Ephemeral Castle Vault Runtime Architecture

The LushyCorp Vault runtime on Hetzner is a standalone secret-management track.

Unseal Strategy

TazLab uses a 2-of-3 Shamir threshold:

  • TazPod: Holds the full set of 3 recovery shares.
  • Hetzner Host: Holds exactly 2 shares for automated local unseal.
  • Restoration: Managed by the Classification and Restore logic.
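The 2-of-3 scheme above, as an added example that is not TazLab's or Vault's own code: it splits a key into 3 shares, recovers it from any 2, and reports which holders meet the threshold on their own. Assumptions: a prime field is used for readability (Vault's Shamir implementation works byte-wise over GF(2^8)), and the function names and `HOLDINGS` table are hypothetical.

```python
import secrets

# Assumption: prime field for readability; Vault itself uses GF(2^8) per byte.
PRIME = 2**127 - 1
THRESHOLD, SHARES = 2, 3

def split(secret, k=THRESHOLD, n=SHARES):
    """Return n points on a random degree-(k-1) polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation
            acc = (acc * x + c) % PRIME
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]

def combine(shares):
    """Lagrange-interpolate f(0) from the supplied (x, y) shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def holders_meeting_threshold(holdings, k=THRESHOLD):
    """Names of holders that can reconstruct the key alone (>= k shares)."""
    return sorted(name for name, count in holdings.items() if count >= k)

# Constructed table mirroring the share distribution listed above.
HOLDINGS = {"TazPod": 3, "Hetzner Host": 2}

if __name__ == "__main__":
    key = secrets.randbelow(PRIME)  # constructed stand-in for the unseal key
    shares = split(key)
    print("any two shares recover the key:", combine(shares[1:]) == key)
    print("one share alone recovers the key:", combine(shares[:1]) == key)
    print("holders at or above threshold:", holders_meeting_threshold(HOLDINGS))
```

Because the Hetzner host holds exactly the threshold number of shares, the host's disk contents are equivalent to the unseal key and need the same protection.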

Connectivity

Access is strictly restricted to the Tailscale Mesh.

See Also