> For the complete documentation index, see [llms.txt](https://docs.zipper.trade/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.zipper.trade/what-is-tee.md).

# What Is TEE?

<figure><img src="/files/uRniPcHlKVI7BDgsy02Q" alt=""><figcaption></figcaption></figure>

## **Introduction to Trusted Execution Environments (TEE)**

A **Trusted Execution Environment (TEE)** is a **secure enclave within a processor** that allows sensitive operations - such as **private key storage and transaction signing -** to be executed **in complete isolation** from the rest of the system.

This means that even if the **host machine running the TEE is compromised**, the **private keys remain protected**, and no unauthorized entity can access or manipulate transactions.

***

## **Why is TEE the Gold Standard for Private Key Security?**

### **1. Private Keys Are Never Exposed**

TEE ensures that **private keys are never accessible outside the enclave -** not even to the operating system, the machine owner, or any external attackers.

**Key Takeaway:** Even in a full system compromise, the **private keys remain completely secure inside the TEE.**

### **2. Hardware-Enforced Isolation**

Unlike software-based security models, which rely on **application-level encryption**, TEE provides **hardware-backed isolation**, meaning:

✅ The **OS and other applications cannot read private keys** stored in TEE.\
✅ **Malware, remote exploits, and insider attacks** cannot extract sensitive cryptographic material.\
✅ Even the **infrastructure provider cannot override TEE protections**.

**Key Takeaway:** If the **host system is hacked**, the attacker still **cannot extract the private keys** inside the TEE.

### **3. Secure Transaction Authorization Without Leaking Keys**

TEE not only **stores private keys** but also **executes cryptographic signing operations** within its **isolated enclave**. This means:

✅ **Transactions are signed inside TEE** without the private key ever leaving the secure environment.\
✅ **Even the host machine running the TEE cannot retrieve private keys**—it only receives the signed transaction output.\
✅ **Zipper’s vault movements -** whether from **deposit addresses to main vaults, or vaults to user withdrawals -** are authorized in a completely **secure and verifiable manner**.

**Key Takeaway:** Even if external nodes are compromised, **TEE ensures that funds cannot be accessed without proper authorization**.

***

### **How TEE Secures Zipper’s Vaults and Deposits**

Zipper’s architecture **relies on TEE for securing both deposit addresses and main vaults.**

#### **1. Deposit Addresses Are Secured by TEE**

* Each **user’s deposit address is controlled by private keys stored inside TEE**, ensuring that **only authorized transactions can move funds**.
* Even though deposit addresses are assigned to individual users, **TEE ensures that no unauthorized transactions can be made**.

#### **2. Main Vaults Are Governed by TEE-Secured Transactions**

* When assets move from **deposit addresses to the main vault**, the **TEE signs and validates each movement**, ensuring **full security and transparency**.
* During an **unzip operation**, the TEE securely authorizes **funds to be released** from the vault and sent back to the user.

**Key Takeaway:** **TEE prevents unauthorized access to all Zipper-controlled assets -** whether in deposit addresses or main vaults.

### **Why TEE is the Best Choice for Blockchain Security**

| **Security Model**                 | **Key Exposure Risk?**                             | **Hardware-Enforced Protection?** | **Ideal for Blockchain Vault Security?**         |
| ---------------------------------- | -------------------------------------------------- | --------------------------------- | ------------------------------------------------ |
| 🔓 Software Wallets                | **High** (keys stored in memory)                   | ❌ No                              | ❌ Not secure                                     |
| 🔑 Multi-Sig Wallets               | **Moderate** (keys stored across multiple parties) | ❌ No                              | ⚠️ Secure but requires trust in multiple parties |
| 🔒 HSM (Hardware Security Modules) | **Low** (key stored in secure chip)                | ✅ Yes                             | ✅ Secure but requires external trust             |
| 🔐 **TEE-Based Key Storage**       | **Zero** (keys never leave enclave)                | ✅ **Yes**                         | ✅ **Best for blockchain security**               |

**Final Verdict:** **TEE eliminates all major attack vectors** while ensuring cryptographic operations remain **trustless, censorship-resistant, and completely verifiable.**


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.zipper.trade/what-is-tee.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.