> In most cases there is no real way for a Nostr account to be a practical thing to use without the possibility of a human being laying eyes on the nsec.
If nsec is generated inside an enclave and bunker url is returned then no human has seen it.
If some "policy" was provided when nsec was generated, like "require m-of-n multisig to change perms, rotate the bunker url, change this policy, etc", then a board of directors can control the nsec without seeing it, and if one of the humans leaves they can change the policy and the bunker url.
Does this make any sense, or is there still a fundamental flaw here and we're just kicking the can?
> If nsec is generated inside an enclave and bunker url is returned then no human has seen it.
That's true, but if the electricity fails and the RAM clears then what? Of course you can have the code do two things at once, generate the nsec and then encrypt it to the key of another enclave and send it there as a backup, but then you need that other enclave to exist at the time you push the image. (If you allow informing an enclave of new backup enclaves after the fact via vsock then now the power has leaked outside anyway, that vector is now open.)
> If some "policy" was provided when nsec was generated, like "require m-of-n multisig to change perms, rotate the bunker url, change this policy, etc", then a board of directors can control the nsec without seeing it, and if one of the humans leaves they can change the policy and the bunker url.
Yup, but still what if the RAM clears? Or AWS decides to stop your machine for some arcane reason? Meaning you'd still need a way to get the nsec out of there. And if you have to get it out eventually then feels to me like you may as well just start with it outside in the first place, shard it and upload the shards to multiple enclaves, etc. (very expensive). End of the day it does feel like kicking the can to be honest.
For an individual user it's fine, no problem with them knowing their own nsec and keeping it locally while signing from a nitro enclave for convenience. That's all great stuff. It's just that with a company account I can't see any way that isn't kicking the can. Who knows though, sometimes solutions come round and bonk you on the head.
Sent you DM.