver the challenge
Delivered via WebSocket (if Bob is in foreground) or FCM push (background).
6
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#wait-for-response)
Wait for response
Alice waits for response with UI showing "Waiting for verification..."
7
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#receive-response)
Receive response
Bob's response arrives encrypted and signed.
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#bobs-perspective-responder)
Bob's Perspective (Responder)
1
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#receive-notification)
Receive notification
Bob receives push notification or WebSocket message with encrypted challenge.
2
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#decrypt-challenge)
Decrypt challenge
App decrypts challenge using Bob's device private key (hardware-only operation).
3
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#validate-signature)
Validate signature
Validates Alice's signature using her public certificate.
4
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#display-challenge-ui)
Display challenge UI
Displays challenge UI showing Alice's name, trust level, and verification request.
5
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#approve-or-deny)
Approve or deny
Bob approves/denies the verification request.
6
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#encrypt-response)
Encrypt response
Response is encrypted with Alice's device public key.
7
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#sign-and-send-response)
Sign and send response
Signed with Bob's device key and sent back to Alice.
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#process-flow-diagram)
Process Flow Diagram
--------------------------------------------------------------------------------------------------------------------------
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#cryptographic-security)
Cryptographic Security
------------------------------------------------------------------------------------------------------------------------------
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#ecies-encryption-end-to-end)
ECIES Encryption (End-to-End)
Challenge Encryption (Alice → Bob):
Challenge Decryption (Bob's Device):
###
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#ecdsa-signatures-hardware-backed)
ECDSA Signatures (Hardware-Backed)
Alice's Device Signature:
Bob's Signature Verification:
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#security-guarantees)
Security Guarantees
------------------------------------------------------------------------------------------------------------------------
1. End-to-End Encryption
* Server never sees plaintext challenge or response data
* Only Alice's and Bob's devices can decrypt messages
* ECIES provides perfect forward secrecy per session
1. Hardware-Backed Authentication
* All signatures from Secure Enclave/StrongBox/TPM
* Private keys never leave hardware security modules
* Device attestation tokens verify hardware security level
1. Replay Attack Protection
* Cryptographic nonce in each challenge (unique)
* Challenge expiration (10-minute TTL in Redis)
* Timestamp validation prevents old challenges
1. Man-in-the-Middle Protection
* Mutual certificate verification required
* PKI trust chain: Device → Master → Root CA
* Signature validation before showing challenge UI
1. Bilateral Trust History
* Alice stores: "I challenged Bob at timestamp X, he approved"
* Bob stores: "Alice challenged me at timestamp X, I approved"
* Verification history immutable and hardware-signed
[](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#strategic-implications)
Strategic Implications
------------------------------------------------------------------------------------------------------------------------------
Replacing "Trust Me" Phone Calls
Traditional Problem:
GetTrusted Solution:
Document Version: 1.0 Last Updated: 2025-10-10 SDK Version: gettrusted-sdk-dual v2.0 API Version: gettrusted-api v1.0
[PreviousTrust Exchange](https://docs.gettrusted.app/core-workflows/trust-exchange)
[NextUser Data Backup](https://docs.gettrusted.app/core-workflows/user-data-backup)
Last updated 2 months ago
* [Overview](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#overview)
* [Process Overview](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#process-overview)
* [Alice's Perspective (Challenger)](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#alices-perspective-challenger)
* [Initiate verification](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#initiate-verification)
* [Discover Bob's device identities](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#discover-bobs-device-identities)
* [Encrypt the challenge](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#encrypt-the-challenge)
* [Sign the challenge](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#sign-the-challenge)
* [Deliver the challenge](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#deliver-the-challenge)
* [Wait for response](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#wait-for-response)
* [Receive response](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#receive-response)
* [Bob's Perspective (Responder)](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#bobs-perspective-responder)
* [Receive notification](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#receive-notification)
* [Decrypt challenge](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#decrypt-challenge)
* [Validate signature](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#validate-signature)
* [Display challenge UI](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#display-challenge-ui)
* [Approve or deny](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#approve-or-deny)
* [Encrypt response](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#encrypt-response)
* [Sign and send response](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#sign-and-send-response)
* [Process Flow Diagram](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#process-flow-diagram)
* [Cryptographic Security](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#cryptographic-security)
* [ECIES Encryption (End-to-End)](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#ecies-encryption-end-to-end)
* [ECDSA Signatures (Hardware-Backed)](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#ecdsa-signatures-hardware-backed)
* [Security Guarantees](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#security-guarantees)
* [Strategic Implications](https://docs.gettrusted.app/core-workflows/trust-verification-challenge#strategic-implications)
Copy
sequenceDiagram
participant Alice Device
participant Alice Secure Enclave
participant GetTrusted Backend
participant Bob Device
participant Bob Secure Enclave
Note over Alice Device,Bob Secure Enclave: Phase 1: Challenge Initiation
Alice Device->>Alice Secure Enclave: Sign verification challenge
Alice Secure Enclave-->>Alice Device: Hardware signature
Alice Device->>GetTrusted Backend: POST /verification/challenge
Note right of Alice Device: ECIES encrypted with Bob's public key
Signed with Alice's device key
Note over Alice Device,Bob Secure Enclave: Phase 2: Device Discovery & Delivery
GetTrusted Backend->>GetTrusted Backend: Discover Bob's devices
(master_identity → device_identities)
GetTrusted Backend->>GetTrusted Backend: Store challenge in Redis (10min TTL)
alt Bob App in Foreground
GetTrusted Backend->>Bob Device: WebSocket: verification_challenge
else Bob App in Background or WebSocket Failed
GetTrusted Backend->>Bob Device: FCM Push: verification_challenge
end
Note over Alice Device,Bob Secure Enclave: Phase 3: Challenge Decryption & Display
Bob Device->>Bob Secure Enclave: Decrypt challenge
Bob Secure Enclave-->>Bob Device: Decrypted challenge data
Bob Device->>Bob Device: Verify Alice's signature
Display challenge UI
Note over Alice Device,Bob Secure Enclave: Phase 4: User Response
Bob Device->>Bob Secure Enclave: Sign approval response
Bob Secure Enclave-->>Bob Device: Hardware signature
Bob Device->>GetTrusted Backend: POST /verification/response
Note right of Bob Device: ECIES encrypted with Alice's public key
Signed with Bob's device key
Note over Alice Device,Bob Secure Enclave: Phase 5: Response Delivery
GetTrusted Backend->>GetTrusted Backend: Validate responder
Calculate latency
Update Redis
alt Alice App in Foreground
GetTrusted Backend->>Alice Device: WebSocket: verification_response
else Alice App in Background or WebSocket Failed
GetTrusted Backend->>Alice Device: FCM Push: verification_response
end
Alice Device->>Alice Secure Enclave: Decrypt response
Alice Secure Enclave-->>Alice Device: Decrypted response data
Alice Device->>Alice Device: Verify Bob's signature
Update verification history
Show result
Copy
1. Get Bob's device public key (P-256 ECDSA)
2. Generate ephemeral key pair
3. Derive shared secret using ECDH
4. Derive encryption key using HKDF-SHA256
5. Encrypt challenge data using AES-256-GCM
6. Base64 encode for transmission
Copy
1. Base64 decode encrypted blob
2. Extract ephemeral public key
3. Derive shared secret using Bob's device private key (hardware-only)
4. Derive decryption key using HKDF-SHA256
5. Decrypt using AES-256-GCM
6. Verify message integrity
Copy
1. Hash challenge data using Blake3
2. Sign hash with device private key (Secure Enclave operation)
3. Include signature in encrypted payload
4. Signature proves Alice's device authorized this challenge
Copy
1. Extract Alice's device certificate from challenge
2. Get Alice's public key from certificate
3. Verify signature using P-256 ECDSA
4. Validates challenge is from Alice's hardware-backed device
Copy
Alice: "Hey Bob, can you confirm you're on this call?"
Bob: "Yeah, it's me."
Alice: "Can you say something only you would know?"
Bob: "Remember that meeting last week?"
Alice: (Still unsure if voice could be AI/deepfake)
Copy
Alice: [Taps "Verify Identity" in app during call]
Bob: [Receives push: "Alice is verifying your identity" - taps Approve]
Alice: ✓ Bob verified via hardware attestation - Secure Enclave signature validated
---
# User Data Backup | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
[](https://docs.gettrusted.app/core-workflows/user-data-backup#overview)
Overview
--------------------------------------------------------------------------------------
We do not backup or restore enterprise data, we filter it out as managed personas and managed contacts can be recovered and should only be recovered through enterprise onboarding/recovery.
GetTrusted's Backup Flow creates encrypted, compressed backups of user data (contacts, personas, trust attestations) with deterministic key derivation for automatic backup recovery. The system uses HKDF-SHA256 for Backup Encryption Key (BEK) derivation, AES-256-GCM for encryption, and stores encrypted blobs in AWS S3 with zero-knowledge security.
Key Security Features:
* Deterministic BEK Derivation: HKDF-SHA256(Master ID, passphrase) — always same BEK for recovery
* Hardware-Backed BEK Storage: BEK stored in iOS Keychain / Android KeyStore after derivation
* Zero-Knowledge Server: Backend stores encrypted blobs in S3, never sees plaintext
* GZIP Compression: ~60% size reduction before encryption
* AES-256-GCM Encryption: Authenticated encryption with nonce-based security
* Automatic Backup Triggering: Data changes trigger automatic background uploads
[](https://docs.gettrusted.app/core-workflows/user-data-backup#process-overview)
Process Overview
------------------------------------------------------------------------------------------------------
Alice (an existing user) makes changes to her contacts or personas. The app automatically creates an encrypted backup and uploads it to AWS S3 via the GetTrusted backend.
