§Encrypted Secret Key Implementation
This module provides a unified interface for encrypting and decrypting cryptographic secret keys used throughout the OpenMina node. It implements password-based encryption compatible with the Mina Protocol’s key format.
§Usage
This module is used by:
- Block producer keys (AccountSecretKey) for signing blocks and transactions
- P2P networking keys (SecretKey) for node identity and peer authentication
§Encryption Algorithms
The implementation uses industry-standard cryptographic algorithms:
§Key Derivation
- Argon2i: Password-based key derivation function (PBKDF) with configurable memory cost and time cost parameters
- Default parameters: 128MB memory cost, 6 iterations
- Salt: 32-byte random salt generated using OS entropy
§Symmetric Encryption
- XSalsa20Poly1305: Authenticated encryption with associated data (AEAD)
- Key size: 256-bit derived from password via Argon2i
- Nonce: 192-bit random nonce generated per encryption
- Authentication: Poly1305 MAC for ciphertext integrity
§Encoding
- Base58: All encrypted data (nonce, salt, ciphertext) encoded in Base58 with version bytes for format compatibility with Mina Protocol
- Version byte: 2 for encryption data format compatibility
§File Format
Encrypted keys are stored in JSON format with the following structure:
{
  "box_primitive": "xsalsa20poly1305",
  "pw_primitive": "argon2i",
  "nonce": "base58-encoded-nonce",
  "pwsalt": "base58-encoded-salt",
  "pwdiff": [memory_cost_bytes, time_cost_iterations],
  "ciphertext": "base58-encoded-encrypted-key"
}
This format ensures compatibility with existing Mina Protocol tooling and wallet implementations.
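A pre-decryption check of the file format described above, as an added example that is not OpenMina's or Mina's own code. It assumes the Base58 fields use the Base58Check layout (version byte, payload, 4-byte double-SHA256 checksum) and reads "128MB" as 128 MiB; the names validate_key_file and sample_file and the policy of rejecting KDF costs below the defaults are this example's own.

```python
import hashlib, json
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PRIMITIVES = {"box_primitive": "xsalsa20poly1305", "pw_primitive": "argon2i"}
VERSION = 2                          # version byte given on the page
MIN_PWDIFF = (128 * 1024 * 1024, 6)  # page defaults, reading "128MB" as 128 MiB (assumption)

def _checksum(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(payload, version=VERSION):
    # Assumed layout: version byte | payload | 4-byte double-SHA256 checksum
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_decode(text, version=VERSION):
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-Base58 character
    zeros = len(text) - len(text.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:] or raw[0] != version:
        raise ValueError("bad length, checksum or version byte")
    return raw[1:-4]

def validate_key_file(text):
    """Return the names of the fields that do not match the documented format."""
    doc = json.loads(text)
    bad = [f for f, want in PRIMITIVES.items() if doc.get(f) != want]
    diff = doc.get("pwdiff")
    if not (isinstance(diff, list) and len(diff) == 2 and all(
            isinstance(v, int) and v >= m for v, m in zip(diff, MIN_PWDIFF))):
        bad.append("pwdiff")  # this example's policy: no KDF cost below the defaults
    for field, want in (("nonce", 24), ("pwsalt", 32), ("ciphertext", None)):
        try:
            size = len(b58check_decode(doc.get(field, "")))
        except (ValueError, TypeError, AttributeError):
            size = -1
        if size < 16 or (want and size != want):  # 16 = Poly1305 tag length
            bad.append(field)
    return bad

def sample_file(pwdiff=MIN_PWDIFF):  # constructed sample, fixed bytes instead of a real key
    enc = b58check_encode
    return json.dumps({**PRIMITIVES, "pwdiff": list(pwdiff), "nonce": enc(bytes(24)),
                       "pwsalt": enc(bytes(32)), "ciphertext": enc(b"\xaa" * 48)})
```

Running a check like this before Argon2i means a malformed file, or one whose pwdiff was lowered, is rejected before any key derivation or decryption is attempted.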
§Reference Implementation
The encryption format is based on the OCaml implementation in the Mina repository: src/lib/secret_box
Structs§
- Base58String 🔒
- EncryptedSecretKeyFile: Represents the JSON structure of an encrypted secret key file.