About Glassbreak

Break-glass that survives the day your primary stack can't.

Glassbreak is an Australian company building a zero-knowledge, quorum-protected, multi-cloud break-glass surface for the credentials and emergency response no team can afford to lose access to.

AU: jurisdiction, governed by Australian law
2+1: independent compute clouds (third planned)
0: server-side decryption paths
T-of-N: quorum protection on team secrets

Why this exists

Too many organisations rely on a single person, a single password manager, or a single cloud provider to protect their most sensitive secrets. When disaster strikes — an outage, a key person leaving, a provider going down, an SSO failure that locks out the recovery path itself — these single points of failure turn a bad day into a catastrophic one.

Glassbreak exists because no team should be locked out of their own critical credentials during an emergency, and because the system you reach for in an emergency cannot itself depend on the system that is failing.

What we believe, and how we build it

Each card pairs a belief about how a break-glass platform should be built with the concrete mechanism that turns that belief into something you can verify. The cards are grouped by the kind of property each mechanism protects.

Zero-knowledge by construction (2 mechanisms)

Secrets are encrypted before they leave your device

What we believe

A vendor that can decrypt your secrets is one subpoena, breach, or rogue admin away from leaking them. The right answer is that they cannot decrypt them at all.

How we build it

AES-256-GCM on-device with keys derived from your passphrase via scrypt (N=2^16). The passphrase never leaves the browser. Server-side, we hold ciphertext and wrapped keys only.

Approval flows are server-as-relay only

What we believe

When the platform forwards a share between approvers, it has the opportunity to read it. We don't take that opportunity, and we'd rather not have it.

How we build it

Shares are re-wrapped to the requester's public key by the approver client-side. The platform forwards opaque ciphertext between participants. Even with full database access, we cannot reconstruct the secret.

Quorum, not trust (2 mechanisms)

Team secrets need T-of-N approval, enforced by the database

What we believe

A single person holding the keys is a single point of failure — whether they're malicious, missing, or just on holiday. Trust should be distributed, and the system should enforce it.

How we build it

Shamir's Secret Sharing over GF(2^8). A database CHECK constraint allows only (T=1,N=1) personal secrets or (T≥2,N≥T) team secrets. Below threshold, the shares are zero-information — a polynomial property, not a policy choice.

No master key, no service share, no escrow

What we believe

The temptation to keep a 'just in case' key is enormous. We don't have one. If you lose your quorum, the data is gone — that is the trade we offer.

How we build it

No back-channel decryption path exists in the code. The codebase is open to inspection on request. The trade is explicit in the Terms — recoverability is your quorum, full stop.

Independent of your stack (2 mechanisms)

Glassbreak does not run on your cloud

What we believe

A break-glass platform that shares infrastructure with the system it backs up is not break-glass — it is the same fragility, twice.

How we build it

Two independent stacks today: AWS Lambda + Neon Postgres (Frankfurt) and Scaleway Functions + Scaleway Serverless SQL (Paris). A third vertical (Fly.io / GCP) is queued. No shared database, control plane, or IdP.

Multiple ways in, none of them shared

What we believe

A single CDN or DNS provider is a single point of failure. The brand surface should survive any one provider going dark.

How we build it

Three independent surfaces with separate registrars: glassbreak.io (Fastly-routed), glassbreak.cloud (Scaleway-direct, EU-pure), glass-break.com (CloudFront-fronted Lambda, US-direct). Pick whichever is healthy.

Auditable, end to end (2 mechanisms)

Every secret access is its own log entry

What we believe

Session-level logging hides what happened inside the session. Auditors and incident responders need to know exactly which credential, when, by whom, with whose approval.

How we build it

Per-secret immutable log with requester, approvers (T of N), reason, timestamp, IP / device. Cryptographically integrity-checked. Exportable to your SIEM via the API.

Compliance is a property of the architecture

What we believe

If compliance requires bolt-on policy, it falls down when policy slips. The architecture itself should make non-compliant operation impossible.

How we build it

The DB CHECK enforces quorum on team secrets. Zero-knowledge enforces that no operator can read content. Audit log entries are immutable. SOC 2 CC6, ISO 27001 A.5.15, NIST CSF Govern + Protect read cleanly off it.
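An added example, not Glassbreak's schema, of the rule the card describes expressed as a database CHECK constraint: only (T=1, N=1) personal secrets or (T>=2, N>=T) team secrets can be stored, and a one-approver "team" is rejected by the database rather than by application policy. Table and column names are assumed; SQLite is used in memory so it runs offline.

```python
import sqlite3

# Assumed table layout; the product's real schema is not published on the page.
SCHEMA = """
CREATE TABLE secrets (
    id          INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    threshold   INTEGER NOT NULL,   -- T: approvals needed to reconstruct
    share_count INTEGER NOT NULL,   -- N: shares issued
    CHECK (
        (threshold = 1 AND share_count = 1)               -- personal secret
        OR (threshold >= 2 AND share_count >= threshold)  -- team secret with a real quorum
    )
);
"""


def open_db() -> sqlite3.Connection:
    """Create an in-memory database carrying the quorum constraint."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def try_create(conn: sqlite3.Connection, name: str, t: int, n: int) -> bool:
    """Return True if the database accepted the (T, N) pair, False if the CHECK rejected it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO secrets (name, threshold, share_count) VALUES (?, ?, ?)",
                (name, t, n),
            )
        return True
    except sqlite3.IntegrityError:
        return False
```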

Principles

The shorter, plain-language version of what is encoded in the architecture above.

Privacy-first

Client-side encryption. Privacy-respecting analytics (Plausible, EU-hosted). No tracking cookies, no invasive data collection.

Open about the trade-offs

We are explicit that lost quorum means lost data. We do not hide that in the small print, and we will not bend the architecture to soften it.

Independent of your stack — by construction

Glassbreak does not run on your cloud, does not share your DNS, does not authenticate through your IdP. By construction, your outage is not Glassbreak's outage.

Quorum, not trust

T-of-N Shamir split with a database CHECK constraint. No server-held extra share, no escrow, no per-secret service key.

Audit everything

Per-access log entries. Tamper-evident records. Failed logins, share retrievals, impersonations, GDPR requests — all in one immutable trail.

Australian-grounded, globally available

Operating from Australia under Australian law, with sub-processors and infrastructure spanning the EU and US for the resilience the product depends on.

Company

Operating name: Glassbreak
Jurisdiction: Australia — services governed by Australian law
Product: zero-knowledge secret sharing and emergency response
Sub-processors: /legal/sub-processors

Security & disclosure

We take security reports seriously. Please disclose responsibly before any public mention.

Email: security@glassbreak.io
PGP: available on request
Scope: glassbreak.io / .cloud / glass-break.com and their API surfaces
SLA: we aim to acknowledge within two business days

Contact

General
hello@glassbreak.io

Product questions, partnerships, press.

Support
support@glassbreak.io

Account help, bugs, integration questions.

Privacy
privacy@glassbreak.io

GDPR / CCPA / Australian Privacy Act requests.

Legal
legal@glassbreak.io

Contracts, DPAs, sub-processor enquiries.

Build it into your disaster recovery plan

Free tier: one team, five members. Enough to validate the recovery flow against a real production credential before the next BCP audit.

Glassbreak is a break-glass platform, not a replacement for your primary secrets store. Run both — Glassbreak as the layer that survives the day your primary cannot reach itself.
