The Air Gapped Signing Environment (AGSE) is a custom device that Cyph uses to code-sign application releases and to issue PKI certificates for new user accounts. This both ensures the integrity of Cyph against tampering and protects all users’ end-to-end encrypted communication against man-in-the-middle attacks.
The AGSE functions essentially as an HSM combined with a data diode and a simple UI to review data from a secure environment before signing it. Its quantum-resistant signing keys are protected from exfiltration by air-gapped, encrypted cold storage, and signatures are issued through temporary local unidirectional networks.
The two authorized AGSEs are held only by the Cyph founders. Any new release or new user account must be personally signed off on by one of them; without Josh or Ryan’s manual decryption and invocation of his AGSE, no new version of Cyph or new user will be treated as valid. This limits the necessary trust to an absolute minimum, and for as long as Cyph exists the AGSEs will only ever be held by the founders or a small group of trusted successors.