# Cryptograph

> Cryptograph is the hardware wallet for Apple Watch. Sign crypto transactions from your wrist while your keys stay on-watch, secured by Apple's Secure Enclave.

Cryptograph is a crypto wallet built around Apple Watch as the signing authority. The watch generates the wallet, secures its encrypted mnemonic with the Secure Enclave, and approves every signature on-watch. The iPhone companion app displays your portfolio, prepares requests, and handles networking. Signing happens on the watch.

Security features include Time Lock delays, location-aware spend limits, hold-to-approve transaction signing, readable transaction details, contract address checks, and a verified contract registry. Portfolio widgets and watch complications show value, prices, allocation, and recent movement at a glance. Recovery is via an encrypted printed Recovery Sheet or Photo Backup, which can hide an encrypted backup in an ordinary photo.

No account. No analytics. No trackers. No customer database. Nothing to hack. Nothing to leak.

Supported chains: Bitcoin, Ethereum, Solana, Base, BNB Smart Chain, Arbitrum, Polygon, TRON, XRP Ledger, Zcash, and more.

## Trust Model

- Users trust Apple's Secure Enclave hardware and watchOS security protections.
- Users trust Cryptograph's wallet implementation. Security-critical code is open source (https://cryptograph.watch/opensource.html).
- Private spending keys stay on the watch. Cryptograph does not run a custody backend or hold customer keys.
- The app uses network services for balances, prices, and optional notifications, but no account is required.
- The app is distributed exclusively through the Apple App Store.

## Supply Chain Security

**Updatable wallets require trust.** A compromised update can misuse legitimate key-access paths. True for any wallet with updatable software or firmware.

**The update mechanism is the security boundary.** A hardware wallet is only as trustworthy as its latest firmware update.
The device is not the boundary; the update path is.

**Complexity expands the attack surface.** Firmware, companion apps, update channels, dependencies: every layer increases the trusted computing base.

**Cryptograph keeps the critical path narrow.** Keys on the watch, signing on the watch, no backend custody, no large host application.

**Independent distribution adds friction.** App Store review is an independent gate, not a guarantee, but an attacker must compromise both the developer and pass external review.

**Small, inspectable code surface.** Native code, small dependency surface, security-critical components open source.

The goal is not to eliminate trust, but to make it visible.

## Limits

- Compromised updates: Any updatable wallet must trust its update mechanism. If an attacker compromises the developer's build pipeline, a tampered version of the app can misuse legitimate key-access paths and exfiltrate secrets. Secure Enclave protects keys at rest, not against a compromised version of the app at runtime. Mitigated by narrow key use, App Store distribution, and publicly inspectable security-critical code.
- Apple platform compromise (Secure Enclave breach) is out of scope. Cryptograph trusts Apple hardware.
- User mishandling of recovery material (weak PIN, exposed Recovery Sheet) is not preventable.
- Physical coercion is mitigated by Time Lock delays but not fully solved against sustained attackers.

## FAQ

**Where are private keys stored?** On the Apple Watch only. Encrypted by a Secure Enclave key. Never in iCloud or iTunes backups.

**Does the phone ever see my private keys?** No. Private keys never reach the phone in plaintext. The watch signs; the phone relays.

**What does the watch do vs. the phone?** The watch is the signing authority: generates keys, stores them, decodes transactions, signs. The phone is transport: displays portfolio, handles networking, relays unsigned transactions. The phone cannot sign.

**What happens if the watch passcode is removed?** watchOS permanently destroys all Keychain-stored keys, including your wallet. Restore from Recovery Sheet or Photo Backup.

**Are backups encrypted?** Yes. Encrypted on-watch before any data reaches the phone. PBKDF2 (1M iterations) + ChaCha20-Poly1305.

**Can iCloud restore my wallet?** No. Keys stored with `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`, excluded from all backups.

**What happens if I lose my watch?** Keys are gone with the watch. Restore from Recovery Sheet or Photo Backup.

**What happens if I lose my recovery material?** If you lose both watch and all recovery material, funds are permanently inaccessible. No backdoor, no server recovery, no override.

**Can Cryptograph access my funds?** No. Non-custodial. We never see, store, or have access to private keys.

**Can Apple access my funds?** No. Secure Enclave key is hardware-bound and not exportable. Apple has no mechanism to access your funds.

**Can app updates compromise my wallet?** Any updatable wallet must trust its update mechanism. If an attacker compromises the developer's build pipeline, a tampered version of the app can misuse legitimate key-access paths and exfiltrate secrets. Secure Enclave protects keys at rest, not against a compromised version of the app at runtime. Mitigated by narrow key use, App Store distribution, and publicly inspectable security-critical code.

**What do I have to trust?** Apple Secure Enclave + watchOS. Cryptograph's implementation. App Store distribution. No server, cloud, or custodian trust required.

**What does this not protect against?** Compromised updates (mitigated, not eliminated). Apple platform compromise. Loss of all recovery material. Sustained physical coercion beyond Time Lock delay.
## Product

- [Homepage](https://cryptograph.watch/)
- [How It Works](https://cryptograph.watch/how-it-works.html)
- [FAQ](https://cryptograph.watch/faq.html)
- [Operation Guide](https://cryptograph.watch/docs.html)

## Security

- [Technical Security Overview](https://cryptograph.watch/security.html)
- [Bug Bounty Program](https://cryptograph.watch/bug-bounty.html)
- [Time Lock & Anti-Coercion](https://cryptograph.watch/docs.html#time-lock)
- [Location Lock](https://cryptograph.watch/docs.html#location-lock)
- [Transaction Verification](https://cryptograph.watch/security.html#transaction-verification)
- [Signing Authorization](https://cryptograph.watch/security.html#signing-authorization)

## Privacy

- [Privacy Policy](https://cryptograph.watch/privacy.html)
- [Zero-Knowledge Architecture](https://cryptograph.watch/#privacy)

## Recovery

- [Recovery Sheet & Photo Backup](https://cryptograph.watch/docs.html#recovery-sheet)
- [Recovery Encryption Details](https://cryptograph.watch/security.html#recovery-encryption)

## Support

- [Support & Troubleshooting](https://cryptograph.watch/support.html)
- [Contact: support@cryptograph.watch](mailto:support@cryptograph.watch)

## Legal

- [Terms of Service](https://cryptograph.watch/terms.html)
- [Privacy Policy](https://cryptograph.watch/privacy.html)

## Open Source

- [Open Source Philosophy & Repositories](https://cryptograph.watch/opensource.html)
- [GitHub: perpetua-engineering](https://github.com/perpetua-engineering)
- [Third-Party Licenses](https://cryptograph.watch/LICENSES.txt)