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#alices-perspective-user-with-automatic-backups)
Alice's Perspective (User with Automatic Backups)
1
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#identity-and-bek-state)
Identity & BEK state
* Alice's identity already created with Master ID and passphrase.
* BEK already derived during identity creation and stored in hardware keychain.
2
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#data-change-detected)
Data change detected
* Alice adds a new contact or updates a persona.
* App detects the data change and triggers automatic backup.
3
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#data-export-and-field-stripping)
Data export & field stripping
* SDK queries local storage (contacts, personas, attestations).
* Encrypted rows are decrypted with the database encryption key.
* Device-specific fields are stripped:
* Remove device\_id
* Remove created\_at
* Remove updated\_at
* Create BackupData structure: { master\_id, contacts\[\], personas\[\], attestations\[\] }
4
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#compression)
Compression
* Serialize BackupData to JSON.
* Compress with GZIP (Compression::default).
* Typical reduction: ~60% size reduction.
5
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#bek-retrieval)
BEK retrieval
* SDK retrieves BEK (32 bytes) from secure hardware-backed keychain (stored during identity creation).
* Retrieval requires no user interaction on typical automatic backup flow.
6
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#encryption)
Encryption
* Generate random nonce (12 bytes).
* Encrypt compressed data using AES-256-GCM with BEK and nonce.
* Build encrypted blob: \[version:1\]\[nonce:12\]\[ciphertext+tag\]
7
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#upload-to-backend)
Upload to backend
* POST /api/v1/backup/cloud/export with { user\_id, encrypted\_backup\_blob, metadata }.
* JWT token used for authentication.
8
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#backend-stores-blob-and-metadata)
Backend stores blob & metadata
* Backend uploads blob to S3 and stores metadata in Firestore.
* SDK receives success response and updates local backup status.
* App continues normally — backup happened invisibly in background.
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#backend-perspective-gettrusted-api--aws-services)
Backend Perspective (GetTrusted API + AWS Services)
1
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#receive-upload)
Receive upload
* Backup upload request arrives with encrypted blob.
* Request includes JWT token for authentication.
2
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#validate-and-extract)
Validate & extract
* Validate JWT token (device signature verification).
* Extract user fingerprint from Master ID (strip any prefix such as 'gtm').
3
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#store-encrypted-blob-in-s3)
Store encrypted blob in S3
* Upload encrypted blob to S3 (zero-knowledge storage).
* Example key: backups/{fingerprint}/backup.bin
4
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#store-metadata-in-firestore)
Store metadata in Firestore
* Store metadata at /backups/{user\_id} with { fingerprint, s3Key, size, exportedAt, status }.
5
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#return-success)
Return success
* Return success response { success: true, backend\_backup\_id } to mobile device.
[](https://docs.gettrusted.app/core-workflows/user-data-backup#process-flow-diagram)
Process Flow Diagram
--------------------------------------------------------------------------------------------------------------
[](https://docs.gettrusted.app/core-workflows/user-data-backup#cryptographic-security)
Cryptographic Security
------------------------------------------------------------------------------------------------------------------
BEK Derivation (HKDF-SHA256)[](https://docs.gettrusted.app/core-workflows/user-data-backup#bek-derivation-hkdf-sha256)
Deterministic Key Derivation:
* HKDF-SHA256(Master ID, passphrase) → BEK
Security Properties:
* Deterministic: Same Master ID + passphrase → same BEK (required for recovery)
* Hardware-Protected Master ID: Master ID stored in Secure Enclave/StrongBox
* User Knowledge Factor: Passphrase required (multi-factor security)
* Standard KDF: HKDF-SHA256 is NIST-approved (RFC 5869)
* One-Way: Cannot derive Master ID or passphrase from BEK
AES-256-GCM Encryption[](https://docs.gettrusted.app/core-workflows/user-data-backup#aes-256-gcm-encryption)
Encrypted Blob Structure:
Security Properties:
* Authenticated Encryption: Integrity and confidentiality guaranteed
* Unique Nonce: Fresh random nonce per backup (no nonce reuse)
* 256-bit Key: BEK provides 256-bit security strength
* Authentication Tag: 128-bit tag prevents tampering
* AEAD: Encrypt-then-MAC integrated (NIST-approved)
[](https://docs.gettrusted.app/core-workflows/user-data-backup#security-guarantees)
Security Guarantees
------------------------------------------------------------------------------------------------------------
1. Deterministic BEK for Recovery
* Same Master ID + passphrase → same BEK
* No random components in derivation (fully reproducible)
* Required for automatic backup restoration on new device
* HKDF-SHA256 ensures uniform distribution
1. Multi-Factor BEK Security
* Hardware Factor: Master ID in Secure Enclave (cannot extract)
* Knowledge Factor: User passphrase required
* Attacker needs BOTH factors to decrypt backup
* Breaking one factor insufficient for backup access
1. Zero-Knowledge Backend
* Backend never sees BEK or plaintext data
* S3 stores only encrypted blobs (opaque ciphertext)
* Firestore stores only metadata (sizes, timestamps)
* Backend compromise does NOT expose user data
1. Hardware-Protected BEK Storage
* BEK stored in iOS Keychain / Android KeyStore
* Hardware-level encryption automatically applied
* Protected by device biometrics / passcode
* Non-exportable from device hardware
* Cleared on logout or backup disable
1. Field Stripping for Portability
* Device-specific fields removed before backup
* New device injects its own device\_id on restore
* Timestamps regenerated for new device
* Clean migration across devices
1. Authenticated Encryption
* AES-256-GCM provides integrity + confidentiality
* Authentication tag prevents tampering
* Modified ciphertext fails to decrypt
* Nonce uniqueness prevents replay attacks
1. Compression Before Encryption
* GZIP reduces plaintext size (~60% typical)
* Compressed before encryption (standard practice)
* Reduces S3 storage costs
* Faster network transfer
[](https://docs.gettrusted.app/core-workflows/user-data-backup#strategic-implications)
Strategic Implications
------------------------------------------------------------------------------------------------------------------
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#automatic-cross-device-sync)
Automatic Cross-Device Sync
Traditional problem:
* User sets up new phone:
* Manually re-add all contacts
* Manually re-create personas
* Lose trust attestation history
* Hours of manual data entry
GetTrusted solution:
* User recovers identity on new phone:
* Enter passphrase (derives same BEK)
* Automatic backup download from S3
* Automatic restoration with BEK
* All contacts, personas, attestations restored
* Zero manual data entry
###
[](https://docs.gettrusted.app/core-workflows/user-data-backup#zero-knowledge-cloud-storage)
Zero-Knowledge Cloud Storage
Backend cannot:
* Decrypt any backup data
* Read contacts or personas
* Access trust attestations
* Derive BEK from encrypted blobs
Backend can:
* Store encrypted blobs reliably (S3 durability)
* Track backup metadata (sizes, timestamps)
* Enable cross-device recovery (blob retrieval)
* Audit access patterns (Firestore logs)
[PreviousTrust Verification Challenge](https://docs.gettrusted.app/core-workflows/trust-verification-challenge)
[NextUser Data Restoration](https://docs.gettrusted.app/core-workflows/user-data-restoration)
Last updated 2 months ago
* [Overview](https://docs.gettrusted.app/core-workflows/user-data-backup#overview)
* [Process Overview](https://docs.gettrusted.app/core-workflows/user-data-backup#process-overview)
* [Alice's Perspective (User with Automatic Backups)](https://docs.gettrusted.app/core-workflows/user-data-backup#alices-perspective-user-with-automatic-backups)
* [Identity & BEK state](https://docs.gettrusted.app/core-workflows/user-data-backup#identity-and-bek-state)
* [Data change detected](https://docs.gettrusted.app/core-workflows/user-data-backup#data-change-detected)
* [Data export & field stripping](https://docs.gettrusted.app/core-workflows/user-data-backup#data-export-and-field-stripping)
* [Compression](https://docs.gettrusted.app/core-workflows/user-data-backup#compression)
* [BEK retrieval](https://docs.gettrusted.app/core-workflows/user-data-backup#bek-retrieval)
* [Encryption](https://docs.gettrusted.app/core-workflows/user-data-backup#encryption)
* [Upload to backend](https://docs.gettrusted.app/core-workflows/user-data-backup#upload-to-backend)
* [Backend stores blob & metadata](https://docs.gettrusted.app/core-workflows/user-data-backup#backend-stores-blob-and-metadata)
* [Backend Perspective (GetTrusted API + AWS Services)](https://docs.gettrusted.app/core-workflows/user-data-backup#backend-perspective-gettrusted-api--aws-services)
* [Receive upload](https://docs.gettrusted.app/core-workflows/user-data-backup#receive-upload)
* [Validate & extract](https://docs.gettrusted.app/core-workflows/user-data-backup#validate-and-extract)
* [Store encrypted blob in S3](https://docs.gettrusted.app/core-workflows/user-data-backup#store-encrypted-blob-in-s3)
* [Store metadata in Firestore](https://docs.gettrusted.app/core-workflows/user-data-backup#store-metadata-in-firestore)
* [Return success](https://docs.gettrusted.app/core-workflows/user-data-backup#return-success)
