Key Management
Import, export, rewrap, and recover MPC key shares for backup and migration workflows.
Key Management
Import, export, rewrap, and recover MPC key shares. Use these components to back up keys, migrate them across MPC node networks, or perform controlled key recovery.
IMPORT_KEY_SHARE
IMPORT_KEY_SHARE MPC Workflow Component
Import an age-encrypted wrapped key share into the MPC node network.
Config
| Field | Type | Required | Description |
|---|---|---|---|
server | 'OFFICIAL_1' | 'OFFICIAL_2' | 'OFFICIAL_3' | Yes | Target MPC server to store the imported share. Note: you cannot import a key with the same ID into a node that already holds it |
Inputs
| Field | Type | Description |
|---|---|---|
wrappedKeyShare | string | Age-encrypted key share (produced by EXPORT_KEY_SHARE or REWRAPPING_KEY_SHARE) |
Outputs
| Field | Type | Description |
|---|---|---|
keyId | string | Key share ID in the target node |
EXPORT_KEY_SHARE
EXPORT_KEY_SHARE MPC Workflow Component
Export a key share encrypted to a recipient's age public key. Only the holder of the corresponding age private key can decrypt it.
Config
| Field | Type | Default | Description |
|---|---|---|---|
server | 'OFFICIAL_1' | 'OFFICIAL_2' | 'OFFICIAL_3' | — | MPC server holding the key share to export |
deleteAfterExport | boolean | false | Permanently delete the key share from the node after export. Irreversible |
Inputs
| Field | Type | Description |
|---|---|---|
keyId | string | Key share to export |
ageRecipient | string | Recipient's age public key (age1...) |
Outputs
| Field | Type | Description |
|---|---|---|
wrappedKeyShare | string | Age-encrypted key share |
curve | 'SECP256k1' | 'ED25519' | 'P256' | 'P384' | 'P521' | 'ED448' | 'SECP256K1_SCHNORR' | Curve of the exported key share |
REWRAPPING_KEY_SHARE
REWRAPPING_KEY_SHARE MPC Workflow Component
Re-encrypt an existing wrapped key share to a new age identity — without decrypting the underlying key material.
Config
| Field | Type | Required | Description |
|---|---|---|---|
server | 'OFFICIAL_1' | 'OFFICIAL_2' | 'OFFICIAL_3' | Yes | MPC server to import the rewrapped key share into |
Inputs
| Field | Type | Description |
|---|---|---|
ageIdentity | string | Age private key (decrypts the current wrapping) |
wrappedKeyShare | string | Currently wrapped key share |
Outputs
| Field | Type | Description |
|---|---|---|
rewrappedKeyShare | string | Key share wrapped for the new identity |
RECOVER_PRIVATE_KEY
RECOVER_PRIVATE_KEY MPC Workflow Component
Reconstruct the raw private key from a key share. Requires the threshold number of shares to be present.
This component exposes the raw private key in the workflow output. Only use it for controlled key escrow or migration workflows. The output will appear in run stage logs.
Config
| Field | Type | Default | Description |
|---|---|---|---|
servers | Array<'OFFICIAL_1' | 'OFFICIAL_2' | 'OFFICIAL_3'> | — | MPC servers holding the key shares (must meet the threshold) |
deleteAfterRecover | boolean | false | Permanently delete the key shares from the nodes after recovery. Irreversible |
Inputs
| Field | Type | Description |
|---|---|---|
keyId | string | Key share ID to reconstruct |
Outputs
| Field | Type | Description |
|---|---|---|
privateKey | string | Raw private key (hex) |
RECOVER_CHILD_PRIVATE_KEY
RECOVER_CHILD_PRIVATE_KEY MPC Workflow Component
Recover the private key for a specific BIP-32 child path directly from the threshold-many key shares — without ever reconstructing the root private key. Use this when you only need a derived child key (e.g. one hot-wallet address out of an HD tree) and would rather not materialise the root scalar at all.
The child private key still appears in the workflow output. Run this component offline / in a controlled environment, and treat the output as you would any raw key material.
Hardened path components (index >= 0x80000000) cannot be derived without the root private key by definition — the component rejects them at the entry point. Pass non-hardened indices only.
Config
| Field | Type | Default | Description |
|---|---|---|---|
servers | Array<'OFFICIAL_1' | 'OFFICIAL_2' | 'OFFICIAL_3'> | — | MPC servers holding the key shares (must meet the threshold) |
Inputs
| Field | Type | Description |
|---|---|---|
keyId | string | Key share ID to derive a child from |
derivationPath | number[] | Non-hardened BIP-32 path. Empty array recovers the root key (equivalent to RECOVER_PRIVATE_KEY) |
Outputs
| Field | Type | Description |
|---|---|---|
childPrivateKey | string (hex) — secret | The derived child private key |
childPublicKey | string (hex) | The derived child public key (uncompressed) |
childChainCode | string (hex) | The derived child chain code (for further derivation) |
DERIVE_ROOT_PRIVATE_KEY
DERIVE_ROOT_PRIVATE_KEY Workflow Component
Derives a child key from a previously-recovered root private key + chain code along a BIP-32 derivation path. Use it together with RECOVER_PRIVATE_KEY when you need to walk a BIP-32 tree off-line (e.g. emergency recovery on a single airgapped machine).
The privateKey output is marked secret: true and is omitted from run-status payloads. Treat it like any other key material.
Inputs
| Field | Type | Description |
|---|---|---|
curve | 'SECP256K1' | 'ED25519' | Elliptic curve of the root key |
rootPrivateKey | string (hex) | The root private key obtained from RECOVER_PRIVATE_KEY |
rootChainCode | string (hex) | The matching root chain code |
derivationPath | number[] | BIP-32 path components (use GET_*_DERIVATION_PATH to build one) |
Outputs
| Field | Type | Description |
|---|---|---|
privateKey | string (hex) — secret | The child private key |
publicKey | string (hex) | The child public key |
chainCode | string (hex) | The child chain code (for further derivation) |
Key backup workflow
GET_NODE_RECIPIENT_KEY ← server: OFFICIAL_1
│ recipientKey (node's age public key)
▼
GENERATE_AGE_ENCRYPTION
│ publicKey (your age key) │ encryptedPrivateKey
▼ │
EXPORT_KEY_SHARE ← ageRecipient: recipientKey
│ wrappedKeyShare
▼
[Store wrappedKeyShare safely]
│
▼ (later, to restore)
IMPORT_KEY_SHARE ← server: OFFICIAL_2
│ keyId
▼
[Restored]