MPC & Key Management

Key Management

Import, export, rewrap, and recover MPC key shares for backup and migration workflows.

Key Management

Import, export, rewrap, and recover MPC key shares. Use these components to back up keys, migrate them across MPC node networks, or perform controlled key recovery.


IMPORT_KEY_SHARE

IMPORT_KEY_SHARE MPC Workflow Component

Import an age-encrypted wrapped key share into the MPC node network.

Config

FieldTypeRequiredDescription
server'OFFICIAL_1' | 'OFFICIAL_2' | 'OFFICIAL_3'YesTarget MPC server to store the imported share. Note: you cannot import a key with the same ID into a node that already holds it

Inputs

FieldTypeDescription
wrappedKeySharestringAge-encrypted key share (produced by EXPORT_KEY_SHARE or REWRAPPING_KEY_SHARE)

Outputs

FieldTypeDescription
keyIdstringKey share ID in the target node

EXPORT_KEY_SHARE

EXPORT_KEY_SHARE MPC Workflow Component

Export a key share encrypted to a recipient's age public key. Only the holder of the corresponding age private key can decrypt it.

Config

FieldTypeDefaultDescription
server'OFFICIAL_1' | 'OFFICIAL_2' | 'OFFICIAL_3'MPC server holding the key share to export
deleteAfterExportbooleanfalsePermanently delete the key share from the node after export. Irreversible

Inputs

FieldTypeDescription
keyIdstringKey share to export
ageRecipientstringRecipient's age public key (age1...)

Outputs

FieldTypeDescription
wrappedKeySharestringAge-encrypted key share
curve'SECP256k1' | 'ED25519' | 'P256' | 'P384' | 'P521' | 'ED448' | 'SECP256K1_SCHNORR'Curve of the exported key share

REWRAPPING_KEY_SHARE

REWRAPPING_KEY_SHARE MPC Workflow Component

Re-encrypt an existing wrapped key share to a new age identity — without decrypting the underlying key material.

Config

FieldTypeRequiredDescription
server'OFFICIAL_1' | 'OFFICIAL_2' | 'OFFICIAL_3'YesMPC server to import the rewrapped key share into

Inputs

FieldTypeDescription
ageIdentitystringAge private key (decrypts the current wrapping)
wrappedKeySharestringCurrently wrapped key share

Outputs

FieldTypeDescription
rewrappedKeySharestringKey share wrapped for the new identity

RECOVER_PRIVATE_KEY

RECOVER_PRIVATE_KEY MPC Workflow Component

Reconstruct the raw private key from a key share. Requires the threshold number of shares to be present.

This component exposes the raw private key in the workflow output. Only use it for controlled key escrow or migration workflows. The output will appear in run stage logs.

Config

FieldTypeDefaultDescription
serversArray<'OFFICIAL_1' | 'OFFICIAL_2' | 'OFFICIAL_3'>MPC servers holding the key shares (must meet the threshold)
deleteAfterRecoverbooleanfalsePermanently delete the key shares from the nodes after recovery. Irreversible

Inputs

FieldTypeDescription
keyIdstringKey share ID to reconstruct

Outputs

FieldTypeDescription
privateKeystringRaw private key (hex)

RECOVER_CHILD_PRIVATE_KEY

RECOVER_CHILD_PRIVATE_KEY MPC Workflow Component

Recover the private key for a specific BIP-32 child path directly from the threshold-many key shares — without ever reconstructing the root private key. Use this when you only need a derived child key (e.g. one hot-wallet address out of an HD tree) and would rather not materialise the root scalar at all.

The child private key still appears in the workflow output. Run this component offline / in a controlled environment, and treat the output as you would any raw key material.

Hardened path components (index >= 0x80000000) cannot be derived without the root private key by definition — the component rejects them at the entry point. Pass non-hardened indices only.

Config

FieldTypeDefaultDescription
serversArray<'OFFICIAL_1' | 'OFFICIAL_2' | 'OFFICIAL_3'>MPC servers holding the key shares (must meet the threshold)

Inputs

FieldTypeDescription
keyIdstringKey share ID to derive a child from
derivationPathnumber[]Non-hardened BIP-32 path. Empty array recovers the root key (equivalent to RECOVER_PRIVATE_KEY)

Outputs

FieldTypeDescription
childPrivateKeystring (hex) — secretThe derived child private key
childPublicKeystring (hex)The derived child public key (uncompressed)
childChainCodestring (hex)The derived child chain code (for further derivation)

DERIVE_ROOT_PRIVATE_KEY

DERIVE_ROOT_PRIVATE_KEY Workflow Component

Derives a child key from a previously-recovered root private key + chain code along a BIP-32 derivation path. Use it together with RECOVER_PRIVATE_KEY when you need to walk a BIP-32 tree off-line (e.g. emergency recovery on a single airgapped machine).

The privateKey output is marked secret: true and is omitted from run-status payloads. Treat it like any other key material.

Inputs

FieldTypeDescription
curve'SECP256K1' | 'ED25519'Elliptic curve of the root key
rootPrivateKeystring (hex)The root private key obtained from RECOVER_PRIVATE_KEY
rootChainCodestring (hex)The matching root chain code
derivationPathnumber[]BIP-32 path components (use GET_*_DERIVATION_PATH to build one)

Outputs

FieldTypeDescription
privateKeystring (hex) — secretThe child private key
publicKeystring (hex)The child public key
chainCodestring (hex)The child chain code (for further derivation)

Key backup workflow

GET_NODE_RECIPIENT_KEY ← server: OFFICIAL_1
        │ recipientKey (node's age public key)

GENERATE_AGE_ENCRYPTION
        │ publicKey (your age key)   │ encryptedPrivateKey
        ▼                            │
EXPORT_KEY_SHARE ← ageRecipient: recipientKey
        │ wrappedKeyShare

[Store wrappedKeyShare safely]

        ▼ (later, to restore)
IMPORT_KEY_SHARE ← server: OFFICIAL_2
        │ keyId

    [Restored]

On this page