The root key is never stored on the web. That can stay locked away with you and only ever used when you want to rotate keys
Buut the root key have to be able to sign events righ? Or how this root key can sign without being online?
That’s the beauty frost. The key shares are able to signed valid messages for the root key if they meet the threshold needed (which is set during the key generation step) So a client + bunker key pair means valid root key signed messages