# What Is TEE?

<figure><img src="https://1813598319-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fg7CuDjZTqivGehboo0kG%2Fuploads%2F0i1gULTcI3lj5e77RTqB%2FWhat%20is%20TEE.png?alt=media&#x26;token=540a339e-d501-4f3e-9043-6da4a9b1c5cd" alt=""><figcaption></figcaption></figure>

## **Introduction to Trusted Execution Environments (TEE)**

A **Trusted Execution Environment (TEE)** is a **secure enclave within a processor** that allows sensitive operations, such as **private key storage and transaction signing**, to be executed **in complete isolation** from the rest of the system.

This means that even if the **host machine running the TEE is compromised**, the **private keys remain protected**, and no unauthorized entity can access or manipulate transactions.

***

## **Why is TEE the Gold Standard for Private Key Security?**

### **1. Private Keys Are Never Exposed**

TEE ensures that **private keys are never accessible outside the enclave**, not even to the operating system, the machine owner, or any external attackers.

**Key Takeaway:** Even in a full system compromise, the **private keys remain completely secure inside the TEE.**

### **2. Hardware-Enforced Isolation**

Unlike software-based security models, which rely on **application-level encryption**, TEE provides **hardware-backed isolation**, meaning:

✅ The **OS and other applications cannot read private keys** stored in TEE.\
✅ **Malware, remote exploits, and insider attacks** cannot extract sensitive cryptographic material.\
✅ Even the **infrastructure provider cannot override TEE protections**.

**Key Takeaway:** If the **host system is hacked**, the attacker still **cannot extract the private keys** inside the TEE.

### **3. Secure Transaction Authorization Without Leaking Keys**

TEE not only **stores private keys** but also **executes cryptographic signing operations** within its **isolated enclave**. This means:

✅ **Transactions are signed inside TEE** without the private key ever leaving the secure environment.\
✅ **Even the host machine running the TEE cannot retrieve private keys**—it only receives the signed transaction output.\
✅ **Zipper’s vault movements**, whether from **deposit addresses to main vaults or vaults to user withdrawals**, are authorized in a completely **secure and verifiable manner**.

**Key Takeaway:** Even if external nodes are compromised, **TEE ensures that funds cannot be accessed without proper authorization**.

***

### **How TEE Secures Zipper’s Vaults and Deposits**

Zipper’s architecture **relies on TEE for securing both deposit addresses and main vaults.**

#### **1. Deposit Addresses Are Secured by TEE**

* Each **user’s deposit address is controlled by private keys stored inside TEE**, ensuring that **only authorized transactions can move funds**.
* Even though deposit addresses are assigned to individual users, **TEE ensures that no unauthorized transactions can be made**.

#### **2. Main Vaults Are Governed by TEE-Secured Transactions**

* When assets move from **deposit addresses to the main vault**, the **TEE signs and validates each movement**, ensuring **full security and transparency**.
* During an **unzip operation**, the TEE securely authorizes **funds to be released** from the vault and sent back to the user.

**Key Takeaway:** **TEE prevents unauthorized access to all Zipper-controlled assets**, whether in deposit addresses or main vaults.
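
The signing flow from "Secure Transaction Authorization Without Leaking Keys" and the vault movements listed in this section can be modelled as an interface: the key is created inside, the route is checked inside, and only a signature comes out. The Go program below is an added example, not Zipper's code, and it reproduces the interface only, not the hardware isolation. `Enclave`, `Move`, the route labels and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Move is a hypothetical vault-movement request handed to the enclave by the host.
type Move struct {
	From, To string // "deposit", "vault" or "user" (constructed labels)
	Amount   uint64
}

// Enclave models the signing boundary only (no hardware isolation): the key is unexported.
type Enclave struct{ key ed25519.PrivateKey }

var ErrUnauthorized = errors.New("movement not permitted by enclave policy")

// NewEnclave generates the key inside the boundary and hands out only the public half.
func NewEnclave() (*Enclave, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: do not continue
	}
	return &Enclave{key: priv}, pub
}

// encode produces the exact bytes that are signed and later verified.
func encode(m Move) []byte { return []byte(fmt.Sprintf("%s>%s:%d", m.From, m.To, m.Amount)) }

// Sign checks the route inside the boundary and returns only a signature, never the key.
func (e *Enclave) Sign(m Move) ([]byte, error) {
	if !(m.From == "deposit" && m.To == "vault") && !(m.From == "vault" && m.To == "user") {
		return nil, ErrUnauthorized
	}
	return ed25519.Sign(e.key, encode(m)), nil
}

// Verify is what the host or any third party runs, using the public key alone.
func Verify(pub ed25519.PublicKey, m Move, sig []byte) bool { return ed25519.Verify(pub, encode(m), sig) }

func main() {
	enc, pub := NewEnclave()
	m := Move{From: "deposit", To: "vault", Amount: 100} // constructed request
	sig, err := enc.Sign(m)
	_, refused := enc.Sign(Move{From: "vault", To: "unknown", Amount: 100})
	fmt.Println(err == nil, Verify(pub, m, sig), refused == ErrUnauthorized) // true true true
}
```

Because the signature covers the encoded route and amount, a host that alters either field after signing produces a request that no longer verifies.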

### **Why TEE is the Best Choice for Blockchain Security**

| **Security Model**                 | **Key Exposure Risk?**                             | **Hardware-Enforced Protection?** | **Ideal for Blockchain Vault Security?**         |
| ---------------------------------- | -------------------------------------------------- | --------------------------------- | ------------------------------------------------ |
| 🔓 Software Wallets                | **High** (keys stored in memory)                   | ❌ No                              | ❌ Not secure                                     |
| 🔑 Multi-Sig Wallets               | **Moderate** (keys stored across multiple parties) | ❌ No                              | ⚠️ Secure but requires trust in multiple parties |
| 🔒 HSM (Hardware Security Modules) | **Low** (key stored in secure chip)                | ✅ Yes                             | ✅ Secure but requires external trust             |
| 🔐 **TEE-Based Key Storage**       | **Zero** (keys never leave enclave)                | ✅ **Yes**                         | ✅ **Best for blockchain security**               |

**Final Verdict:** **TEE eliminates all major attack vectors** while ensuring cryptographic operations remain **trustless, censorship-resistant, and completely verifiable.**