* [Process Flow Diagram](https://docs.gettrusted.app/core-workflows/user-data-backup#process-flow-diagram)
* [Cryptographic Security](https://docs.gettrusted.app/core-workflows/user-data-backup#cryptographic-security)
* [Security Guarantees](https://docs.gettrusted.app/core-workflows/user-data-backup#security-guarantees)
* [Strategic Implications](https://docs.gettrusted.app/core-workflows/user-data-backup#strategic-implications)
* [Automatic Cross-Device Sync](https://docs.gettrusted.app/core-workflows/user-data-backup#automatic-cross-device-sync)
* [Zero-Knowledge Cloud Storage](https://docs.gettrusted.app/core-workflows/user-data-backup#zero-knowledge-cloud-storage)
Copy
sequenceDiagram
participant Alice Device
participant Alice Secure Enclave
participant SQLite Database
participant GetTrusted Backend
participant AWS S3
participant Firestore
Note over Alice Device,Firestore: Phase 1: Automatic Backup Trigger
Alice Device->>Alice Device: User adds/updates contact or persona
Alice Device->>Alice Device: Data change detected
Alice Device->>SQLite Database: Query contacts, personas, attestations
Note over Alice Device,Firestore: Phase 2: Data Export with Field Stripping
SQLite Database-->>Alice Device: Encrypted rows (database_encryption_key)
Alice Device->>Alice Device: Decrypt rows with database_encryption_key
Alice Device->>Alice Device: Strip device-specific fields:
- Remove device_id
- Remove created_at
- Remove updated_at
Alice Device->>Alice Device: Create BackupData structure:
{master_id, contacts[], personas[], attestations[]}
Note over Alice Device,Firestore: Phase 3: Compression
Alice Device->>Alice Device: Serialize to JSON
Alice Device->>Alice Device: Compress with GZIP (Compression::default)
Note right of Alice Device: ~60% size reduction typical
Note over Alice Device,Firestore: Phase 4: BEK Retrieval from Keychain
Alice Device->>Alice Secure Enclave: Retrieve BEK from keychain
(stored during identity creation)
Alice Secure Enclave-->>Alice Device: BEK (32 bytes)
Note right of Alice Secure Enclave: Hardware-protected keychain storage
No user interaction needed
Note over Alice Device,Firestore: Phase 5: Encryption with AES-256-GCM
Alice Device->>Alice Device: Generate random nonce (12 bytes)
Alice Device->>Alice Device: Encrypt compressed data:
AES-256-GCM(compressed_data, BEK, nonce)
Alice Device->>Alice Device: Build encrypted blob:
[version:1][nonce:12][ciphertext+tag]
Note over Alice Device,Firestore: Phase 6: Upload to Backend
Alice Device->>GetTrusted Backend: POST /api/v1/backup/cloud/export
{user_id, encrypted_backup_blob, metadata}
Note right of Alice Device: JWT token for authentication
GetTrusted Backend->>GetTrusted Backend: Validate JWT signature
GetTrusted Backend->>GetTrusted Backend: Extract fingerprint from user_id
(strip 'gtm' prefix)
Note over Alice Device,Firestore: Phase 7: S3 Storage (Zero-Knowledge)
GetTrusted Backend->>AWS S3: PUT object
Key: backups/{fingerprint}/backup.bin
Body: encrypted_backup_blob
AWS S3-->>GetTrusted Backend: S3 upload complete
{s3Key, size, bucketName}
Note over Alice Device,Firestore: Phase 8: Metadata Storage
GetTrusted Backend->>Firestore: SET /backups/{user_id}
{fingerprint, s3Key, size, exportedAt, status}
Firestore-->>GetTrusted Backend: Document created
GetTrusted Backend-->>Alice Device: {success: true, backend_backup_id}
Alice Device->>Alice Device: Update local backup status
Continue normal operation
Copy
┌─────────┬──────────────┬────────────────────────────────┐
│ Version │ Nonce │ Ciphertext + Authentication Tag │
│ 1 byte │ 12 bytes │ Variable (compressed data + 16) │
│ (0x01) │ (random) │ (AES-256-GCM output) │
└─────────┴──────────────┴────────────────────────────────┘
---
# Enterprise Self Service Signup | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#overview)
Overview
----------------------------------------------------------------------------------------------------------
GetTrusted's Organization Signup Flow enables enterprise administrators to create their organization account through the GetTrusted Enterprise web portal using AWS Cognito authentication. This flow establishes the organizational infrastructure including AWS KMS encryption keys, an organization-specific Certificate Authority (CA), and OIDC integration capabilities for employee onboarding.
Key Security Features:
* AWS Cognito Authentication: Authentication with email verification, this becomes the root account after SSO.
* Automatic CA Generation: Organization intermediate CA created invisibly during signup
* AWS KMS Encryption: Organization data encrypted at rest with dedicated KMS keys
* FIPS-Compliant Cryptography: ECC P-256 signing keys with ECDSA-SHA256
* Certificate Authority Hierarchy: Organization CA signed by GetTrusted Business CA
* Transparency Logging: Business identity attestations submitted to public transparency log
* Zero-Knowledge Architecture: Sensitive data encrypted before storage in Firestore
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#process-overview)
Process Overview
--------------------------------------------------------------------------------------------------------------------------
Diana (a new enterprise administrator) wants to set up GetTrusted for her organization, Acme Corp. She will create an account in the gettrusted-enterprise web portal and establish her organization's cryptographic infrastructure.
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#dianas-perspective-enterprise-administrator)
Diana's Perspective (Enterprise Administrator)
1
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#visit-signup-portal)
Visit signup portal
Diana visits the Enterprise portal and clicks "Create Account".
2
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#fill-signup-form)
Fill signup form
Fields: First Name, Last Name, Work Email, Company Name, Password.
3
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#accept-terms)
Accept terms
Accept Terms of Service and Privacy Policy.
4
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#email-verification)
Email verification
Cognito sends verification code to her work email via SES.
5
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#enter-confirmation-code)
Enter confirmation code
Diana enters the confirmation code from email.
6
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#auto-login)
Auto-login
Auto-login after confirmation and redirect to dashboard.
7
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#create-organization)
Create organization
Dashboard prompts organization creation with pre-filled data.
8
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#submit-organization-details)
Submit organization details
Diana submits: Company Name, Company Domain, Contact Email.
9
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#backend-creates-organization)
Backend creates organization
Backend creates organization with encrypted data and CA certificate.
10
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#organization-active)
Organization active
Organization active: Diana can now configure OIDC and onboard employees.
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#backend-perspective-gettrusted-api--aws-services)
Backend Perspective (GetTrusted API + AWS Services)
1
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#cognito-signup)
Cognito signup
Cognito signup request arrives with user credentials. Cognito creates user in user pool with email verification required. Verification code sent via AWS SES.
2
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#confirmation-and-authentication)
Confirmation & authentication
Confirmation received with verification code from user. User authenticated and JWT tokens issued.
3
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#organization-creation-request)
Organization creation request
Organization creation request arrives with organization details.
4
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#generate-organizationid)
Generate organizationId
Generate organizationId (UUID v4) and check domain uniqueness.
5
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#create-kms-encryption-key)
Create KMS encryption key
Create KMS encryption key for organization data (SYMMETRIC\_DEFAULT) and enable key rotation.
6
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#encrypt-sensitive-data)
Encrypt sensitive data
Encrypt sensitive data (organization name, contact email) with KMS.
7
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#store-initial-organization-document)
Store initial organization document
Store initial organization document in Firestore.
8
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#create-organization-ca-signing-key)
Create organization CA signing key
Create organization CA signing key in KMS (ECC\_NIST\_P256, SIGN\_VERIFY).
9
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#create-csr-and-sign)
Create CSR and sign
Create X.509 CSR for organization intermediate CA, sign CSR with Business CA using KMS signature.
10
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#build-certificate-chain)
Build certificate chain
Build certificate chain: \[Org CA, Business CA, Root CA\].
11
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#attestation-and-transparency-log)
Attestation & transparency log
Create business identity attestation signed by Business CA and submit to transparency log for public verification.
12
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#create-master-identity)
Create master identity
Create master identity for organization CA (gtm prefix + SHA256) and sign for proof of possession.
13
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#update-organization-and-subscription)
Update organization & subscription
Update organization document with CA key ARN and serial number. Create subscription record (30-day trial).
14
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#return-success)
Return success
Return success to web portal.
