Zipper Documentation
  • Introduction
    • Zipper Overview
    • Fabric Labs Ecosystem
      • Fabric
      • Polyester
      • Zipper
  • Core Concepts
    • What are zAssets?
      • What To Do With zAssets?
    • What Is Zipping/Unzipping?
    • What Are On-Chain Vaults?
  • Getting Started
    • Navigating Zipper.Trade
    • Connecting Your Wallet
    • Zipping: Step-by-Step
    • Unzipping: Step-by-Step
    • Zip/Unzip Fees
  • Developer Information
    • Zipper Architecture
  • Security and Compliance
    • Compliance Mechanisms
  • Vault Architecture
  • What Is TEE?
  • Glossary and Resources
    • Key Terms
    • Supported Blockchains/Tokens
    • Useful Links
Powered by GitBook
On this page
  • Introduction to Trusted Execution Environments (TEE)
  • Why is TEE the Gold Standard for Private Key Security?
  • 1. Private Keys Are Never Exposed
  • 2. Hardware-Enforced Isolation
  • 3. Secure Transaction Authorization Without Leaking Keys
  • How TEE Secures Zipper’s Vaults and Deposits
  • Why TEE is the Best Choice for Blockchain Security

What Is TEE?

PreviousVault ArchitectureNextKey Terms

Last updated 1 month ago

Introduction to Trusted Execution Environments (TEE)

A Trusted Execution Environment (TEE) is a secure enclave within a processor that allows sensitive operations - such as private key storage and transaction signing - to be executed in complete isolation from the rest of the system.

This means that even if the host machine running the TEE is compromised, the private keys remain protected, and no unauthorized entity can access or manipulate transactions.

Why is TEE the Gold Standard for Private Key Security?

1. Private Keys Are Never Exposed

TEE ensures that private keys are never accessible outside the enclave - not even to the operating system, the machine owner, or any external attackers.

Key Takeaway: Even in a full system compromise, the private keys remain completely secure inside the TEE.

2. Hardware-Enforced Isolation

Unlike software-based security models, which rely on application-level encryption, TEE provides hardware-backed isolation, meaning:

✅ The OS and other applications cannot read private keys stored in TEE. ✅ Malware, remote exploits, and insider attacks cannot extract sensitive cryptographic material. ✅ Even the infrastructure provider cannot override TEE protections.

Key Takeaway: If the host system is hacked, the attacker still cannot extract the private keys inside the TEE.

3. Secure Transaction Authorization Without Leaking Keys

TEE not only stores private keys but also executes cryptographic signing operations within its isolated enclave. This means:

✅ Transactions are signed inside TEE without the private key ever leaving the secure environment. ✅ Even the host machine running the TEE cannot retrieve private keys—it only receives the signed transaction output. ✅ Zipper’s vault movements - whether from deposit addresses to main vaults, or vaults to user withdrawals - are authorized in a completely secure and verifiable manner.

Key Takeaway: Even if external nodes are compromised, TEE ensures that funds cannot be accessed without proper authorization.

How TEE Secures Zipper’s Vaults and Deposits

Zipper’s architecture relies on TEE for securing both deposit addresses and main vaults.

1. Deposit Addresses Are Secured by TEE

  • Each user’s deposit address is controlled by private keys stored inside TEE, ensuring that only authorized transactions can move funds.

  • Even though deposit addresses are assigned to individual users, TEE ensures that no unauthorized transactions can be made.

2. Main Vaults Are Governed by TEE-Secured Transactions

  • When assets move from deposit addresses to the main vault, the TEE signs and validates each movement, ensuring full security and transparency.

  • During an unzip operation, the TEE securely authorizes funds to be released from the vault and sent back to the user.

Key Takeaway: TEE prevents unauthorized access to all Zipper-controlled assets - whether in deposit addresses or main vaults.

Why TEE is the Best Choice for Blockchain Security

Security Model

Key Exposure Risk?

Hardware-Enforced Protection?

Ideal for Blockchain Vault Security?

🔓 Software Wallets

High (keys stored in memory)

❌ No

❌ Not secure

🔑 Multi-Sig Wallets

Moderate (keys stored across multiple parties)

❌ No

⚠️ Secure but requires trust in multiple parties

🔒 HSM (Hardware Security Modules)

Low (key stored in secure chip)

✅ Yes

✅ Secure but requires external trust

🔐 TEE-Based Key Storage

Zero (keys never leave enclave)

✅ Yes

✅ Best for blockchain security

Final Verdict: TEE eliminates all major attack vectors while ensuring cryptographic operations remain trustless, censorship-resistant, and completely verifiable.