MPC & Key Management

Utilities

Age encryption key generation and MPC node recipient key lookup for secure key wrapping workflows.

Utilities

Helper components for age encryption key management — used alongside EXPORT_KEY_SHARE and IMPORT_KEY_SHARE to create secure backup and migration workflows.


GENERATE_AGE_ENCRYPTION

GENERATE_AGE_ENCRYPTION MPC Workflow Component

Generate a fresh age identity. Returns a public key for wrapping and an encrypted private key for secure storage.

Config

None.

Inputs

None.

Outputs

FieldTypeDescription
publicKeystringAge public key (age1...) — safe to store publicly; use as ageRecipient in EXPORT_KEY_SHARE
encryptedPrivateKeystringEncrypted age private key — store securely; required to decrypt wrapped key shares

SDK example

import { WorkspaceClient, ComponentModule } from '@zafeguard/caller-sdk';
const workspace = new WorkspaceClient({ apiKey: process.env.ZAFEGUARD_API_KEY! });

const { publicKey, encryptedPrivateKey } = await workspace
  .call(ComponentModule.GENERATE_AGE_ENCRYPTION, {})
  .promise();

// publicKey → pass as ageRecipient to EXPORT_KEY_SHARE
// encryptedPrivateKey → store securely (vault, HSM, etc.)
console.log(publicKey);           // age1...
console.log(encryptedPrivateKey); // encrypted age identity

GET_NODE_RECIPIENT_KEY

GET_NODE_RECIPIENT_KEY MPC Workflow Component

Fetch the MPC node's age public key. Use this as the recipient when exporting key shares to the node network — the node can then decrypt and import the wrapped share.

Config

FieldTypeRequiredDescription
server'OFFICIAL_1' | 'OFFICIAL_2' | 'OFFICIAL_3'YesMPC server whose age public key to fetch

Inputs

None.

Outputs

FieldTypeDescription
recipientKeystringNode's age public key (age1...)

SDK example

import { WorkspaceClient, ComponentModule } from '@zafeguard/caller-sdk';
const workspace = new WorkspaceClient({ apiKey: process.env.ZAFEGUARD_API_KEY! });

const { recipientKey } = await workspace
  .call(ComponentModule.GET_NODE_RECIPIENT_KEY, {})
  .promise();

// Use recipientKey as ageRecipient in EXPORT_KEY_SHARE
console.log(recipientKey); // age1...

Typical usage pattern

These utilities are always used together with the key management components:

GET_NODE_RECIPIENT_KEY ← server config
        │ recipientKey

EXPORT_KEY_SHARE ← keyId + ageRecipient: recipientKey
        │ wrappedKeyShare

IMPORT_KEY_SHARE ← wrappedKeyShare + server config
        │ keyId

    [Key migrated to new node]
GENERATE_AGE_ENCRYPTION
        │ publicKey            │ encryptedPrivateKey
        ▼                      ▼
EXPORT_KEY_SHARE          [Store securely]
  ← ageRecipient: publicKey
        │ wrappedKeyShare

    [Off-chain backup]

On this page