Ephemeral Castle Vault Runtime Architecture
The LushyCorp Vault runtime on Hetzner is a standalone secret-management track.
Unseal Strategy
TazLab uses a 2-of-3 Shamir threshold:
- TazPod: Holds the full set of 3 recovery shares.
- Hetzner Host: Holds exactly 2 shares for automated local unseal.
- Restoration: Managed by the Classification and Restore logic.
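The 2-of-3 split above as an added example (not TazLab or Vault code): it shows that the Hetzner Host's 2 shares already meet the threshold, that any pair of shares does, and that a single share does not. The prime field, the constructed secret, and which share indices the host holds are assumptions made for illustration.

```python
import secrets
from itertools import combinations

PRIME = 2**127 - 1             # field modulus for this illustration only
DEMO_SECRET = 0x5EA1ED_C0FFEE  # constructed stand-in for the unseal key

def split(secret, threshold, n):
    """Shares {x: f(x)} of a random polynomial of degree threshold-1, f(0)=secret."""
    if not (1 < threshold <= n and 0 <= secret < PRIME):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 2)]
    coeffs.append(1 + secrets.randbelow(PRIME - 1))  # nonzero top coefficient
    def f(x):
        acc = 0
        for c in reversed(coeffs):   # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc
    return {x: f(x) for x in range(1, n + 1)}

def combine(points):
    """Lagrange interpolation at x=0 over the supplied shares."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def recovers(shares, held):
    """True if the share indices in `held` reconstruct DEMO_SECRET."""
    return combine({x: shares[x] for x in held}) == DEMO_SECRET

SHARES = split(DEMO_SECRET, threshold=2, n=3)
# Which indices the host keeps is an assumption; the page only says "exactly 2".
HOLDERS = {"TazPod": (1, 2, 3), "Hetzner Host": (1, 2)}

if __name__ == "__main__":
    for name, held in HOLDERS.items():
        print(f"{name}: {len(held)} shares, can unseal alone: {recovers(SHARES, held)}")
    for pair in combinations(SHARES, 2):
        print(f"pair {pair}: {recovers(SHARES, pair)}")
    print("single share 1:", recovers(SHARES, (1,)))
```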
Connectivity
Access is strictly restricted to the Tailscale Mesh.
See Also
- Lifecycle: Bootstrap and Restore
- Security: Tailnet Security
- Secret Flow: TazLab Secret Flow
- Hub: Ephemeral Castle Entity