Skip to main content

Passphrase-Protected Bots: How Strict Mode Encrypts Your Strategy Code

· 6 min read
VolatiCloud Team
VolatiCloud

Every cloud trading platform faces the same architectural problem: to run your bot, the server must read your strategy code and exchange credentials. VolatiCloud already encrypted API keys at rest with AES-256-GCM, but the encryption key was still platform-controlled. Strict mode changes that — your strategy code, bot configs, and exchange secrets are now protected by a passphrase the platform never holds.

VolatiCloud console dashboard showing active bots, strategies list, Fear and Greed index, and quick-action cards for backtests, exchanges, and alerts

The Trust Gap Nobody Talks About

Exchange API key security gets a lot of attention — withdrawal-disabled keys, egress IP allowlists, per-key permission scoping. These are important (see Exchange API Key Security), but they address one half of the exposure surface.

The less-discussed half: strategy code. The logic you've built — entry and exit conditions, indicator parameters, position-sizing callbacks — lives on a third-party server in plaintext. So does your bot configuration: stake amounts, leverage settings, advanced callbacks. Any operator with database access can read them.

VolatiCloud has always been upfront about this gap. The Encryption docs list exactly what was and wasn't encrypted at rest. Strict mode is the first major architectural step to close the remaining gap.

What Strict Mode Does

Strict mode adds a customer-supplied passphrase to the encryption stack. The derivation uses Argon2id — a memory-hard, GPU-resistant key derivation function recommended by OWASP for password hashing and key stretching. The Argon2id-derived key is combined with the platform's master key via envelope encryption.

The result: two parties each hold half the material needed to decrypt.

The platform cannot read your strategy code without your passphrase. You cannot decrypt without the platform's half of the key.

This is the cryptographic model behind enterprise customer-managed key systems. Strict mode applies the same pattern to trading bot secrets.

What Gets Protected

With strict mode enabled, the following resources are encrypted with your passphrase:

ResourceProtected fields
StrategiesFull source code
BotsSecure config paths (stake amount, callbacks, advanced settings)
ExchangesAPI key, API secret, passphrase, private key
RunnersDocker TLS certificates, kubeconfig payloads, S3 backup credentials

VolatiCloud Strategies list showing two strategies with version badges, trading modes, timeframes, and stake currency in a clean data grid

Non-sensitive fields — pair whitelists, timeframes, strategy names, runner namespaces — remain plaintext. The platform still needs to query and display these for the UI to function, so encrypting them would add friction with no meaningful security benefit.

The Workflow: Locked → Unlock → Edit → Save

When you open a strict-mode resource, you'll see a locked overlay — a visual indicator that the resource is passphrase-protected. Clicking "Unlock" opens the unlock modal. Enter your passphrase, the platform derives the decryption key, and the editable view loads.

When you save, updated fields are re-encrypted before transmission. The backend receives ciphertext. It stores ciphertext. It never processes your strategy source code in plaintext in a write context.

Per-action vs per-session strictness

Strict mode supports two unlock modes. Per-session unlocks once when you log in — convenient for active development. Per-action re-prompts on every save — appropriate for production bots you rarely touch. Start with per-session; tighten to per-action when a strategy goes live.

Passkeys: Hardware-Bound Recovery

A passphrase is only as recoverable as your memory. Forget it, and your encrypted resources are permanently inaccessible — no recovery path, by design. That's the security guarantee, and also the failure mode worth thinking about.

To mitigate this, VolatiCloud now supports passkey-bound recovery. When you enroll a FIDO2/WebAuthn authenticator — a hardware security key, your phone's biometrics, or a platform authenticator like Windows Hello — the platform binds a recovery artifact to the passkey credential. Lose your passphrase, authenticate with the registered hardware device, and you recover access.

The recovery key derivation runs in your browser's secure context. The recovery artifact never leaves the device's secure enclave in cleartext. This is as close to zero-knowledge recovery as is achievable without full BYOK.

To enroll: Organization → Security → Trust Policy → Passkeys. The enrollment flow walks you through registering your device and confirming the binding.

When to Enable Strict Mode

Enable it if:

  • Your strategy contains proprietary logic worth protecting — custom indicators, novel signal construction, hard-won parameter tuning
  • Your team includes members with view-secrets scope who can deploy bots but shouldn't have access to your full strategy source
  • You operate in an environment where trading IP confidentiality matters
  • You've ever been concerned about cloud platform exposure affecting your competitive edge

Consider waiting if:

  • You're in active strategy development — re-entering a passphrase on every save adds friction during iteration
  • You're running public or community strategies with no proprietary code
  • Your organization has a single admin managing everything anyway

The natural transition point is when a strategy graduates from development to production. During development, convenience matters. When a bot is running real capital and the strategy is stable, protection matters more.

How It Interacts with Team Permissions

Strict mode and team access control are independent layers that complement each other. A user with view-secrets scope can see your bot's API key metadata and runner config — but with strict mode enabled, the encrypted fields in your strategy code are inaccessible to them without the passphrase.

This means you can give a team member the ability to start and stop bots without exposing the underlying strategy logic. The Team Management guide covers how view-secrets scoping works; strict mode adds a layer on top.

The Trust Roadmap

Strict mode is Trust Tier 1 on VolatiCloud's published encryption roadmap:

TierStatusWhat it means
Tier 1ShippedPassphrase-derived key + platform key; neither is sufficient alone
Tier 2ShippedPasskey-bound recovery; hardware-anchored, browser-side decryption
Tier 3RoadmapBYOK — federate your own KMS (AWS KMS, GCP KMS, Azure Key Vault)

At Tier 3, you can revoke VolatiCloud's decrypt access by revoking the KMS grant. No key, no data. The full roadmap is documented in the Threat Model.

Get Started

Navigate to Organization → Security in the VolatiCloud console to set your organization passphrase and enroll a recovery passkey.

The Encryption docs cover the AES-256-GCM implementation, Argon2id key derivation parameters, and audit log behavior in detail. Every sensitive-field access is logged to your organization's audit trail — Organization → Audit Log — regardless of whether strict mode is enabled.

Strict mode protects your strategy code and configs from platform-side exposure. Exchange API Key Security covers the exchange-side picture — withdrawal-disabled keys, IP allowlists, runtime key hygiene. Together, they close the two main exposure surfaces for a running trading bot.