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#process-flow-diagram)
Process Flow Diagram
----------------------------------------------------------------------------------------------------------------------------------
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#cryptographic-security)
Cryptographic Security
--------------------------------------------------------------------------------------------------------------------------------------
Full PKI Hierarchy:
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#business-identity-attestation)
Business Identity Attestation
Attestation Structure:
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#security-guarantees)
Security Guarantees
--------------------------------------------------------------------------------------------------------------------------------
1. **Cognito Authentication**
* Industry-standard OAuth 2.0 / OpenID Connect
* Email verification required before account activation
* RS256 JWT tokens with Cognito public key validation
* MFA support available
* Password policies: minimum 8 characters
1. **AWS KMS Key Protection**
* Organization encryption keys created per-organization
* CA signing keys stored in Hardware Security Modules (HSMs)
* Keys never leave KMS (all operations via API)
* Automatic key rotation for symmetric keys (365 days)
* Fine-grained IAM policies control key access
* CloudTrail logging for all key usage
1. **Data Encryption at Rest**
* Organization name and contact email encrypted with KMS
* Encrypted data stored as base64 in Firestore
* Decryption requires both KMS key ARN and ciphertext
* No plaintext sensitive data in database
1. **Certificate Authority Security**
* FIPS-compliant ECC P-256 cryptography
* Business CA private key in KMS (never exported)
* Organization CA private key in KMS (never exported)
* Certificate chain validation from root to leaf
* 5-year validity for organization CAs
* Rotation eligible 6 months before expiry
1. **Transparency and Auditability**
* Business identity attestations logged publicly
* Merkle tree inclusion proofs
* Public verification of organization CA delegation
* Immutable audit trail in transparency log
* Master identity with cryptographic proof of possession
1. **Zero-Knowledge Architecture**
* GetTrusted backend never sees private keys
* Encrypted blobs stored in Firestore
* KMS handles all encryption/decryption operations
* Minimal metadata for indexing/querying
1. **Certificate Lifecycle Management**
* Automatic rotation support (6 months before expiry)
* CRL distribution points configured
* OCSP endpoints for real-time revocation checking
* Certificate serial numbers tracked in Firestore
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#strategic-implications)
Strategic Implications
--------------------------------------------------------------------------------------------------------------------------------------
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#enterprise-onboarding-simplification)
Enterprise Onboarding Simplification
Before GetTrusted:
With GetTrusted:
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#cryptographic-trust-hierarchy)
Cryptographic Trust Hierarchy
Trust Establishment:
* Organization CA signed by GetTrusted Business CA
* Business CA signed by GetTrusted Root CA (offline, air-gapped)
* Root CA trusted by GetTrusted mobile apps
* Employee device certificates signed by Organization CA
* End-to-end cryptographic verification
Assurance Levels:
###
[](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#undefined)
[PreviousUser Data Restoration](https://docs.gettrusted.app/core-workflows/user-data-restoration)
[NextEmployee Onboarding Flow](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow)
Last updated 2 months ago
* [Overview](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#overview)
* [Process Overview](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#process-overview)
* [Diana's Perspective (Enterprise Administrator)](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#dianas-perspective-enterprise-administrator)
* [Visit signup portal](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#visit-signup-portal)
* [Fill signup form](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#fill-signup-form)
* [Accept terms](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#accept-terms)
* [Email verification](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#email-verification)
* [Enter confirmation code](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#enter-confirmation-code)
* [Auto-login](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#auto-login)
* [Create organization](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#create-organization)
* [Submit organization details](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#submit-organization-details)
* [Backend creates organization](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#backend-creates-organization)
* [Organization active](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#organization-active)
* [Backend Perspective (GetTrusted API + AWS Services)](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#backend-perspective-gettrusted-api--aws-services)
* [Cognito signup](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#cognito-signup)
* [Confirmation & authentication](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#confirmation-and-authentication)
* [Organization creation request](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#organization-creation-request)
* [Generate organizationId](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#generate-organizationid)
* [Create KMS encryption key](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#create-kms-encryption-key)
* [Encrypt sensitive data](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#encrypt-sensitive-data)
* [Store initial organization document](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#store-initial-organization-document)
* [Create organization CA signing key](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#create-organization-ca-signing-key)
* [Create CSR and sign](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#create-csr-and-sign)
* [Build certificate chain](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#build-certificate-chain)
* [Attestation & transparency log](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#attestation-and-transparency-log)
* [Create master identity](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#create-master-identity)
* [Update organization & subscription](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#update-organization-and-subscription)
* [Return success](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#return-success)
* [Process Flow Diagram](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#process-flow-diagram)
* [Cryptographic Security](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#cryptographic-security)
* [Business Identity Attestation](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#business-identity-attestation)
* [Security Guarantees](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#security-guarantees)
* [Strategic Implications](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#strategic-implications)
* [Enterprise Onboarding Simplification](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#enterprise-onboarding-simplification)
* [Cryptographic Trust Hierarchy](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#cryptographic-trust-hierarchy)
* [](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup#undefined)
Copy
sequenceDiagram
participant Diana Browser
participant Enterprise Portal
participant AWS Cognito
participant GetTrusted Backend
participant AWS KMS
participant Business CA (KMS)
participant Firestore
participant Transparency Log
Note over Diana Browser,Transparency Log: Phase 1: Cognito Authentication
Diana Browser->>Enterprise Portal: Navigate to /signup
Diana Browser->>Enterprise Portal: Submit signup form
{firstName, lastName, email, password, companyName}
Enterprise Portal->>AWS Cognito: SignUp({email, password, attributes})
AWS Cognito-->>Enterprise Portal: {userSub, requiresConfirmation: true}
AWS Cognito->>Diana Browser: Send email verification code via SES
Diana Browser->>Enterprise Portal: Enter verification code
Enterprise Portal->>AWS Cognito: ConfirmSignUp({email, code})
AWS Cognito-->>Enterprise Portal: {success: true}
Enterprise Portal->>AWS Cognito: SignIn({email, password})
AWS Cognito-->>Enterprise Portal: {accessToken, idToken, refreshToken}
Enterprise Portal->>Diana Browser: Store tokens, redirect to /dashboard
Note over Diana Browser,Transparency Log: Phase 2: Organization Creation
Diana Browser->>Enterprise Portal: View dashboard with "Create Organization" prompt
Diana Browser->>Enterprise Portal: Submit organization form
{company_name, company_domain, contact_email}
Enterprise Portal->>GetTrusted Backend: POST /enterprise/portal/organizations
{JWT, organization_data}
GetTrusted Backend->>GetTrusted Backend: Validate JWT (Cognito token)
GetTrusted Backend->>GetTrusted Backend: Generate organizationId (UUID)
GetTrusted Backend->>GetTrusted Backend: Check domain uniqueness
Note over Diana Browser,Transparency Log: Phase 3: KMS Key Creation
GetTrusted Backend->>AWS KMS: CreateKey(SYMMETRIC_DEFAULT)
For organization data encryption
AWS KMS-->>GetTrusted Backend: {keyArn_encryption}
GetTrusted Backend->>AWS KMS: EnableKeyRotation({keyArn_encryption})
AWS KMS-->>GetTrusted Backend: Rotation enabled
GetTrusted Backend->>AWS KMS: Encrypt({keyArn, company_name})
AWS KMS-->>GetTrusted Backend: encrypted_company_name (base64)
GetTrusted Backend->>AWS KMS: Encrypt({keyArn, contact_email})
AWS KMS-->>GetTrusted Backend: encrypted_contact_email (base64)
GetTrusted Backend->>Firestore: Create /enterprise_organizations/{org_id}
{encrypted_name, encrypted_email, domain, kms_key_arn}
Firestore-->>GetTrusted Backend: Document created
Note over Diana Browser,Transparency Log: Phase 4: Organization CA Creation
GetTrusted Backend->>AWS KMS: CreateKey(ECC_NIST_P256, SIGN_VERIFY)
For organization CA signing
