Key Import and Export

Builder Vault supports import and export of keys by calling the ImportKey and ExportKey methods on the SDK. This allows you to (1) import an external key into Builder Vault; (2) export a key from Builder Vault; and (3) migrate a key between two Builder Vault instances.

Key import/export versus key share import/export

Builder Vault has two kinds of import/export that should not be confused, though they have somewhat overlapping use cases:

(1) Key import/export (described here). These are MPC operations that require all MPC nodes to interact with each other. The main use case is moving an entire key into Builder Vault, out of Builder Vault, or between two Builder Vault instances.

(2) Key share import/export (described next). This is a local operation on a single MPC node that does not require communication with the other MPC nodes. The main application is to generate a backup of the key share held by a single MPC node, e.g. a node running on a mobile device.

For key import/export, Builder Vault applies several mechanisms to protect the key while in transit:

  1. The key is exported from / imported to the Builder Vault via an MPC session. The MPC session only runs if all MPC nodes holding key shares agree to perform the export. Each SDK user therefore has the opportunity to enforce whatever policy it finds necessary, before it allows the key export / import.
  2. The key is exported / imported as a secret sharing, one key share exported from / imported to each MPC node. This lets you transfer the key to its destination using multiple channels.
  3. The key sharing is automatically re-randomized before export and after import. This means that security will not be affected, even if up to t of the shares in transit are compromised, where t is the security threshold of the key.
  4. Each key share is not exported in the clear, but is encrypted (wrapped) using a provided public key before being exported. You can restrict the set of allowed wrapping keys in your application, simply by making sure that the SDK only requests the export MPC session with an allowed wrapping key (because the MPC session export will only run if all SDKs agree on the wrapping key). Alternatively, the MPC nodes can be configured to only accept a certain set of wrapping keys.
  5. The export MPC session outputs the public key along with the private key shares. The public key can also be provided to the key import session, and will be used to verify the authenticity of the private key.
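
The following sketch illustrates mechanisms 2 and 3: a key is secret shared, re-randomized by adding a fresh sharing of zero, and a single share captured in transit turns out to be useless together with shares from before the export or after the import. It is an added example, not Builder Vault code and not the SDK's helper functions; Shamir sharing over the secp256k1 group order, the function names, and the parameters t = 1, n = 3 are assumptions made for illustration.

```python
import secrets

# Assumption: shares live in Z_q, where q is the order of the secp256k1 group.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def share(secret, t, n):
    """Shamir-share secret among nodes 1..n; t shares reveal nothing, t+1 reconstruct."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t)]
    return {x: sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q
            for x in range(1, n + 1)}


def rerandomize(shares, t):
    """Add a fresh sharing of zero: the key is unchanged, every share value is new."""
    zero = share(0, t, len(shares))
    return {x: (y + zero[x]) % Q for x, y in shares.items()}


def reconstruct(shares):
    """Lagrange-interpolate f(0) from a dict {node index: share}."""
    key = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * -xj % Q
                den = den * (xi - xj) % Q
        key = (key + yi * num * pow(den, -1, Q)) % Q
    return key


def demo(t=1, n=3):
    key = secrets.randbelow(Q)           # constructed stand-in for the key being moved
    before = share(key, t, n)            # sharing held by the source nodes
    in_transit = rerandomize(before, t)  # shares that leave the nodes (before wrapping)
    after = rerandomize(in_transit, t)   # sharing held by the destination nodes
    leaked = {1: in_transit[1]}          # t = 1 share captured in transit
    return {
        "import_ok": reconstruct({x: after[x] for x in (2, 3)}) == key,
        "leak_plus_old": reconstruct({**leaked, 2: before[2]}) == key,
        "leak_plus_new": reconstruct({**leaked, 2: after[2]}) == key,
    }


if __name__ == "__main__":
    print(demo())
```

The destination nodes still reconstruct the same key, while the captured share combined with a share from either side of the transfer yields an unrelated value.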

Key Import/Export Use Cases

  • Redundancy and fail-over: When running in a high availability system, it may be important to have a fail-over site that can be switched to in case of failure in the primary site. Import and export allow you to easily move keys from one Builder Vault TSM instance to another. Builder Vault lets you keep the same key ID in the destination TSM so that users do not notice that the load has been shifted to an alternate TSM.
  • Key migration: The import / export may be used to import keys from, or export to, an external key store, such as an external (non-MPC) wallet. The external key is usually not secret shared, so you will have to handle the secret sharing and the wrapping of the key shares yourself. The SDK provides helper functions for this, as shown in the code examples below.