FAQ
Common questions about Perpetua Cryptograph
- Keys are generated and stored on Apple Watch
- The watch is the signing authority. The phone is transport
- Private keys never reach the phone in plaintext
- Backups are encrypted on-watch before export
- Removing the watch passcode destroys access to stored keys
- No accounts, no cloud, no custody
Keys & Storage
Where are private keys stored?
On the Apple Watch only. Keys are generated on the watch and stored in its Keychain, encrypted by a key in the Secure Enclave. Keys are never included in iCloud backups, iTunes backups, or any cloud sync.
What happens if the watch passcode is removed?
watchOS permanently destroys all Keychain-stored keys, including your wallet. This is Apple operating system behavior. Restore from your Recovery Sheet or Photo Backup.
Phone vs. Watch
What does the watch do vs. the phone?
The watch is the signing authority: it generates keys, stores them, decodes transactions, and signs. The phone is transport: it displays your portfolio, handles networking, and relays unsigned transactions to the watch. The phone cannot sign.
Does the phone ever see my private keys?
No. Private keys never reach the phone in plaintext. The watch signs; the phone relays.
Recovery
Are backups encrypted?
Yes. Backups are encrypted on-watch before any data reaches the phone. The phone never sees plaintext recovery data. Encryption uses PBKDF2 (1,000,000 iterations) + ChaCha20-Poly1305, secured with a PIN or passphrase you choose on the watch.
Can iCloud restore my wallet?
No. Keys are stored with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, which excludes them from all backups. Use your Recovery Sheet or Photo Backup.
What happens if I lose my watch?
Your keys are gone with the watch. Restore from your Recovery Sheet or Photo Backup on a new Apple Watch.
What happens if I lose my recovery material?
If you lose both the watch and all recovery material (Recovery Sheet and Photo Backup), your funds are permanently inaccessible. There is no backdoor, no server recovery, no override.
Trust & Security
Can Perpetua access my funds?
No. Perpetua is non-custodial. We never see, store, or have access to private keys. We cannot freeze, access, reverse, or recover your funds.
Can Apple access my funds?
No. The Secure Enclave key is hardware-bound and not exportable. Apple cannot extract it. Keys are excluded from all backups. Apple has no mechanism to access, freeze, or transfer your funds.
Can app updates compromise my wallet?
Any updatable wallet must trust its update mechanism. If an attacker compromises the developer's build pipeline, a tampered version of the app can misuse legitimate key-access paths and exfiltrate secrets. Secure Enclave protects keys at rest, not against a compromised version of the app at runtime. Cryptograph reduces this risk by keeping key use narrow and visible, distributing through Apple's App Store (independent friction), and making security-critical code publicly inspectable.
What do I have to trust?
Apple's Secure Enclave and watchOS security model. Perpetua's wallet implementation. App Store distribution. You do not need to trust any server, cloud service, or custodian. Full breakdown on How It Works.
What does this not protect against?
Compromised updates (mitigated, not eliminated). A fundamental Apple platform compromise. Loss of all recovery material. Sustained physical coercion beyond your configured Time Lock delay.