vetkd
vetKeys (Verifiable Encrypted Threshold Keys)
Note: vetKeys is a newer feature of the IC. The
ic-vetkeysRust crate and@dfinity/vetkeysnpm package are published, but the APIs may still change over time. Pin your dependency versions and check the DFINITY forum for any migration guides after upgrades.
What This Is
vetKeys (verifiably encrypted threshold keys) bring on-chain privacy to the IC via the vetKD protocol: secure, on-demand key derivation so that a public blockchain can hold and work with secret data. Keys are verifiable (users can check correctness and lack of tampering), encrypted (derived keys are encrypted under a user-supplied transport key—no node or canister ever sees the raw key), and threshold (a quorum of subnet nodes cooperates to derive keys; no single party has the master key). A canister requests a derived key from the subnet’s threshold infrastructure, receives it encrypted under the client’s transport public key, and only the client decrypts it locally. This unlocks decentralized key management (DKMS), encrypted on-chain storage, private messaging, identity-based encryption (IBE), timelock encryption, threshold BLS, and verifiable randomness—use cases.
Prerequisites
- Rust:
ic-vetkeys = "0.6"(crates.io) - Motoko: Use the raw management canister approach shown below
- Frontend:
@dfinity/vetkeysv0.4.0