AWS KMS-->>GetTrusted Backend: {keyArn_ca_signing}
GetTrusted Backend->>AWS KMS: GetPublicKey({keyArn_ca_signing})
AWS KMS-->>GetTrusted Backend: org_ca_public_key (DER)
GetTrusted Backend->>GetTrusted Backend: Build X.509 TBS Certificate:
Subject: CN=Acme Intermediate CA, O=Acme, C=US
Issuer: CN=GetTrusted Business CA
Extensions: BasicConstraints(CA:TRUE, pathlen:0)
GetTrusted Backend->>GetTrusted Backend: Serialize TBS to DER
GetTrusted Backend->>Business CA (KMS): Sign({TBS_DER, ECDSA_SHA_256})
Business CA (KMS)-->>GetTrusted Backend: business_ca_signature (DER)
GetTrusted Backend->>GetTrusted Backend: Construct X.509 Certificate:
{TBS, business_ca_signature}
GetTrusted Backend->>GetTrusted Backend: Build certificate chain:
[Org CA Cert, Business CA Cert, Root CA Cert]
GetTrusted Backend->>Firestore: Update /enterprise_organizations/{org_id}
{ca_key_arn, certificate_der_base64, certificate_chain}
Firestore-->>GetTrusted Backend: Updated
Note over Diana Browser,Transparency Log: Phase 5: Attestation & Master Identity
GetTrusted Backend->>GetTrusted Backend: Create business identity attestation:
subject_fingerprint: SHA256(org_ca_pubkey)
issuer_fingerprint: SHA256(business_ca_pubkey)
GetTrusted Backend->>Business CA (KMS): Sign(attestation_canonical_json)
Business CA (KMS)-->>GetTrusted Backend: attestation_signature
GetTrusted Backend->>Transparency Log: POST /attestation/v1/add-attestation
{attestation, business_ca_pubkey, signature}
Transparency Log-->>GetTrusted Backend: {index, leaf_hash, inclusion_proof}
GetTrusted Backend->>GetTrusted Backend: Create master identity:
master_id = gtm{SHA256(org_ca_pubkey)}
GetTrusted Backend->>AWS KMS: Sign({master_id}, keyArn_ca_signing)
AWS KMS-->>GetTrusted Backend: proof_of_possession
GetTrusted Backend->>Firestore: Create /master_identities/{master_id}
{pubkey, proof_of_possession, enterprise_id, ca_metadata}
Firestore-->>GetTrusted Backend: Master identity created
GetTrusted Backend->>Firestore: Create /enterprise_subscriptions/{org_id}
{status: trial, trial_expires_at: +30 days}
Firestore-->>GetTrusted Backend: Subscription created
Note over Diana Browser,Transparency Log: Phase 6: Complete
GetTrusted Backend-->>Enterprise Portal: {success: true, organization_id, master_identity}
Enterprise Portal-->>Diana Browser: Redirect to organization dashboard
Show OIDC configuration wizard
Copy
1. GetTrusted Root CA (Self-Signed, Offline)
├─ Subject: O=GetTrusted, CN=GetTrusted Root CA
├─ Key Usage: Certificate Signing, CRL Signing
├─ Basic Constraints: CA:TRUE
├─ Validity: 20 years
2. GetTrusted Business Intermediate CA (Signed by Root CA, KMS)
├─ Subject: C=US, L=GetTrusted, CN=GetTrusted Business Intermediate CA
├─ Issuer: GetTrusted Root CA
├─ Key Usage: Certificate Signing, CRL Signing
├─ Basic Constraints: CA:TRUE, pathlen:1
├─ KMS Key ARN: arn:aws:kms:us-east-2:760715349462:key/b76016f1-c832-4bc7-b05d-157fad7a0fbf
├─ Validity: 10 years
3. Acme Corporation Intermediate CA (Signed by Business CA, KMS)
├─ Subject: CN=Acme Corporation Intermediate CA, O=Acme Corporation, C=US
├─ Issuer: GetTrusted Business Intermediate CA
├─ Key Usage: Certificate Signing, CRL Signing
├─ Basic Constraints: CA:TRUE, pathlen:0
├─ KMS Key ARN: {organization_ca_signing_key_arn}
├─ Validity: 5 years
4. Employee Device Certificates (Signed by Org CA + Device Key)
├─ Subject: O=Acme Corporation, OU=Employee, CN=diana.prince
├─ Issuer: Acme Corporation Intermediate CA
├─ Key Usage: digitalSignature
├─ Dual Signatures: [Device Key, Org CA]
├─ Validity: 365 days (1 year)
Copy
{
"version": 1,
"subject_fingerprint": "sha256_hash_of_org_ca_public_key",
"issuer_fingerprint": "sha256_hash_of_business_ca_public_key",
"claim_type": "business_ca_delegation",
"claim_data": {
"claim_hash": "sha256_hash_of_private_claim_data_with_salt",
"public_metadata": {
"category": "business_ca_delegation",
"assurance_level": 4,
"region": null,
"sector": null,
"geohash": null,
"proximity": null
},
"proof_requirements": {
"requires_claim_details": false,
"requires_salt": false,
"requires_context": false
}
},
"issued_at": "2025-01-10T00:00:00Z",
"expires_at": "2026-01-10T00:00:00Z",
"nonce": "random_16_byte_hex",
"signature": "ecdsa_signature_from_business_ca"
}
Copy
- Manual CA setup with HSM procurement
- Complex PKI infrastructure deployment
- IT staff training on certificate management
- Weeks/months of setup time
- High upfront costs ($50k-$500k+)
Copy
- 5-minute signup via web portal
- Automatic CA generation with AWS KMS
- No infrastructure to deploy or maintain
- Instant employee onboarding capability
- Pay-as-you-grow pricing (trial included)
Copy
1. Root CA (Maximum Trust): Offline signing, physical security
2. Business CA (High Trust): AWS KMS HSM, audited operations
3. Organization CA (Organizational Trust): Per-org KMS keys, business attestation
4. Employee Certificates (Delegated Trust): Dual-signed by org CA + device key
---
# Employee Onboarding Flow | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#overview)
Overview
----------------------------------------------------------------------------------------------------
GetTrusted's Employee Onboarding Flow creates hardware-backed enterprise device keys with dual-signed X.509 certificates for employees joining an organization. This flow combines personal identity management with organizational credentialing, resulting in a cryptographically verifiable chain of trust from the employee's hardware device through the organization's Certificate Authority.
Key Security Features:
* Dual-Signature X.509 Certificates: Co-signed by employee's device key AND organization CA
* Hardware-Backed Enterprise Keys: Generated in Secure Enclave/StrongBox/TPM (never exported)
* OIDC Directory Integration: Employee identity validated via company SSO (Okta, Azure AD, etc.)
* AWS KMS Protected CA: Organization CA private keys encrypted at rest in hardware security modules
* Managed Data Sync: Automatic synchronization of employee persona and organizational contacts
* Certificate Lifecycle: 365-day validity with automatic renewal support
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#process-overview)
Process Overview
--------------------------------------------------------------------------------------------------------------------
Diana (a new employee at Acme Corp) has already authenticated via OIDC (Organization Signup Flow). Now she needs to create an enterprise device key that will be used for all organizational communications and access.
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#dianas-perspective-new-employee)
Diana's Perspective (New Employee)
1
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#complete-oidc-authentication)
Complete OIDC authentication
Diana completes OIDC authentication (Organization Signup Flow).
2
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#app-prompts-to-create-enterprise-key)
App prompts to create enterprise key
App prompts: "Create enterprise device key for Acme Corp".
3
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#hardware-generates-key-pair)
Hardware generates key pair
Hardware generates new enterprise key pair in Secure Enclave/StrongBox.
4
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#create-x.509-csr)
Create X.509 CSR
App creates X.509 CSR (Certificate Signing Request) with employee info.
5
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#device-signs-csr)
Device signs CSR
Device signs CSR with device key (first signature).
6
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#send-csr-to-backend)
Send CSR to backend
CSR sent to backend with OIDC token for validation.
7
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#organization-ca-signs-certificate)
Organization CA signs certificate
Organization CA signs enterprise certificate (second signature).
8
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#install-certificate-in-hardware)
Install certificate in hardware
Certificate installed in hardware with full chain.
9
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#managed-data-syncs)
Managed data syncs
Managed data syncs: Employee persona + organizational contacts auto-sync.
10
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#enterprise-key-active)
Enterprise key active
Enterprise key active: Diana can now use organizational identity.
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#backend-perspective-gettrusted-api--organization-ca)
Backend Perspective (GetTrusted API + Organization CA)
1
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#receive-enterprise-key-request)
Receive enterprise key request
Enterprise key request arrives with OIDC token and device CSR.
2
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#validate-oidc-token)
Validate OIDC token
Validate OIDC token (JWT signature + claims: `sub`, `email`, `email_verified`).
3
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#load-organization-ca-key)
Load organization CA key
Load organization CA private key from AWS KMS (encrypted at rest).
4
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#extract-directory-id)
Extract directory ID
Extract directory ID from OIDC `sub` claim (e.g., "diana.prince").
5
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#create-x.509-certificate)
Create X.509 certificate
Create X.509 certificate with employee subject and public key.
6
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#sign-certificate-with-org-ca)
Sign certificate with Org CA
Sign certificate with organization CA (second signature).
7
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#assemble-certificate-chain)
Assemble certificate chain
Assemble certificate chain: \[Enterprise Cert, Org CA Cert, Business CA Cert, Root CA\].
8
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#store-certificate-metadata)
Store certificate metadata
Store in Firestore `/enterprise_device_keys/{key_id}`.
9
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#return-signed-certificate-to-device)
Return signed certificate to device
Return signed certificate to mobile device.
10
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#trigger-managed-data-sync)
Trigger managed data sync
Trigger managed data sync: Fetch employee persona from directory.
