Security through layers, air gaps, and wallet segregation.

There is no silver bullet to a secure system. Secure systems are built in layers of security one upon the next.

Piston Vault is no different. We designed our security model to include physical, electronic, and software countermeasures.

Air gapped and segregated wallets, inaccessible electronic safes, and independent secure channels and software systems.

Electronic Countermeasures

Built-in electronic security

Spark wallets store private keys inside secure enclave microchips equipped with physical tamper-proof countermeasures.

Firmware upgrades of electronic systems, including Sparks and Piston Valves, are signed with Piston Vault certificates.

All electronic systems use secure boot and encrypted protocol channels.

Electrical systems within Piston Cylinders are fully redundant and fail-secure, preventing access during power outages.

Encryption Countermeasures

Certificates, signatures, and TLS

Within each Spark, communication between its MCU and the secure enclave is encrypted. Sparks also implement secure boot and secure firmware updates.

Each user’s unique signature is imprinted into the Spark upon assigning the device and used to authenticate all requests.

Spark wallets are imprinted with authenticity certificates when fabricated, and are only accepted within the system if they successfully authenticate when plugged in.

Piston Valve systems connect externally through encrypted VPN channels and validate all incoming requests.

Firmware updates require authentication and are signed with Piston Vault unique keys.

Users authenticate using MFA, which may include voice signature, geo-location, and white-listed IP addresses.

Software Countermeasures

VPC, VPN, MFA, and more acronyms

Access to all Piston Vault systems is through authentication procedures requiring multi-factor authentication (MFA), that may also include geo-location, white-listed IP addresses, and voice authentication.


Piston Vault Platform systems are hosted within virtual private clouds (VPC) and are designed to remain secure even if compromised.


Communications between Piston Vault Platform systems and Piston Cylinders is through virtual private networks (VPN).


All Piston Vault software is reviewed by an independent security firm and all systems undergo penetration testing

Physical Countermeasures

Steel, locks, bullet-proof glass, and more

Spark wallets are encased within a solid shell of liquid crystal polymers (Kevlar) that makes it practically impossible to reveal the electronics inside it.


Power channels and communication channels on the Piston Valve platform are electronically separated and function independently.


Piston Cylinders are industrial-grade electronic safes made of hardened steel. Disassembly can only be carried out from the inside.


Cylinders weigh up to 500 kg and are bolted to the data center floor.


Access is provided only through 4 doors around the perimeter. Doors use bullet-proof glass and fail-secure bolt locks that remain locked in case of power outages.


Piston Cylinders are normally located within private and caged areas of data centers, with private biometric access.


Piston Vault only uses tier-1 data centers that offer the highest security access.

Backup & Seed Recovery Measures

Spark wallet - a unique clone

When the master seed of each Spark is created, it is first stored in the Spark secure element, and then it is enveloped into multiple layers of encryption and sent to another location, geographically separated from where the Spark wallet is maintained, where it is stored securely.


This protects the master seed from catastrophic failures, including data center destruction.


Should the Spark wallet be destroyed, a new Spark wallet can be initialized with the encrypted master seed, which, upon the user’s authentication, is decrypted and stored inside the new Spark, thereby creating a clone.


The master seed never leaves a Spark in a decrypted (readable) state. Piston Vault is never able to see or access users’ private keys stored in Sparks devices. Moreover, the system has been designed in a way that even if components of it are compromised, users’ private keys are always secure

Protocol Security

Procedures & Regulations

Deployment and operation of Piston Vault is carried out through secure protocols and procedures.


Piston Vault’s Chief Information Security Officer (CISO), together with our Compliance Officer, guarantees that the highest standards of security are maintained at all levels of the system.


This includes operation and maintenance of our physical vaults, design and deployment of our software, screening and monitoring of our staff, selection and vetting of our suppliers.