Okay provides a unique, «extra-paranoid» secure storage:
- Private keys are generated during the enrolment process and cached code blocks are stored encrypted on the device
- Encryption keys for the storage are not kept on the client; new encryption keys are required to unlock the storage on every access
- Storage is re-encrypted for each access
- Provides a very small attack surface, even for malware with root access
The secured storage is also included in the integrity test verification: if the device changes too much, the secure storage can’t be decoded.