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#process-flow-diagram)
Process Flow Diagram
----------------------------------------------------------------------------------------------------------------------------
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#cryptographic-security)
Cryptographic Security
--------------------------------------------------------------------------------------------------------------------------------
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#dual-signature-x.509-certificate)
Dual-Signature X.509 Certificate
TBS Certificate Structure:
Dual Signature Structure:
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#certificate-chain-validation)
Certificate Chain Validation
Full PKI Hierarchy:
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#security-guarantees)
Security Guarantees
--------------------------------------------------------------------------------------------------------------------------
1. Hardware-Backed Enterprise Keys
* Enterprise private keys never leave Secure Enclave/StrongBox/TPM
* Key generation happens entirely in hardware security module
* Private keys cannot be extracted or exported
1. Dual-Signature Verification
* TWO independent signatures on same TBS certificate
* Device signature proves delegation from personal identity
* Organization CA signature proves organizational authorization
* Both must be valid for certificate to be trusted
1. OIDC Directory Integration
* Employee identity validated via company SSO
* Directory ID from OIDC `sub` claim (unique, immutable)
* Email verification required (`email_verified: true`)
* JWT signature verification prevents token tampering
1. AWS KMS Key Protection
* Organization CA private keys encrypted at rest
* Decryption requires IAM authentication
* Audit logging for all key usage
* Automatic key rotation supported
1. Certificate Chain Trust
* Full PKI validation from device through organization to root
* Each link in chain cryptographically verified
* Expired certificates automatically rejected
* Certificate revocation supported (future enhancement)
1. Managed Data Security
* Employee persona data read-only (cannot be tampered)
* Organizational contacts auto-synced from directory
* Data freshness guaranteed via periodic sync
* Access controlled via enterprise key
1. Production Resilience
* Automatic retry with exponential backoff (1s, 2s, 4s)
* 30-second timeout for enterprise key creation
* Smart error classification (never retry implementation failures)
* Immediate managed data sync after key creation
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#strategic-implications)
Strategic Implications
--------------------------------------------------------------------------------------------------------------------------------
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#enterprise-identity-lifecycle)
Enterprise Identity Lifecycle
Before GetTrusted:
With GetTrusted:
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#certificate-based-access-control)
Certificate-Based Access Control
Dual-Signature Benefits:
* Delegation Proof: Device signature proves employee authorized this enterprise key
* Authorization Proof: Org CA signature proves organization authorized this employee
* Non-Repudiation: Both parties cryptographically committed to relationship
* Automatic Revocation: Organization can revoke CA signature without affecting device
###
[](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#organizational-trust-hierarchy)
Organizational Trust Hierarchy
Trust Levels:
Organizational Trust Grants:
* Access to organizational shared resources
* Managed persona and contacts (auto-synced)
* Enterprise messaging and verification
* Organizational compliance features
[PreviousEnterprise Self Service Signup](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup)
Last updated 2 months ago
* [Overview](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#overview)
* [Process Overview](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#process-overview)
* [Diana's Perspective (New Employee)](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#dianas-perspective-new-employee)
* [Complete OIDC authentication](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#complete-oidc-authentication)
* [App prompts to create enterprise key](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#app-prompts-to-create-enterprise-key)
* [Hardware generates key pair](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#hardware-generates-key-pair)
* [Create X.509 CSR](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#create-x.509-csr)
* [Device signs CSR](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#device-signs-csr)
* [Send CSR to backend](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#send-csr-to-backend)
* [Organization CA signs certificate](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#organization-ca-signs-certificate)
* [Install certificate in hardware](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#install-certificate-in-hardware)
* [Managed data syncs](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#managed-data-syncs)
* [Enterprise key active](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#enterprise-key-active)
* [Backend Perspective (GetTrusted API + Organization CA)](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#backend-perspective-gettrusted-api--organization-ca)
* [Receive enterprise key request](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#receive-enterprise-key-request)
* [Validate OIDC token](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#validate-oidc-token)
* [Load organization CA key](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#load-organization-ca-key)
* [Extract directory ID](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#extract-directory-id)
* [Create X.509 certificate](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#create-x.509-certificate)
* [Sign certificate with Org CA](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#sign-certificate-with-org-ca)
* [Assemble certificate chain](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#assemble-certificate-chain)
* [Store certificate metadata](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#store-certificate-metadata)
* [Return signed certificate to device](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#return-signed-certificate-to-device)
* [Trigger managed data sync](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#trigger-managed-data-sync)
* [Process Flow Diagram](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#process-flow-diagram)
* [Cryptographic Security](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#cryptographic-security)
* [Dual-Signature X.509 Certificate](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#dual-signature-x.509-certificate)
* [Certificate Chain Validation](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#certificate-chain-validation)
* [Security Guarantees](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#security-guarantees)
* [Strategic Implications](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#strategic-implications)
* [Enterprise Identity Lifecycle](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#enterprise-identity-lifecycle)
* [Certificate-Based Access Control](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#certificate-based-access-control)
* [Organizational Trust Hierarchy](https://docs.gettrusted.app/enterprise-workflows/employee-onboarding-flow#organizational-trust-hierarchy)
Copy
sequenceDiagram
participant Diana Device
participant Diana Secure Enclave
participant GetTrusted Backend
participant AWS KMS
participant Organization CA
participant OIDC Directory
Note over Diana Device,OIDC Directory: Phase 1: Prerequisites (OIDC Complete)
Diana Device->>Diana Device: Has OIDC completion:
{id_token, directory_id, organization_id}
Diana Device->>Diana Device: Check enterprise key capability
Note over Diana Device,OIDC Directory: Phase 2: Enterprise Key Generation
Diana Device->>Diana Secure Enclave: Generate enterprise key pair (P-256)
Diana Secure Enclave-->>Diana Device: {public_key, private_key_ref}
Note right of Diana Secure Enclave: Private key NEVER leaves hardware
Diana Device->>Diana Device: Create X.509 TBS certificate
Subject: O=Acme, CN=diana.prince
Diana Device->>Diana Secure Enclave: Sign TBS with device key (1st signature)
Diana Secure Enclave-->>Diana Device: Device signature
Diana Device->>GetTrusted Backend: POST /enterprise-keys/create
{public_key, TBS, device_signature, id_token}
Note over Diana Device,OIDC Directory: Phase 3: Backend Certificate Signing
GetTrusted Backend->>GetTrusted Backend: Verify OIDC ID token (JWT)
Validate claims (sub, email, exp)
GetTrusted Backend->>GetTrusted Backend: Verify device signature on TBS
GetTrusted Backend->>GetTrusted Backend: Get organization CA from Firestore
GetTrusted Backend->>AWS KMS: Decrypt organization CA private key
AWS KMS-->>GetTrusted Backend: CA private key (plaintext)
GetTrusted Backend->>Organization CA: Sign TBS with CA key (2nd signature)
Organization CA-->>GetTrusted Backend: CA signature
GetTrusted Backend->>GetTrusted Backend: Assemble X.509 certificate:
{TBS, device_sig, ca_sig}
GetTrusted Backend->>GetTrusted Backend: Build certificate chain:
[Enterprise, Org CA, Business CA, Root CA]
GetTrusted Backend->>GetTrusted Backend: Store in Firestore:
/enterprise_device_keys/{key_id}
GetTrusted Backend-->>Diana Device: {certificate, certificate_chain, key_id, expires_at}
Note over Diana Device,OIDC Directory: Phase 4: Certificate Installation
Diana Device->>Diana Secure Enclave: Install certificate with private key ref
Diana Secure Enclave-->>Diana Device: Certificate installed
Diana Device->>Diana Device: Validate certificate chain
Verify both signatures
Diana Device->>Diana Device: Store metadata in SQLite
Note over Diana Device,OIDC Directory: Phase 5: Managed Data Sync
Diana Device->>GetTrusted Backend: GET /enterprise/personas/managed
GetTrusted Backend->>OIDC Directory: Fetch employee data (via OIDC)
OIDC Directory-->>GetTrusted Backend: {name, email, job_title, department}
GetTrusted Backend-->>Diana Device: Managed persona (read-only)
Diana Device->>Diana Device: Store managed persona locally
Diana Device->>GetTrusted Backend: GET /enterprise/contacts/managed
GetTrusted Backend->>OIDC Directory: Fetch org colleagues
OIDC Directory-->>GetTrusted Backend: List of organizational contacts
GetTrusted Backend-->>Diana Device: Managed contacts
Diana Device->>Diana Device: Store managed contacts
Set up 24hr auto-sync
Copy
Version: 3 (X.509v3)
Serial Number: {unique_serial}
Signature Algorithm: ECDSA-with-SHA256
Issuer: O=Acme Corporation, CN=Acme GetTrusted CA
Validity:
Not Before: 2025-01-10 00:00:00 UTC
Not After: 2026-01-10 00:00:00 UTC
Subject: O=Acme Corporation, OU=Employee, CN=diana.prince, [email protected]
Subject Public Key Info:
Algorithm: id-ecPublicKey (P-256)
Public Key: {p256_ecdsa_public_key}
Extensions:
basicConstraints: CA:FALSE
keyUsage: digitalSignature
extendedKeyUsage: clientAuth, emailProtection
subjectAltName: email:[email protected]
Copy
signatureAlgorithm: ECDSA-with-SHA256
signatureValue:
device_signature: {ecdsa_signature_from_device_key} # First signature
ca_signature: {ecdsa_signature_from_org_ca} # Second signature
Copy
1. GetTrusted Root CA (Self-Signed)
├─ Subject: O=GetTrusted, CN=GetTrusted Root CA
├─ Key Usage: Certificate Signing, CRL Signing
├─ Validity: 20 years
2. GetTrusted Business CA (Signed by Root CA)
├─ Subject: O=GetTrusted, CN=GetTrusted Business CA
├─ Issuer: GetTrusted Root CA
├─ Key Usage: Certificate Signing, CRL Signing
├─ Validity: 10 years
3. Acme Corporation CA (Signed by Business CA)
├─ Subject: O=Acme Corporation, CN=Acme GetTrusted CA
├─ Issuer: GetTrusted Business CA
├─ Key Usage: Certificate Signing, CRL Signing
├─ Basic Constraints: CA:TRUE, pathlen:0
├─ Validity: 10 years
4. Diana's Enterprise Device Certificate (Signed by Acme CA + Device Key)
├─ Subject: O=Acme Corporation, OU=Employee, CN=diana.prince
├─ Issuer: Acme Corporation CA
├─ Key Usage: digitalSignature
├─ Dual Signatures: [Device Key, Org CA]
├─ Validity: 365 days (1 year)
Copy
- Manual employee onboarding with IT support
- Physical hardware tokens or smart cards required
- No cryptographic binding to personal identity
- Separate credentials for each enterprise app
Copy
- Automatic onboarding via OIDC SSO
- Hardware-backed enterprise keys (no physical tokens)
- Cryptographically bound to employee's personal device identity
- Single enterprise credential for all GetTrusted organizational features
Copy
1. Maximum Trust: P2P trust establishment + hardware attestation
2. High Trust: Phone number ownership + remote attestation
3. Organizational Trust: Enterprise OIDC + dual-signed certificate ← Employee Onboarding
4. Business Trust: Business certificate + entity verification
5. Unverified: Contact information only
---
# User Data Restoration | LastID Docs
GitBook Assistant
GitBook Assistant
Working...Thinking...
