|
| 1 | +# Root Keypair Generation in Polykey |
| 2 | + |
| 3 | +Polykey’s entire encryption model revolves around Hybrid Elliptic Curve Integrated Encryption Scheme (ECIES), and the Root Keypair is the foundation of everything. It’s the cryptographic identity of a node, making secure communication, encryption, and key derivation possible. |
| 4 | + |
| 5 | +This doc covers: |
| 6 | +* What the Root Keypair is. |
| 7 | +* How it’s generated. |
| 8 | +* How it spits out a DEK (Data Encryption Key). |
| 9 | + |
| 10 | +--- |
| 11 | + |
| 12 | +## What is the Root Keypair? |
| 13 | +The Root Keypair is an Ed25519 elliptic curve keypair that serves as the node’s identity in Polykey. |
| 14 | + |
| 15 | +It’s made up of: |
| 16 | +* Private Key **:** A 256-bit secret, randomly generated and never shared. |
| 17 | +* Public Key **:** Derived from the private key and used for authentication and key exchange. |
| 18 | + |
| 19 | +### Why do we care? |
| 20 | +1. Identity **:** Every Polykey node has a unique Root Public Key |
| 21 | +2. Key Exchange **:** It’s used in the Key Encapsulation Mechanism (KEM) to securely share encryption keys. |
| 22 | +3. Data Encryption **:** It’s how we derive a DEK , which encrypts stored data. |
| 23 | + |
| 24 | +--- |
| 25 | + |
| 26 | +## Generating the Root Keypair |
| 27 | +The process is deterministic, secure, and clean: |
| 28 | + |
| 29 | +1. Get High Entropy Randomness |
| 30 | + * A cryptographically secure random number generator (CSPRNG) provides the randomness needed. |
| 31 | + * This ensures the private key is unpredictable and safe. |
| 32 | + |
| 33 | +2. Generate the Ed25519 Keypair |
| 34 | + * A 256-bit private key is generated. |
| 35 | + * A public key is derived from it using Curve25519 elliptic curve math. |
| 36 | + |
| 37 | +3. Store the Keypair |
| 38 | + * The private key is stored securely in the Polykey vault. |
| 39 | + * The public key is used for authentication and key exchange. |
| 40 | + |
| 41 | +4. Use It to Generate a DEK |
| 42 | + * The Root Keypair is fed into a KDF (Key Derivation Function) to generate a DEK (Data Encryption Key). |
| 43 | + * The DEK is then used to encrypt Polykey’s stored data. |
| 44 | + |
| 45 | +--- |
| 46 | + |
| 47 | +## How is the DEK Made? |
| 48 | +The DEK (Data Encryption Key) is derived from the Root Keypair using a KDF. Here’s the breakdown: |
| 49 | + |
| 50 | +1. Elliptic Curve Diffie-Hellman (ECDH) |
| 51 | + * The Root Private Key and another node’s Public Key are combined to create a shared secret. |
| 52 | + |
| 53 | +2. Run It Through a KDF |
| 54 | + * A Key Derivation Function (probably HKDF-SHA256) turns the shared secret into a 256-bit symmetric DEK. |
| 55 | + |
| 56 | +3. Store or Re-Derive the DEK |
| 57 | + * The DEK is either stored securely or regenerated when needed. |
| 58 | + |
| 59 | +--- |
| 60 | + |
| 61 | +## Wrapping it Up |
| 62 | +The Root Keypair is the cornerstone of Polykey’s encryption model. It enables secure messaging, key exchange, and encryption using Ed25519 elliptic curve cryptography. |
| 63 | + |
| 64 | +The DEK, derived from the Root Keypair, locks down all stored data with strong encryption. This whole setup is more efficient, faster, and more secure than traditional RSA-based encryption. |
| 65 | + |
| 66 | +That’s it. Root Keypair = Identity. DEK = Encrypted data. Simple, secure, and built for performance. |
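Review bot: In "How is the DEK Made?", step 2 names the KDF as "probably HKDF-SHA256"; the doc should state the KDF the code actually uses, along with its salt and info inputs, or leave the algorithm out rather than guess. The same section derives the DEK from an ECDH shared secret with "another node's Public Key", while step 4 of "Generating the Root Keypair" says the Root Keypair itself is fed into the KDF. These are two different constructions, and for a key that encrypts stored data it needs to be clear which one applies and whose public key is involved. In "Generating the Root Keypair", "The process is deterministic" contradicts step 1, which draws fresh randomness from a CSPRNG. Step 2's "Curve25519 elliptic curve math" should be tightened as well: Ed25519 operates on the Edwards form of the curve, and using the same key for ECDH requires a conversion to X25519, so the doc should say whether that conversion happens. The closing claim that the setup is "more efficient, faster, and more secure than traditional RSA-based encryption" is not backed by anything in the doc; either qualify it or drop it. Minor: the `**:**` markers bold only the colon and leave a stray space before it, and "a DEK ," has a space before the comma.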