# Insights

> Practitioner-level pieces on key-management architecture, zero-custody cryptography, and the alternatives to keeping secrets at rest.

- [The Shift No One Saw Coming](https://www.lokblok.co/insights/the-shift-no-one-saw-coming) — State level attacks play different
- [Access Control Failures Drive $1.6B in Losses](https://www.lokblok.co/insights/access-control-failures-drive-16b-in-losses) — The weakest link in blockchain security isn't the blockchain at all. It's key management.
- [GENIUS & The Custody Paradox](https://www.lokblok.co/insights/genius-the-custody-parado) — More Custody Doesn't Mean More Security
- [The Bybit Lesson](https://www.lokblok.co/insights/the-bybit-lesson) — Lessons learned from the Bybit hack
- [The Crypto-Agility Test](https://www.lokblok.co/insights/the-crypto-agility-test) — If You Can't Rotate Keys Today, You Won't Survive Algorithm Migration Tomorrow
- [The Human Attack Surface: How Lokblok Would Have Stopped the Drift Protocol Breach](https://www.lokblok.co/insights/the-human-attack-surface-how-lokblok-would-have-stopped-the-drift-protocol-breach) — Yesterday's assumptions about key security no longer hold water
- [Alternatives to MPC custody: when threshold key shares are still keys](https://www.lokblok.co/insights/alternatives-to-mpc-custody) — Multi-party computation custody distributes key shares across operators, but the shares still exist at rest. Map the failure modes of MPC and the case for on-demand reconstruction without persistent shares.
- [Delegate signing without giving up keys: hierarchical signatures explained](https://www.lokblok.co/insights/delegation-without-custody) — Conventional delegation hands over the key. Hierarchical signatures grant the right to sign, under specific conditions, for a bounded time, without ever transferring the key material.
- [HSM vs MPC vs zero-persistence: a decision framework](https://www.lokblok.co/insights/hsm-vs-mpc-vs-zero-persistence) — Three models for protecting cryptographic keys, each with honest tradeoffs. Where each one fits, where each one breaks, and how zero-persistence reconstruction sits alongside the established two.
- [How to eliminate stored private keys: a practitioner's guide](https://www.lokblok.co/insights/eliminate-stored-private-keys) — Walk the four storage models, HSM, MPC shares, encrypted backups, seed phrases, and the fifth model that removes the storage problem altogether: ephemeral reconstruction inside hardware.
- [Insider threat and cryptographic keys: why human-process controls run out of road](https://www.lokblok.co/insights/insider-threat-cryptographic-keys) — Rotation policies, dual control, and access reviews mitigate insider risk. They cannot eliminate it as long as a privileged operator can read, copy, or assemble the key. Cryptographic non-possession can.
- [MiCA-compliant custody architecture: a technical reading](https://www.lokblok.co/insights/mica-compliant-custody-architecture) — MiCA Article 67 and 70 require segregation of client crypto-assets and demonstrable key control. A zero-custody architecture maps cleanly onto both requirements without operator-level controls.
- [Payment system key architecture: removing keys-at-rest from the chain](https://www.lokblok.co/insights/payment-system-key-architecture) — Payment cryptography concentrates risk in a long-lived ZMK/ZPK hierarchy. A zero-persistence runtime adds per-operation reconstruction without disturbing the certified HSM substrate underneath.
- [Post-quantum key management: why algorithms aren't enough](https://www.lokblok.co/insights/post-quantum-key-management) — Migrating to post-quantum algorithms is necessary but not sufficient. Stored keys remain a harvest-now-decrypt-later target until you remove the storage assumption itself.
- [Wallet recovery without seed phrases: quorum-based threshold reconstruction](https://www.lokblok.co/insights/recovery-without-seed-phrases) — Seed phrases trade one failure mode for another: the wallet can survive without the device, but only if the user can survive without losing a piece of paper. Quorum-based reconstruction removes both failure modes.
- [Zero-trust key management: extending Never Trust, Always Verify into the cryptographic layer](https://www.lokblok.co/insights/zero-trust-key-management) — Zero-trust networking removes the assumption of a trusted perimeter. Zero-trust key management removes the assumption of a trusted key store. Both rely on the same principle: nothing is safe by virtue of where it sits.