# Perpetua Cryptograph

> Perpetua Cryptograph is the first wearable cryptocurrency wallet, built for Apple Watch. Private keys are generated and stored on the watch, secured by Apple's Secure Enclave. The watch is the signing authority. The iPhone acts as an untrusted display and network proxy. Keys never leave your wrist. No account, no email, no name, no tracking. Zero-knowledge architecture.

Cryptograph is the first wearable wallet — built for Apple Watch. The watch generates and stores all private keys in its Secure Enclave. The iPhone companion app displays your portfolio and initiates transactions, but every signature must be approved on the watch. The phone never sees private spending keys or mnemonics.

Security features include Time Lock (configurable 1–7 day delays and rolling spend limits), Location Lock (geographic spend restrictions), hold-to-approve transaction signing, full on-watch transaction decoding, and a verified contract registry.

Recovery is via an encrypted printed Recovery Sheet or steganographic Photo Backup. No cloud, no servers.

Supported chains: Bitcoin (BTC), Ethereum (ETH), Base (L2), Solana (SOL), and Zcash (ZEC) including shielded transactions via Orchard.

## Trust Model

- Users trust Apple's Secure Enclave hardware and watchOS security protections.
- Users trust Perpetua's wallet implementation. Security-critical code is open source (https://perpetua.watch/opensource.html).
- No backend custody, no server trust, no accounts, no cloud dependency.
- The app is distributed exclusively through the Apple App Store.

## Supply Chain Security

**Updatable wallets require trust.** A compromised update can misuse legitimate key-access paths. True for any wallet with updatable software or firmware.

**The update mechanism is the security boundary.** A hardware wallet is only as trustworthy as its latest firmware update. The device is not the boundary; the update path is.


**Complexity expands the attack surface.** Firmware, companion apps, update channels, dependencies: every layer increases the trusted computing base.

**Perpetua keeps the critical path narrow.** Keys on the watch, signing on the watch, no backend custody, no large host application.

**Independent distribution adds friction.** App Store review is an independent gate, not a guarantee, but an attacker must compromise both the developer and pass external review.

**Small, inspectable code surface.** Native code, small dependency surface, security-critical components open source.

The goal is not to eliminate trust, but to make it visible.

## Limits

- Compromised updates: Any updatable wallet must trust its update mechanism. If an attacker compromises the developer's build pipeline, a tampered version of the app can misuse legitimate key-access paths and exfiltrate secrets. Secure Enclave protects keys at rest, not against a compromised version of the app at runtime. Mitigated by narrow key use, App Store distribution, and publicly inspectable security-critical code.
- Apple platform compromise (Secure Enclave breach) is out of scope. Cryptograph trusts Apple hardware.
- User mishandling of recovery material (weak PIN, exposed Recovery Sheet) is not preventable.
- Physical coercion is mitigated by Time Lock delays but not fully solved against sustained attackers.

## FAQ

**Where are private keys stored?** On the Apple Watch only. Encrypted by a Secure Enclave key. Never in iCloud or iTunes backups.

**Does the phone ever see my private keys?** No. Private keys never reach the phone in plaintext. The watch signs; the phone relays.

**What does the watch do vs. the phone?** The watch is the signing authority: generates keys, stores them, decodes transactions, signs. The phone is transport: displays portfolio, handles networking, relays unsigned transactions. The phone cannot sign.


**What happens if the watch passcode is removed?** watchOS permanently destroys all Keychain-stored keys, including your wallet. Restore from Recovery Sheet or Photo Backup.

**Are backups encrypted?** Yes. Encrypted on-watch before any data reaches the phone. PBKDF2 (1M iterations) + ChaCha20-Poly1305.

**Can iCloud restore my wallet?** No. Keys stored with `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`, excluded from all backups.

**What happens if I lose my watch?** Keys are gone with the watch. Restore from Recovery Sheet or Photo Backup.

**What happens if I lose my recovery material?** If you lose both watch and all recovery material, funds are permanently inaccessible. No backdoor, no server recovery, no override.

**Can Perpetua access my funds?** No. Non-custodial. We never see, store, or have access to private keys.

**Can Apple access my funds?** No. Secure Enclave key is hardware-bound and not exportable. Apple has no mechanism to access your funds.

**Can app updates compromise my wallet?** Any updatable wallet must trust its update mechanism. If an attacker compromises the developer's build pipeline, a tampered version of the app can misuse legitimate key-access paths and exfiltrate secrets. Secure Enclave protects keys at rest, not against a compromised version of the app at runtime. Mitigated by narrow key use, App Store distribution, and publicly inspectable security-critical code.

**What do I have to trust?** Apple Secure Enclave + watchOS. Perpetua's implementation. App Store distribution. No server, cloud, or custodian trust required.

**What does this not protect against?** Compromised updates (mitigated, not eliminated). Apple platform compromise. Loss of all recovery material. Sustained physical coercion beyond Time Lock delay.


## Product

- [Homepage](https://perpetua.watch/)
- [How It Works](https://perpetua.watch/how-it-works.html)
- [FAQ](https://perpetua.watch/faq.html)
- [Operation Guide](https://perpetua.watch/docs.html)

## Security

- [Technical Security Overview](https://perpetua.watch/security.html)
- [Time Lock & Anti-Coercion](https://perpetua.watch/docs.html#time-lock)
- [Location Lock](https://perpetua.watch/docs.html#location-lock)
- [Transaction Verification](https://perpetua.watch/security.html#transaction-verification)
- [Signing Authorization](https://perpetua.watch/security.html#signing-authorization)

## Privacy

- [Privacy Policy](https://perpetua.watch/privacy.html)
- [Zero-Knowledge Architecture](https://perpetua.watch/#privacy)

## Recovery

- [Recovery Sheet & Photo Backup](https://perpetua.watch/docs.html#recovery-sheet)
- [Recovery Encryption Details](https://perpetua.watch/security.html#recovery-encryption)

## Support

- [Support & Troubleshooting](https://perpetua.watch/support.html)
- [Contact: support@perpetua.watch](mailto:support@perpetua.watch)

## Legal

- [Terms of Service](https://perpetua.watch/terms.html)
- [Privacy Policy](https://perpetua.watch/privacy.html)

## Open Source

- [Open Source Philosophy & Repositories](https://perpetua.watch/opensource.html)
- [GitHub: perpetua-engineering](https://github.com/perpetua-engineering)
- [Third-Party Licenses](https://perpetua.watch/LICENSES.txt)