A Nobel Prize-Worthy Argument for Data Protection

How a Hungarian chemist dissolved Nobel Prize medals to save them from the Nazis — and what it teaches us about protecting what matters most.

In April 1940, a Hungarian chemist named George de Hevesy had a problem that no amount of clever engineering could solve in the conventional way.

Two Nobel Prize medals — solid gold, 23 karats, engraved with the names of their owners — were sitting in Niels Bohr's Institute of Theoretical Physics in Copenhagen. They belonged to German physicists Max von Laue and James Franck, both of whom had smuggled their medals out of Nazi Germany because owning gold was effectively a capital offense. The medals were supposed to be safe in Copenhagen. Then the Nazis invaded Denmark.

De Hevesy had maybe hours before German soldiers searched the institute. The medals were heavy, conspicuous, and inscribed with names that would get their owners killed. Burying them was out — Bohr pointed out that the Germans would dig up the grounds. Hiding them was futile. A pair of gold medals engraved with the names of wanted men isn't exactly something you tuck behind a filing cabinet.

So de Hevesy did something that, if you think about it long enough, contains the entire philosophy of modern data protection in a single afternoon.

He dissolved them.

The Chemistry of Disappearance

Gold is one of the most stable elements on Earth. It doesn't rust, doesn't tarnish, doesn't react with almost anything. Strong acids that would burn through other metals leave gold completely untouched. It's part of why humans have prized the stuff for millennia — it endures.

But there's one exception: aqua regia. A mixture of three parts hydrochloric acid and one part nitric acid. Separately, neither acid can touch gold. Together, they dissolve it completely.

While Nazi soldiers marched through the streets of Copenhagen, de Hevesy combined the acids and dropped in the two medals. It wasn't fast — these were 200-gram gold discs, 66 millimeters across. But slowly, the gold disappeared, transforming into a bright orange liquid indistinguishable from any other beaker of chemicals in a working laboratory.

He placed the flask on a shelf among hundreds of other bottles of colorful, unfriendly-looking solutions. And waited.

When the Nazis searched the institute, they were thorough. They examined documents, equipment, anything that looked valuable or suspicious. They did not pick up the beaker of orange liquid. They did not question it. They were looking for gold medals, and gold medals no longer existed.

De Hevesy fled to Sweden in 1943. When he returned after the war, the beaker was exactly where he'd left it. He reversed the chemistry, precipitated the gold back out of solution, and sent it to Stockholm. The Nobel Foundation recast the medals and returned them to von Laue and Franck in 1952.

The gold was the same. The information — the engravings, the form, the evidence — had been temporarily destroyed and then reconstituted. The medals survived the war precisely because, for five years, they didn't exist as medals.

The Lesson Nobody in Cybersecurity Wants to Hear

I tell this story a lot, and people usually respond with some version of "that's a great anecdote." Then they go back to managing their key vaults.

But here's what de Hevesy understood intuitively that the cybersecurity industry has spent decades failing to internalize: the best way to protect something valuable isn't to build a better vault. It's to make the valuable thing temporarily cease to exist in a recognizable form.

The Nazis didn't fail because they lacked resources or determination. They had both in abundance. They failed because they were looking for gold medals, and gold medals weren't there to be found. The gold still existed — the atoms were right there on the shelf — but in a form that was completely useless to anyone who didn't know exactly how to reverse the process.

Now think about how the data protection industry works today. We take valuable data. We encrypt it with keys. We store those keys in vaults. We protect the vaults with access controls. We rotate the keys on schedules. We audit the rotation. We monitor the access controls. We build elaborate, expensive infrastructure whose entire purpose is to keep a secret — the key — safe for as long as the data needs to be protected.

We are, in effect, building a really impressive hiding place for gold medals and hoping nobody digs up the garden.

The Key Management Problem Is the Whole Problem

I'm going to be specific about this, because vagueness is how the industry avoids confronting it.

Every major data breach that involves encrypted data ultimately traces back to the same failure: someone, somewhere, got access to the keys. Not because the encryption algorithm was broken. Not because the math was wrong. Because the keys — the physical, persistent, stored-somewhere-and-managed-by-someone keys — were compromised.