GitBook Assistant
##### Good morning
I'm here to help you with the docs.
What is this page about?What should I read next?Can you give an example?
Ctrli
AI Based on your context
Send
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#overview)
Overview
-------------------------------------------------------------------------------------------
We do not backup or restore enterprise data, we filter it out as managed personas and managed contacts can be recovered and should only be recovered through enterprise onboarding/recovery.
GetTrusted's Restore Flow enables automatic recovery of encrypted backups when a user recovers their identity on a new device. The system uses the same Backup Encryption Key (BEK) that was deterministically derived during identity recovery to decrypt and restore all user data (contacts, personas, trust attestations) with zero server-side decryption.
Key Security Features:
* Automatic BEK Availability: BEK already derived and stored during identity recovery
* Hardware-Backed BEK Storage: BEK retrieved from iOS Keychain/Android KeyStore
* Zero-Knowledge Server: Backend retrieves encrypted blobs from S3, never sees plaintext
* Master ID Verification: Backup Master ID must match recovered identity
* Nuclear Table Clearing: Complete database wipe before restoration (clean slate)
* Device ID Injection: New device's device\_id injected into restored records
* GZIP Decompression: Automatic decompression of compressed backup data
* AES-256-GCM Decryption: Authenticated decryption with nonce-based security
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#process-overview)
Process Overview
-----------------------------------------------------------------------------------------------------------
Alice recovers her identity on a new phone using her passphrase and QR recovery data. The SDK automatically downloads and restores her encrypted backup from AWS S3, giving her immediate access to all contacts, personas, and trust attestations.
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#alices-perspective-user-recovering-on-new-device)
Alice's Perspective (User Recovering on New Device)
1
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#identity-recovery--bek-derivation)
Identity recovery + BEK derivation
Alice recovers identity using passphrase + QR recovery data. The SDK derives the same BEK during identity recovery using HKDF-SHA256(master\_id, SHA256(passphrase), "personal\_bek\_v1") and stores the BEK in the hardware keychain (gettrusted\_bek\_personal).
2
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#check-for-backup-and-download)
Check for backup and download
SDK checks for backup via backend API. SDK downloads the encrypted blob from S3 (zero-knowledge retrieval).
3
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#bek-retrieval-and-decryption)
BEK retrieval and decryption
SDK retrieves BEK from secure storage (no user interaction). SDK decrypts and decompresses backup data (AES-256-GCM decryption + GZIP decompression).
4
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#master-id-verification)
Master ID verification
SDK verifies the Backup Master ID matches the recovered identity. If mismatch, abort with MasterIdMismatch error.
5
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#nuclear-table-clearing)
Nuclear table clearing
SDK clears existing tables (DELETE FROM contacts, personas, trust\_attestations) to provide a clean slate for restoration.
6
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#device-id-injection-and-restore)
Device ID injection & restore
SDK injects the new device\_id into all restored records and regenerates created\_at/updated\_at timestamps. Restored records are inserted into the local database.
7
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#restoration-summary-and-completion)
Restoration summary & completion
App shows restoration summary (contacts, personas, attestations). Alice sees all data restored and ready to use immediately.
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#backend-perspective-gettrusted-api--aws-services)
Backend Perspective (GetTrusted API + AWS Services)
1
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#receive-and-authenticate-restore-request)
Receive and authenticate restore request
Restore request arrives with user\_id. Backend validates the JWT token (device signature verification) and extracts the user fingerprint from the Master ID.
2
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#query-backup-metadata)
Query backup metadata
Backend queries Firestore metadata for backup existence and metadata (fingerprint, s3Key, size, exportedAt).
3
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#download-blob-from-s3)
Download blob from S3
Backend downloads the encrypted blob from S3 (GET object Key: backups/{fingerprint}/backup.bin). The backend never decrypts the blob (zero-knowledge).
4
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#return-encrypted-blob-to-device)
Return encrypted blob to device
Backend returns the encrypted blob and metadata to the mobile device. Mobile SDK handles decryption; backend never sees plaintext.
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#process-flow-diagram)
Process Flow Diagram
-------------------------------------------------------------------------------------------------------------------
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#cryptographic-security)
Cryptographic Security
-----------------------------------------------------------------------------------------------------------------------
Why BEK is Available:
* During identity recovery, SDK calls derive\_bek\_personal(master\_id, passphrase)
* Derived BEK is immediately stored in hardware keychain
* Same BEK used for backup creation is now available for restoration
* Deterministic derivation ensures BEK is identical on any device with same Master ID + passphrase
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#aes-256-gcm-decryption)
AES-256-GCM Decryption
Encrypted Blob Structure:
┌─────────┬──────────────┬────────────────────────────────┐ │ Version │ Nonce │ Ciphertext + Authentication Tag │ │ 1 byte │ 12 bytes │ Variable (compressed data + 16) │ │ (0x01) │ (from backup)│ (AES-256-GCM output) │ └─────────┴──────────────┴────────────────────────────────┘
Security Properties:
* Authentication Verification: 128-bit tag ensures data integrity and authenticity
* Tamper Detection: Modified ciphertext fails to decrypt (authentication error)
* Nonce Uniqueness: Each backup has unique nonce (extracted from blob)
* 256-bit Key: BEK provides 256-bit security strength
* AEAD: Decrypt-then-verify integrated (NIST-approved)
Field Injection:
* device\_id: New device's unique ID (different from backup device)
* created\_at: Current timestamp (not from backup)
* updated\_at: Current timestamp (not from backup)
Why Field Injection:
* Each device has unique device\_id tracked for security auditing
* Timestamps reflect when record was created ON THIS DEVICE
* Backup data (contacts, personas, trust attestations) remains intact
* Device-specific metadata updated for new device context
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#security-guarantees)
Security Guarantees
-----------------------------------------------------------------------------------------------------------------
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-1.-bek-availability-through-deterministic-derivation)
1\. BEK Availability Through Deterministic Derivation
* Same Master ID + passphrase → same BEK (reproducible)
* BEK derived during identity recovery, stored in hardware keychain
* Retrieve BEK from secure storage for restoration (no re-derivation needed)
* Hardware-protected storage ensures BEK security
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-2.-master-id-verification-before-restoration)
2\. Master ID Verification Before Restoration
* Backup Master ID must match recovered identity's Master ID
* Prevents accidental restoration of wrong user's backup
* Cryptographic proof of identity ownership
* Fails fast if wrong backup attempted
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-3.-zero-knowledge-backend)
3\. Zero-Knowledge Backend
* Backend retrieves encrypted blob from S3 (opaque ciphertext)
* Backend never sees BEK or plaintext data
* Decryption happens entirely on device
* Backend compromise does NOT expose user data
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-4.-hardware-protected-bek-storage)
4\. Hardware-Protected BEK Storage
* BEK stored in iOS Keychain / Android KeyStore
* Hardware-level encryption automatically applied
* Protected by device biometrics/passcode
* Non-exportable from device hardware
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-5.-authenticated-decryption)
5\. Authenticated Decryption
* AES-256-GCM verifies data integrity and authenticity
* Authentication tag prevents tampering
* Modified ciphertext fails to decrypt
* Wrong BEK produces authentication failure (not garbage data)
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-6.-nuclear-table-clearing-for-clean-slate)
6\. Nuclear Table Clearing for Clean Slate
* Complete database wipe before restoration
* No orphaned records or ID conflicts
* Backup represents complete truth
* Predictable and simple (no merge logic bugs)
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-7.-device-id-injection-for-portability)
7\. Device ID Injection for Portability
* New device\_id injected into all restored records
* Timestamps regenerated for new device context
* Backup data (contacts, personas) remains intact
* Clean migration across devices
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#strategic-implications)
Strategic Implications
-----------------------------------------------------------------------------------------------------------------------
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#seamless-cross-device-recovery)
Seamless Cross-Device Recovery
Traditional Problem:
* User sets up new phone:
* Manually re-add all contacts
* Manually re-create personas
* Lose trust attestation history
* Hours of manual data entry
* Risk of forgetting contacts
GetTrusted Solution:
* User recovers identity on new phone:
* Enter passphrase (derives same BEK)
