This is achieved by creating physically separate security zones in hardware, with no direct access from one zone to another. The zones are interconnected by a number of well-defined Hardware Functional Gates (HFGs), which are cryptographic functions that modify data as it moves from one zone to another. Communication occurs only when data passes through these gates, where it is modified in such a way that an unauthorized user cannot recover the original data.

For example, data passing from physical zone A to physical zone B must traverse an AES encryption hardware gate, which modifies the data based upon a key held in zone A. Zone B cannot reasonably understand the encrypted data, but it can move it to another zone. If the data passes back to zone A (within the same or another device), it can pass through a separate HFG that implements AES and be transformed into its original form, provided the correct hardware decryption key is used.

The hardware keys used to modify data passing between zones can exist in unmodified form only in their original zone. If no data value can be known outside of a secure zone, then it is impossible for the cryptographic key to leak, because it would have to pass through an AES functional gate using some value already in zone A, which cannot be known. The security of such a system is provable because the destination of all moving data can be traced through well-defined transformative HFGs.
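
The traceability argument above can be checked with a symbolic model of the zones and gates. The following Python is an added example, not code from the original page or the system it describes; the `Zone` class, the gate functions, the key name `kA` and the term encoding are assumptions, and AES is represented by a symbolic `enc` term rather than a real cipher.

```python
# Symbolic model (added example): values are terms, not real ciphertext.
#   ("plain", origin_zone, name)  -- unmodified data or key material
#   ("enc", key_name, inner)      -- output of an AES encryption HFG
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    keys: set = field(default_factory=set)     # hardware keys held in this zone
    store: list = field(default_factory=list)  # terms currently visible here

def enc_gate(src, term, key):
    """Outbound HFG: wraps a term under a key that the source zone holds."""
    if key not in src.keys:
        raise PermissionError(f"{src.name} does not hold {key}")
    return ("enc", key, term)

def dec_gate(dst, term):
    """Inbound HFG: unwraps one layer only if the destination holds the key."""
    if term[0] == "enc" and term[1] in dst.keys:
        return term[2]
    return term  # wrong or missing key: the term stays opaque

def move(src, dst, term, key):
    """Every inter-zone transfer traverses both gates; there is no direct path."""
    out = dec_gate(dst, enc_gate(src, term, key))
    dst.store.append(out)
    return out

def forward(src, dst, term):
    """Relay an already-opaque term unchanged, as zone B may do."""
    if term[0] != "enc":
        raise PermissionError("plain terms may only leave through an encryption gate")
    out = dec_gate(dst, term)
    dst.store.append(out)
    return out

def leaks(zones):
    """Plain terms visible in a zone other than their origin zone."""
    return [(z.name, t) for z in zones for t in z.store
            if t[0] == "plain" and t[1] != z.name]

def run_demo():
    a1, b, a2 = Zone("A", {"kA"}), Zone("B"), Zone("A", {"kA"})  # a2: zone A in another device
    secret, key_term = ("plain", "A", "record"), ("plain", "A", "kA-material")
    in_b = move(a1, b, secret, "kA")        # A -> B: B sees only enc(kA, record)
    key_in_b = move(a1, b, key_term, "kA")  # exporting the key still wraps it
    back = forward(b, a2, in_b)             # B -> A: decryption gate restores it
    return in_b, key_in_b, back, leaks([a1, b, a2])
```

`leaks` returns an empty list for any sequence of `move` and `forward` calls; it reports a finding only when a plain term is placed in a foreign zone's store by some path that bypasses the gates, which is the condition the physical separation is meant to rule out.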