This shouldn't surprise anyone. Key management infrastructure is, by definition, attack surface. HSMs have firmware vulnerabilities. Key vaults have API endpoints. Rotation policies have timing windows. Bootstrap processes have chicken-and-egg trust problems. Service accounts that access key management systems have credentials that can be phished, leaked, or misconfigured.

And that's before we talk about the insider threat, the supply chain risk, or the fact that your key management system probably has a support portal accessible to a vendor's level-two engineer in a jurisdiction you've never thought about.

The industry's response to this has been, essentially: build a better vault. Add more layers. Rotate faster. Monitor more closely. It's the cybersecurity equivalent of burying the medals deeper in the garden. The Nazis will dig deeper.

What De Hevesy Got Right

De Hevesy's genius wasn't in the chemistry — aqua regia had been dissolving gold since the 14th century. His genius was in recognizing that the form of the thing was the vulnerability. Gold medals are findable. Gold in solution isn't. The same atoms, in a different state, become invisible to the threat.

This is exactly the principle behind ephemeral frame encryption.

At HyperSphere, we don't build better vaults. We dissolve the medals.

Our technology fragments data into frames and encrypts each frame with keys that exist only for the instant they're needed — the moment of encryption or decryption. Then they're gone. Not stored in a vault. Not rotated on a schedule. Not managed by infrastructure that can be compromised. Gone, like gold dissolved in acid.

To be clear about the chemistry of our metaphor: the keys exist. Just as the gold atoms still existed in de Hevesy's beaker, ephemeral keys are real cryptographic keys doing real encryption. What we eliminate is the persistence — the state in which keys sit around in recognizable, targetable, stealable form. We eliminate key management, not keys.

An attacker who breaches your perimeter and goes looking for cryptographic keys finds… nothing. A shelf full of orange liquid. No vault to crack. No rotation schedule to exploit. No bootstrap process to reverse-engineer. The medals aren't buried in the garden. They've been dissolved.

Why This Matters More Than It Did Last Year

I'll spare you the full threat landscape briefing — you've read the headlines. But the short version is that AI-powered attacks are compressing every timeline in cybersecurity. Vulnerability discovery that used to take weeks now takes hours. Privilege escalation that required a skilled human adversary can now be automated by an AI agent at machine speed.

The "harvest now, decrypt later" strategy — where adversaries exfiltrate your encrypted data today, betting that quantum computing will let them crack it tomorrow — is the modern equivalent of the Nazis planning to search every building in Copenhagen. They're patient. They're systematic. And if your keys persist, they'll eventually find them.

Ephemeral frame encryption makes that strategy pointless. You can harvest all the encrypted data you want. The keys that protected it no longer exist. There's nothing to crack, nothing to brute-force, nothing to wait for a quantum computer to break. The gold is in solution. The medals are gone.

The Part of the Story Everyone Forgets

Here's my favorite detail from the de Hevesy story, and the part that makes it a perfect metaphor rather than just a good one.

After the war, he reversed the chemistry. He precipitated the gold out of solution, sent it to Stockholm, and the Nobel Foundation recast the medals. Von Laue and Franck got their prizes back in 1952.

The data wasn't destroyed. It was temporarily inaccessible — rendered into a form that couldn't be found, stolen, or misused by an adversary — and then reconstituted by the authorized party when it was safe to do so.

That's not a metaphor for data destruction. It's a metaphor for data protection done right. The information survives. The vulnerability doesn't.

De Hevesy won his own Nobel Prize in 1943, for unrelated work on radioactive tracers. But I'd argue his best experiment was the one he ran on that April afternoon in Copenhagen, with the Nazis at the door and two gold medals in his hands.

He didn't build a vault. He changed the state of the thing itself. And eighty-six years later, that's still the right idea.

HyperSphere's zero-management architecture

HyperSphere's ephemeral frame encryption platform embodies de Hevesy's approach: data is transformed into a non-reconstructable state at rest. Valid credentials and cloud access don't yield usable information. Like the dissolved medals, the data is present in storage but requires proper reconstruction capability — not a stored key — to restore.