* SDK automatically downloads backup from S3
* SDK automatically decrypts and restores
* All contacts, personas, attestations appear
* Zero manual data entry
* Complete history preserved
* Ready to use in seconds
###
[](https://docs.gettrusted.app/core-workflows/user-data-restoration#zero-knowledge-cloud-storage)
Zero-Knowledge Cloud Storage
Backend Cannot:
* Decrypt any backup data
* Read contacts or personas
* Access trust attestations
* Derive BEK from encrypted blobs
* Correlate backups across users (fingerprint-based S3 keys)
* Restore user data without user's BEK
Backend Can:
* Store encrypted blobs reliably (S3 durability: 99.999999999%)
* Track backup metadata (sizes, timestamps)
* Enable cross-device recovery (blob retrieval)
* Audit access patterns (Firestore logs)
* Scale storage elastically (S3 auto-scaling)
[PreviousUser Data Backup](https://docs.gettrusted.app/core-workflows/user-data-backup)
[NextEnterprise Self Service Signup](https://docs.gettrusted.app/enterprise-workflows/enterprise-self-service-signup)
Last updated 2 months ago
* [Overview](https://docs.gettrusted.app/core-workflows/user-data-restoration#overview)
* [Process Overview](https://docs.gettrusted.app/core-workflows/user-data-restoration#process-overview)
* [Alice's Perspective (User Recovering on New Device)](https://docs.gettrusted.app/core-workflows/user-data-restoration#alices-perspective-user-recovering-on-new-device)
* [Identity recovery + BEK derivation](https://docs.gettrusted.app/core-workflows/user-data-restoration#identity-recovery--bek-derivation)
* [Check for backup and download](https://docs.gettrusted.app/core-workflows/user-data-restoration#check-for-backup-and-download)
* [BEK retrieval and decryption](https://docs.gettrusted.app/core-workflows/user-data-restoration#bek-retrieval-and-decryption)
* [Master ID verification](https://docs.gettrusted.app/core-workflows/user-data-restoration#master-id-verification)
* [Nuclear table clearing](https://docs.gettrusted.app/core-workflows/user-data-restoration#nuclear-table-clearing)
* [Device ID injection & restore](https://docs.gettrusted.app/core-workflows/user-data-restoration#device-id-injection-and-restore)
* [Restoration summary & completion](https://docs.gettrusted.app/core-workflows/user-data-restoration#restoration-summary-and-completion)
* [Backend Perspective (GetTrusted API + AWS Services)](https://docs.gettrusted.app/core-workflows/user-data-restoration#backend-perspective-gettrusted-api--aws-services)
* [Receive and authenticate restore request](https://docs.gettrusted.app/core-workflows/user-data-restoration#receive-and-authenticate-restore-request)
* [Query backup metadata](https://docs.gettrusted.app/core-workflows/user-data-restoration#query-backup-metadata)
* [Download blob from S3](https://docs.gettrusted.app/core-workflows/user-data-restoration#download-blob-from-s3)
* [Return encrypted blob to device](https://docs.gettrusted.app/core-workflows/user-data-restoration#return-encrypted-blob-to-device)
* [Process Flow Diagram](https://docs.gettrusted.app/core-workflows/user-data-restoration#process-flow-diagram)
* [Cryptographic Security](https://docs.gettrusted.app/core-workflows/user-data-restoration#cryptographic-security)
* [AES-256-GCM Decryption](https://docs.gettrusted.app/core-workflows/user-data-restoration#aes-256-gcm-decryption)
* [Security Guarantees](https://docs.gettrusted.app/core-workflows/user-data-restoration#security-guarantees)
* [1\. BEK Availability Through Deterministic Derivation](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-1.-bek-availability-through-deterministic-derivation)
* [2\. Master ID Verification Before Restoration](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-2.-master-id-verification-before-restoration)
* [3\. Zero-Knowledge Backend](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-3.-zero-knowledge-backend)
* [4\. Hardware-Protected BEK Storage](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-4.-hardware-protected-bek-storage)
* [5\. Authenticated Decryption](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-5.-authenticated-decryption)
* [6\. Nuclear Table Clearing for Clean Slate](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-6.-nuclear-table-clearing-for-clean-slate)
* [7\. Device ID Injection for Portability](https://docs.gettrusted.app/core-workflows/user-data-restoration#id-7.-device-id-injection-for-portability)
* [Strategic Implications](https://docs.gettrusted.app/core-workflows/user-data-restoration#strategic-implications)
* [Seamless Cross-Device Recovery](https://docs.gettrusted.app/core-workflows/user-data-restoration#seamless-cross-device-recovery)
* [Zero-Knowledge Cloud Storage](https://docs.gettrusted.app/core-workflows/user-data-restoration#zero-knowledge-cloud-storage)
Copy
sequenceDiagram
participant New Device
participant Secure Enclave
participant GetTrusted Backend
participant AWS S3
participant Firestore
participant SQLite Database
Note over New Device,SQLite Database: Phase 1: Identity Recovery (Prerequisite)
New Device->>New Device: User enters passphrase + QR recovery data
New Device->>Secure Enclave: Derive Master ID from recovery data
Secure Enclave-->>New Device: Master ID (32 bytes)
New Device->>New Device: Derive BEK from Master ID + passphrase
HKDF-SHA256(master_id, SHA256(passphrase), "personal_bek_v1")
New Device->>Secure Enclave: Store BEK in keychain
(gettrusted_bek_personal)
Secure Enclave-->>New Device: BEK stored successfully
Note right of New Device: Identity recovery complete
BEK now available for backup restore
Note over New Device,SQLite Database: Phase 2: Check for Backup Existence
New Device->>GetTrusted Backend: POST /api/v1/backup/cloud/restore
{user_id}
JWT token for authentication
GetTrusted Backend->>GetTrusted Backend: Validate JWT signature
GetTrusted Backend->>GetTrusted Backend: Extract fingerprint from user_id
(strip 'gtm' prefix)
Note over New Device,SQLite Database: Phase 3: Retrieve Backup Metadata
GetTrusted Backend->>Firestore: GET /backups/{user_id}
Firestore-->>GetTrusted Backend: {fingerprint, s3Key, size, exportedAt}
Note over New Device,SQLite Database: Phase 4: Download Encrypted Blob from S3
GetTrusted Backend->>AWS S3: GET object
Key: backups/{fingerprint}/backup.bin
AWS S3-->>GetTrusted Backend: Encrypted backup blob
[version:1][nonce:12][ciphertext+tag]
GetTrusted Backend-->>New Device: {success: true, encrypted_backup_blob, metadata}
Note right of GetTrusted Backend: Zero-knowledge: backend never sees plaintext
Note over New Device,SQLite Database: Phase 5: BEK Retrieval from Keychain
New Device->>Secure Enclave: Retrieve BEK from keychain
(stored during identity recovery)
Secure Enclave-->>New Device: BEK (32 bytes)
Note right of Secure Enclave: Hardware-protected keychain storage
No user interaction needed
Note over New Device,SQLite Database: Phase 6: Decryption with AES-256-GCM
New Device->>New Device: Parse encrypted blob:
[version:1][nonce:12][ciphertext+tag]
New Device->>New Device: Extract nonce (12 bytes)
New Device->>New Device: Decrypt compressed data:
AES-256-GCM(ciphertext, BEK, nonce)
New Device->>New Device: Verify authentication tag
(prevents tampering)
Note over New Device,SQLite Database: Phase 7: Decompression
New Device->>New Device: Decompress with GZIP
Note right of New Device: Restore original size from ~60% compression
Note over New Device,SQLite Database: Phase 8: Master ID Verification
New Device->>New Device: Deserialize JSON to BackupData structure
New Device->>New Device: Extract backup.master_identity_id
New Device->>New Device: Compare with recovered Master ID
alt Master ID Mismatch
New Device->>New Device: Abort restore with error:
MasterIdMismatch
end
Note right of New Device: Security: Prevents restoring wrong user's backup
Note over New Device,SQLite Database: Phase 9: Nuclear Table Clearing
New Device->>SQLite Database: DELETE FROM contacts
New Device->>SQLite Database: DELETE FROM personas
New Device->>SQLite Database: DELETE FROM trust_attestations
Note right of SQLite Database: Clean slate approach
Removes any pre-existing data
Note over New Device,SQLite Database: Phase 10: Device ID Injection & Restoration
loop For each contact
New Device->>New Device: Inject new device_id (new device)
New Device->>New Device: Generate new created_at timestamp
New Device->>New Device: Generate new updated_at timestamp
New Device->>SQLite Database: INSERT contact with new device_id
end
loop For each persona
New Device->>New Device: Inject new device_id
New Device->>New Device: Generate new timestamps
New Device->>SQLite Database: INSERT persona with new device_id
end
loop For each trust attestation
New Device->>New Device: Inject new device_id
New Device->>New Device: Generate new timestamps
New Device->>SQLite Database: INSERT trust_attestation with new device_id
end
Note over New Device,SQLite Database: Phase 11: Restore Complete
New Device->>New Device: Generate RestoreReport:
{contacts_restored, personas_restored, attestations_restored}
New Device->>New Device: Display success message to user
Note right of New Device: User sees all data restored
Ready to use immediately
---
# Email Protection | Cloudflare
Please enable cookies.
Email Protection
================
You are unable to access this email address docs.gettrusted.app
---------------------------------------------------------------
The website from which you got to this page is protected by Cloudflare. Email addresses on that page have been hidden in order to keep them from being accessed by malicious bots. **You must enable Javascript in your browser in order to decode the e-mail address**.
If you have a website and are interested in protecting it in a similar way, you can [sign up for Cloudflare](https://www.cloudflare.com/sign-up?utm_source=email_protection)
.
* [How does Cloudflare protect email addresses on website from spammers?](https://developers.cloudflare.com/waf/tools/scrape-shield/email-address-obfuscation/)
* [Can I sign up for Cloudflare?](https://developers.cloudflare.com/fundamentals/setup/account/create-account/)
Cloudflare Ray ID: **9b504a09cd250806** • Your IP: Click to reveal 54.237.218.47 • Performance & security by [Cloudflare](https://www.cloudflare.com/5xx-error-landing)
---