Crusty 👨💻 on Nostr: The more I think about nsec/privatekey security, the more I bend towards: - ...
The more I think about nsec/privatekey security, the more I bend towards:
- key rotation and
- delegation
So an ideal scenario is:
- You would have an offline key storage. Can be an old phone with a secure enclave/trusted execution environment/secure element, that you wipe, and put in offline mode forever.
- This would store your "master" key.
- Then you create a delegated key for your current phone. (also in a secure enclave)
- Authorize this key with your other key.
- Then you use your phone for signing as usual.
The rotation can come in by enabling delegated keys for a certain time only, then creating a new one.
Rip this idea off please.
#asknostr #nostr
Published at 2025-06-29 19:49:20 UTC
Event JSON
{
"id": "652ba7aa585b098def7f2ce6f37e359e067ffaf09f0661f7e403660db8b048b4",
"pubkey": "1928ee3558f54e3164d81d26c35e123c254bae128354d7617d7fd862d70d9a2b",
"created_at": 1751226560,
"kind": 1,
"tags": [
[
"t",
"asknostr"
],
[
"t",
"nostr"
]
],
"content": "The more I think about nsec/privatekey security, the more I bend towards:\n- keyrotation and\n- delegation\n\nSo an ideal scenario is:\n- You would have an offline keystorage. Can be an old phone with a secure enclave/trusted execution environment/secure element, that you wipe, and put in offline mode forever.\n- This would store your \"master\" key.\n- Then you create a delegated key for your current phone. (also in secure enclave)\n- Authorize this key with your other key.\n- Then you use your phone for signing is usual.\n\nThe rotation can come in, by enabling delegated keys for a certain time only, then you create a new one.\n\nRip this idea off please.\n\n#asknostr #nostr",
"sig": "8f609502ab4984115a3f586d507c9297233a4f0d41dc2f3411efa601f86178835c6b1a8ade3701e77af20906d0c6a5b75f81ef3b21347fecd168236f7a9404a9"
}
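The master/delegate scheme in the post maps onto the format nostr already defines for it, NIP-26 delegated event signing: the offline master key signs a delegation token over the delegate pubkey and a conditions string such as `kind=1&created_at>…&created_at<…`, the phone's delegate key signs ordinary events that carry a `delegation` tag, and a verifier checks both signatures plus the conditions. The following is an added worked example (not code from the post, its author, or any nostr project) that implements the token, the delegated event and the verifier, including the time window that makes rotation automatic: once `created_at` passes the upper bound, events from the old delegate key stop verifying and only a fresh key with a fresh token is accepted. It embeds minimal pure-Python BIP-340/secp256k1 arithmetic so the file runs stand-alone; that arithmetic is reference-style and not constant-time, so it is for illustration only. Key values, timestamps and the conditions string used with it are constructed for the example. Client and relay support for NIP-26 is limited, so check what your stack honours before relying on it.

```python
import hashlib, json, secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):  # affine point addition; None is the point at infinity (illustration, not constant-time)
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and y1 != y2:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, P - 2, P) if a == b
           else (y2 - y1) * pow(x2 - x1, P - 2, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _tagged(tag, *parts):  # BIP-340 tagged hash: sha256(sha256(tag) || sha256(tag) || data)
    return hashlib.sha256(2 * hashlib.sha256(tag.encode()).digest() + b"".join(parts)).digest()

def _lift_x(x):  # x-only key -> point with even y, or None if not on the curve
    y2 = (pow(x, 3, P) + 7) % P
    y = pow(y2, (P + 1) // 4, P)
    return None if x >= P or y * y % P != y2 else (x, y if y % 2 == 0 else P - y)

def pubkey(sk):  # 32-byte x-only public key; its hex is the nostr "pubkey"
    return _mul(sk, G)[0].to_bytes(32, "big")

def schnorr_sign(sk, msg32):  # BIP-340 signing with fresh auxiliary randomness
    pt = _mul(sk, G)
    d, px = (sk if pt[1] % 2 == 0 else N - sk), pt[0].to_bytes(32, "big")
    aux = secrets.token_bytes(32)
    t = (d ^ int.from_bytes(_tagged("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k0 = int.from_bytes(_tagged("BIP0340/nonce", t, px, msg32), "big") % N
    r = _mul(k0, G)
    k = k0 if r[1] % 2 == 0 else N - k0
    rx = r[0].to_bytes(32, "big")
    e = int.from_bytes(_tagged("BIP0340/challenge", rx, px, msg32), "big") % N
    return rx + ((k + e * d) % N).to_bytes(32, "big")

def schnorr_verify(pk32, msg32, sig):  # BIP-340 verification: s*G - e*P must equal R
    pt = _lift_x(int.from_bytes(pk32, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pt is None or len(sig) != 64 or r >= P or s >= N:
        return False
    e = int.from_bytes(_tagged("BIP0340/challenge", sig[:32], pk32, msg32), "big") % N
    rp = _add(_mul(s, G), _mul(N - e, pt))
    return rp is not None and rp[1] % 2 == 0 and rp[0] == r

def delegation_token(master_sk, delegate_pk32, conditions):
    """Done once on the offline device; only this 64-byte token travels to the phone (NIP-26)."""
    msg = f"nostr:delegation:{delegate_pk32.hex()}:{conditions}".encode()
    return schnorr_sign(master_sk, hashlib.sha256(msg).digest())

def event_id(pk_hex, created_at, kind, tags, content):  # NIP-01 event id serialisation
    ser = json.dumps([0, pk_hex, created_at, kind, tags, content],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).digest()

def sign_delegated_event(delegate_sk, master_pk32, conditions, token, kind, content, created_at):
    """Phone side: the delegate key signs; the tag names the master and carries its token."""
    pk_hex = pubkey(delegate_sk).hex()
    tags = [["delegation", master_pk32.hex(), conditions, token.hex()]]
    eid = event_id(pk_hex, created_at, kind, tags, content)
    return {"id": eid.hex(), "pubkey": pk_hex, "created_at": created_at, "kind": kind,
            "tags": tags, "content": content, "sig": schnorr_sign(delegate_sk, eid).hex()}

def _conditions_ok(conditions, ev):  # every NIP-26 condition must hold; an unknown one rejects
    ops = {"kind=": lambda v: ev["kind"] == v, "created_at>": lambda v: ev["created_at"] > v,
           "created_at<": lambda v: ev["created_at"] < v}
    for cond in conditions.split("&"):
        op = next((k for k in ops if cond.startswith(k)), None)
        if op is None or not ops[op](int(cond[len(op):])):
            return False
    return True

def verify_delegated_event(ev):
    """Relay/client side: returns the master pubkey hex the event is attributed to, or None."""
    pk32, sig = bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["sig"])
    eid = event_id(ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"])
    if eid.hex() != ev["id"] or not schnorr_verify(pk32, eid, sig):
        return None
    tag = next((t for t in ev["tags"] if t[:1] == ["delegation"] and len(t) == 4), None)
    if tag is None:
        return None
    master_hex, conditions, token_hex = tag[1:]
    msg = hashlib.sha256(f"nostr:delegation:{ev['pubkey']}:{conditions}".encode()).digest()
    token_ok = schnorr_verify(bytes.fromhex(master_hex), msg, bytes.fromhex(token_hex))
    return master_hex if token_ok and _conditions_ok(conditions, ev) else None
```

The split of duties is the point of the post: `delegation_token` is the only call that needs the master secret, and it runs once on the offline device, after which only the token (a signature, not a key) moves to the phone. `verify_delegated_event` rejects the token if it is presented by a key other than the one it was issued to, rejects events outside the kind and time conditions, and rejects unknown conditions rather than ignoring them, so a delegate whose window has closed is simply no longer accepted; rotation is issuing a new token for a new delegate key.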