Overview

State-of-the-art key management focusing on advanced privacy and messaging capabilities.

The Vault service offers state-of-the-art key management with a focus on providing advanced privacy and messaging capabilities (e.g., zero-knowledge proofs, SNARK-friendly hash functions, the double-ratchet algorithm) in a single enterprise-grade API.

This documentation is currently a work in progress!

Supported Curves & Specifications

This section describes the elliptic curves and key specifications currently supported by the API. Each supported curve or key spec is defined with a type of either symmetric or asymmetric and a corresponding usage of encrypt/decrypt or sign/verify. Certain symmetric keys, such as the ChaCha20 stream cipher, support key derivation. Other key specs, such as RSA, are (or may be) provided for convenience and to more closely achieve parity with industry-standard key management solutions such as AWS KMS.

Symmetric

| Key Spec | Description |
| --- | --- |
| AES-256-GCM | default encryption for the master key of each Vault instance |
| ChaCha20 | stream cipher useful with double-ratchet messaging algorithm |
| RSA | not yet supported; 2048, 3072 and 4096-bit RSAES_OAEP_SHA_1 and RSAES_OAEP_SHA_256 encryption algorithms may be added |

Asymmetric

| Key Spec | Description |
| --- | --- |
| babyJubJub | a twisted Edwards elliptic curve designed for zk-SNARK circuits |
| C25519 | elliptic curve designed for Diffie–Hellman (ECDH) key exchange |
| Ed25519 | EdDSA signature scheme using SHA-512 (SHA-2) |
| RSA | not yet supported; 2048, 3072 and 4096-bit support for various signing algorithms may be added |
| secp256k1 | elliptic curve used with ECDSA (ETH/BTC) |