US Patent 12,455,973 B1 · Granted October 2025

Encryption that gives attackers nothing to find.

Most encryption systems leave keys, fragments, or plaintext on the working machine. Ours doesn't. TripleKey's patented two-device architecture keeps secrets in volatile memory only, tied to a hardware heartbeat that wipes everything the moment something looks wrong.

Patent

US 12,455,973 B1

Granted

Oct 28, 2025

The Problem

Conventional encryption leaves a trail. Attackers know exactly where to look.

Every encryption system has to put keys and decrypted data somewhere while it works. In most products, "somewhere" means the same hard drive that holds the encrypted data itself. That's the gap that breach forensics keep finding.

01

Keys persist on disk

When encryption keys are stored on the same machine doing the work, a single endpoint compromise hands attackers the keys to everything that machine has ever touched.

02

Plaintext lingers in cache

Decrypted files routinely get written to swap files, page files, temp directories, and backup snapshots. Recovery tools find them long after the user thinks the session ended.

03

No tamper detection

Most systems have no way to tell that something has gone wrong mid-operation. Decryption keeps running until it finishes, even when the device has already been compromised.

Our Approach

Two devices. Volatile memory only. A heartbeat that wipes everything when it stops.

This section is written twice: first for leaders, then for engineers. The mechanics are the same; only the framing changes.

Sensitive material lives where it can disappear

The keys and the unencrypted data only exist in temporary memory while the work is happening. Temporary memory wipes itself the instant the program closes or the power drops. There is no lingering copy on the hard drive for someone to recover later.

The master key lives on a separate device

The master key is held on a separate piece of hardware, like a USB device. The working computer has to be physically or securely connected to it to decrypt anything. No connection means no decryption, ever.

A constant check confirms nothing has been tampered with

The two devices send a continuous "heartbeat" to verify the right hardware is still connected, with the right serial number. If the heartbeat fails, even for a moment, the keys are immediately erased and the operation halts.

When the work ends, every trace is gone

The moment a session ends, the temporary memory is wiped. The key is gone. The decrypted data is gone. There is no audit trail of plaintext sitting around for an attacker, an insider, or a forensic recovery tool to find.

Hybrid asymmetric plus symmetric in volatile memory

Decryption requires both an asymmetric key pair and a symmetric key, applied in sequence inside the first device's stack or volatile memory. The non-volatile memory of the working device never holds the symmetric key or the resulting plaintext.

Symmetric key sourced from a hardware-isolated second device

The symmetric key is retrieved on demand from the non-volatile storage of a removable second device (USB, PCIe, or one-time-programmable memory). The key transits to volatile memory and is never persisted on the host.

Heartbeat-bound key lifecycle with serial verification

A heartbeat monitor on the first device continuously validates the second device's presence and serial identifier. Loss of signal or identifier mismatch triggers immediate key removal from volatile memory and halts the cryptographic operation in real time.

Deterministic memory deallocation post-operation

After decryption returns plaintext to the requesting context, the volatile region is explicitly deallocated. Symmetric key material and unencrypted data are removed in the same operation, eliminating residue in heap, stack, swap, or cache.

Architecture

The flow, end to end.

Six steps that describe what happens when a TripleKey customer decrypts sensitive data, and what happens the instant something is tampered with.

01

Encrypted Input

A request to decrypt arrives at the working device.

An authenticated user requests sensitive data. The encrypted payload is loaded into the working device's volatile memory only. It is never staged or cached on the host's hard drive.

02

Asymmetric Key

The user's private key is loaded into volatile memory.

The asymmetric key, half of a public/private pair, is retrieved into the same volatile memory region. Like everything else in this process, it lives there only for the length of the operation.

03

Hardware Anchor

The symmetric master key is pulled from a separate hardware device.

The second key, the symmetric one, is held on a physically separate device: a USB token, PCIe drive, or one-time programmable memory. It transits to the working device's volatile memory on demand and is never written to the host's disk.

04

Continuous Verification

A heartbeat verifies the second device throughout the operation.

While decryption runs, the working device continuously checks that the correct second device is still connected, by serial number. If the heartbeat drops or the serial mismatches, the keys are wiped from memory and the operation halts in real time.

05

Decryption

Both keys combine to produce plaintext, in memory only.

The asymmetric and symmetric keys are applied in sequence to produce the unencrypted result. The plaintext exists only in volatile memory while the user is actively viewing or working with it.

06

Wipe on Exit

When the session ends, every trace is destroyed.

The volatile memory region is explicitly deallocated. The symmetric key, the asymmetric key, and the plaintext are removed in the same operation. Nothing is left behind in cache, swap, page files, or the host's non-volatile storage.
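As an added illustration of the lifecycle described in steps 03 to 06 above (and in the engineer's framing of the heartbeat-bound key lifecycle earlier), this is a small C model, not code from the patent or from TripleKey: the symmetric key is copied into a session that lives only in memory, every block of the decryption polls the second device and checks its serial, and both the success path and the failure path end with the key zeroized through a volatile pointer. The `second_device` and `session` types, the `polls_until_unplug` simulation and the XOR stand-in for the real cipher are all constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#define KEY_LEN 32
/* Constructed stand-in for the removable second device: it has a serial and
 * answers heartbeat polls; polls_until_unplug (-1 = never) simulates a pull. */
typedef struct { uint32_t serial; bool present; int polls_until_unplug; } second_device;
/* Per-session state that must exist only in volatile memory. */
typedef struct { uint8_t sym_key[KEY_LEN]; uint32_t bound_serial; bool wiped; } session;
/* Zeroize through a volatile pointer so the compiler cannot drop the stores as dead writes. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* One heartbeat poll: is the device still answering? */
static bool device_poll(second_device *dev) {
    if (dev->polls_until_unplug >= 0 && dev->polls_until_unplug-- == 0) dev->present = false;
    return dev->present;
}

/* Step 03: copy the symmetric key into the session and bind it to the device serial. mlock keeps
 * the page out of swap; its result is ignored here only so the example runs under a small RLIMIT_MEMLOCK. */
static bool session_open(session *s, second_device *dev, const uint8_t *dev_key) {
    if (!device_poll(dev)) return false;
    (void)mlock(s, sizeof *s);
    memcpy(s->sym_key, dev_key, KEY_LEN);
    s->bound_serial = dev->serial;
    s->wiped = false;
    return true;
}

/* Step 06, and the failure path of step 04: key and partial plaintext go in one operation. */
static void session_wipe(session *s, uint8_t *pt, size_t len) {
    secure_zero(s->sym_key, KEY_LEN);
    if (pt) secure_zero(pt, len);
    s->wiped = true;
}

/* Steps 04-05: poll the heartbeat before every block; a missing device or a serial mismatch
 * wipes immediately. XOR stands in for the real symmetric cipher; only the lifecycle matters. */
static int session_decrypt(session *s, second_device *dev, const uint8_t *ct, uint8_t *pt, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (!device_poll(dev) || dev->serial != s->bound_serial) { session_wipe(s, pt, len); return -1; }
        pt[i] = ct[i] ^ s->sym_key[i % KEY_LEN];
    }
    session_wipe(s, NULL, 0);   /* success: the key is gone and the plaintext belongs to the caller */
    return 0;
}
```

A device pull part-way through a call to `session_decrypt` zeroes the partial plaintext together with the key, and a device whose serial differs from the one bound in `session_open` fails the same way.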

vs. Conventional Encryption

Where the difference shows up.

A side-by-side look at how the two architectures behave at the moments that matter most: when a device is compromised, when a session ends, and when something has been tampered with.

| Behavior | Conventional Encryption | TripleKey (US 12,455,973 B1) |
| --- | --- | --- |
| Where the key lives during decryption | On the same machine that holds the encrypted data, often persisted to disk. | In volatile memory only, sourced on demand from a separate hardware device. |
| Where decrypted data lives | Cached, swapped, or written to temp files on the host disk. | Volatile memory only. Never persisted to non-volatile storage. |
| If the laptop is stolen, lost, or imaged | Forensic recovery can surface keys, plaintext fragments, and session artifacts. | Nothing of value is on the disk. The drive is forensically empty of secrets. |
| Tamper detection during the operation | Typically none. The operation completes regardless of state changes. | Continuous heartbeat with serial verification. Failure halts and wipes immediately. |
| After the session ends | Residue in cache, swap, page files, and crash dumps is common. | Memory deallocated explicitly. Keys and plaintext removed in the same step. |
| Multi-tenant key isolation | Often shared infrastructure with logical separation only. | Each entity's symmetric key bound to its own physical device. No cross-decryption. |

Why it Matters

Three outcomes that show up in audits, breach reports, and customer questionnaires.

01

Smaller blast radius per endpoint

A compromised laptop or workstation no longer means compromised data. With nothing sensitive on the disk and no key recoverable from memory after the session, a single endpoint compromise stops at the endpoint.

02

Architectural answer to questionnaires

HIPAA, HITRUST, and enterprise security questionnaires increasingly ask how data is protected at rest and in use, not just whether it's encrypted. TripleKey can point to a patented, auditable architecture rather than a checkbox.

03

Defensible differentiation

Because the architecture is now patented in the United States, this isn't a feature competitors can copy overnight. For health systems evaluating long-term vendor risk, that's a meaningful signal of durability.

Where We Are Today

The patent is live inside TripleKey. We're building the path to bring it to you.

The architecture you just read about is already running inside the TripleKey platform. We're now engineering the productized version for customers, with three active pilots underway at multi-billion dollar organizations.

03

Active Pilots

$35B+

Combined Org Scale

2027

General Availability