Key Management
Import, export, rewrap, and recover MPC key shares. Use these components to back up keys, migrate them across MPC node networks, or perform controlled key recovery.
IMPORT_KEY_SHARE
Import an age-encrypted wrapped key share into the MPC node network.
Config
| Field | Type | Required | Description |
|---|---|---|---|
| server | 'OFFICIAL_1' \| 'OFFICIAL_2' \| 'OFFICIAL_3' | Yes | Target MPC server to store the imported share. Note: you cannot import a key with the same ID into a node that already holds it |
Inputs
| Field | Type | Description |
|---|---|---|
| wrappedKeyShare | string | Age-encrypted key share (produced by EXPORT_KEY_SHARE or REWRAPPING_KEY_SHARE) |
Outputs
| Field | Type | Description |
|---|---|---|
| keyId | string | Key share ID in the target node |
EXPORT_KEY_SHARE
Export a key share encrypted to a recipient's age public key. Only the holder of the corresponding age private key can decrypt it.
Config
| Field | Type | Default | Description |
|---|---|---|---|
| server | 'OFFICIAL_1' \| 'OFFICIAL_2' \| 'OFFICIAL_3' | — | MPC server holding the key share to export |
| deleteAfterExport | boolean | false | Permanently delete the key share from the node after export. Irreversible |
Inputs
| Field | Type | Description |
|---|---|---|
| keyId | string | Key share to export |
| ageRecipient | string | Recipient's age public key (age1...) |
Outputs
| Field | Type | Description |
|---|---|---|
| wrappedKeyShare | string | Age-encrypted key share |
| curve | 'SECP256k1' \| 'ED25519' \| 'P256' \| 'P384' \| 'P521' \| 'ED448' \| 'SECP256K1_SCHNORR' | Curve of the exported key share |
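Because `deleteAfterExport` is irreversible, it is worth checking `ageRecipient` before the export is submitted. The following is an added example, not the platform's code: it validates native age X25519 recipients (Bech32, prefix `age`, 32-byte key) and refuses a deleting export unless the recipient matches one recorded out of band. `ExportRequest`, `preflightExport` and `pinnedRecipient` are hypothetical names, and the sample recipient is constructed from the bytes 0..31.

```typescript
// Added example, not the platform's code. Checks a native age X25519 recipient
// (Bech32, prefix "age", 32-byte key) before it is passed as `ageRecipient`.
const CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];
const HRP = [3, 3, 3, 0, 1, 7, 5]; // Bech32 checksum expansion of "age"
function polymod(values: number[]): number {
  let chk = 1;
  for (const v of values) {
    const top = chk >>> 25;
    chk = ((chk & 0x1ffffff) << 5) ^ v;
    GEN.forEach((g, i) => { if ((top >>> i) & 1) chk ^= g; });
  }
  return chk;
}
// Returns null for a well-formed recipient, otherwise the reason it was rejected.
function checkAgeRecipient(s: string): string | null {
  if (s.indexOf("age1") !== 0) return "missing age1 prefix";
  const data = s.slice(4).split("").map((c) => CHARSET.indexOf(c));
  if (data.indexOf(-1) !== -1) return "character outside the Bech32 alphabet";
  if (polymod(HRP.concat(data)) !== 1) return "checksum mismatch";
  if (data.length !== 58 || ((data[51] ?? 0) & 15) !== 0) return "payload is not a 32-byte key";
  return null;
}
// Encodes 32 key bytes as a recipient; used only to build the constructed sample.
function encodeAgeRecipient(key: number[]): string {
  const data: number[] = [];
  let acc = 0, bits = 0;
  for (const b of key) {
    acc = (acc << 8) | b; bits += 8;
    while (bits >= 5) { bits -= 5; data.push((acc >> bits) & 31); }
    acc &= (1 << bits) - 1;
  }
  if (bits > 0) data.push((acc << (5 - bits)) & 31);
  const pm = polymod(HRP.concat(data, [0, 0, 0, 0, 0, 0])) ^ 1;
  for (let i = 0; i < 6; i++) data.push((pm >> (5 * (5 - i))) & 31);
  return "age1" + data.map((d) => CHARSET.charAt(d)).join("");
}
// Hypothetical request shape and gate; a deleting export needs a pinned recipient.
interface ExportRequest { keyId: string; ageRecipient: string; deleteAfterExport?: boolean }
function preflightExport(req: ExportRequest, pinnedRecipient?: string): string[] {
  const bad = checkAgeRecipient(req.ageRecipient);
  const problems = bad ? ["ageRecipient: " + bad] : [];
  if (req.deleteAfterExport && req.ageRecipient !== pinnedRecipient)
    problems.push("deleteAfterExport: recipient does not match the pinned backup key");
  return problems;
}
const SAMPLE_KEY: number[] = []; // constructed key bytes 0..31, not a real key
for (let i = 0; i < 32; i++) SAMPLE_KEY.push(i);
const SAMPLE = encodeAgeRecipient(SAMPLE_KEY);
console.log(SAMPLE, preflightExport({ keyId: "example-key", ageRecipient: SAMPLE, deleteAfterExport: true }));
```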
REWRAPPING_KEY_SHARE
Re-encrypt an existing wrapped key share to a new age identity, without decrypting the underlying key material.
Config
| Field | Type | Required | Description |
|---|---|---|---|
| server | 'OFFICIAL_1' \| 'OFFICIAL_2' \| 'OFFICIAL_3' | Yes | MPC server to import the rewrapped key share into |
Inputs
| Field | Type | Description |
|---|---|---|
| ageIdentity | string | Age private key (decrypts the current wrapping) |
| wrappedKeyShare | string | Currently wrapped key share |
Outputs
| Field | Type | Description |
|---|---|---|
| rewrappedKeyShare | string | Key share wrapped for the new identity |
RECOVER_PRIVATE_KEY
Reconstruct the raw private key from a key share. Requires the threshold number of shares to be present.
Use with caution
This component exposes the raw private key in the workflow output. Only use it for controlled key escrow or migration workflows. The output will appear in run stage logs.
Config
| Field | Type | Default | Description |
|---|---|---|---|
| servers | Array<'OFFICIAL_1' \| 'OFFICIAL_2' \| 'OFFICIAL_3'> | — | MPC servers holding the key shares (must meet the threshold) |
| deleteAfterRecover | boolean | false | Permanently delete the key shares from the nodes after recovery. Irreversible |
Inputs
| Field | Type | Description |
|---|---|---|
| keyId | string | Key share ID to reconstruct |
Outputs
| Field | Type | Description |
|---|---|---|
| privateKey | string | Raw private key (hex) |
Key backup workflow
```
GET_NODE_RECIPIENT_KEY   ← server: OFFICIAL_1
    │ recipientKey (node's age public key)
    ▼
GENERATE_AGE_ENCRYPTION
    │ publicKey (your age key)      │ encryptedPrivateKey
    ▼                               │
EXPORT_KEY_SHARE         ← ageRecipient: recipientKey
    │ wrappedKeyShare
    ▼
[Store wrappedKeyShare safely]
    │
    ▼ (later, to restore)
IMPORT_KEY_SHARE         ← server: OFFICIAL_2
    │ keyId
    ▼
[Restored]
```