
Key Management

import { crypto } from '@brivora/crypto';
// Create a new identity. Top-level await is used, so this snippet has to run
// in an ES module or inside an async function.
const identity = await crypto.createIdentity();
// identity contains:
// - publicKey: { classical: { signing, encryption }, pqc: { signing, encryption } }
// - privateKey: { classical: { signing, encryption }, pqc: { signing, encryption } }
// - fingerprint: 'a1b2c3d4...'
// - algorithm: 'hybrid-pqc-v1'
// - createdAt: ISO timestamp
// NOTE(review): identity.privateKey is secret material held in the same object
// as the public parts. Avoid logging or serialising the whole identity; hand
// out only the public key. How the private key is meant to be stored at rest
// is not shown here - confirm against the library's storage guidance.
// Export (safe to share)
// NOTE(review): `alice` is not defined in this snippet - presumably an identity
// returned by createIdentity(). Confirm whether exportPublicKey() expects the
// identity object or identity.publicKey, and that the export can never include
// privateKey.
const exported = crypto.exportPublicKey(alice);
// Import (received from another party)
// NOTE(review): importing a key says nothing about who owns it. Before relying
// on it, compare its fingerprint with a value obtained over a channel you
// already trust; a key accepted without that check gives confidentiality only
// towards whoever supplied it.
const imported = crypto.importPublicKey(exported);
// Use imported key for encryption
// Only the holder of the matching private key is expected to read the result.
const encrypted = await crypto.encrypt('message', imported);
// Rotate keys: returns the replacement identity plus a migration proof.
const { newIdentity, migration } = await crypto.rotateKeys(oldIdentity);
// migration is a signed proof linking old key -> new key
// Anyone can verify the rotation is legitimate:
// The check is made against the OLD public key, so the verifier must already
// trust that key; the proof carries trust forward, it does not create it.
const { valid } = await crypto.verify(migration, oldIdentity.publicKey);
// valid === true
// NOTE(review): a valid proof shows that a holder of the old private key
// approved the rotation. If the rotation is a response to a suspected
// compromise of that key, the proof alone is not sufficient evidence - the new
// fingerprint should also be confirmed out of band. Treat valid !== true as a
// hard failure, and confirm that verify() binds the proof to newIdentity's
// public key rather than only checking the signature - not shown here.
// 32 random bytes used as the master secret.
// NOTE(review): presumably drawn from a CSPRNG - confirm in the library docs.
const masterKey = crypto.randomBytes(32);
// Derive context-specific keys from a master secret
// The second argument is a context label; separate labels keep the encryption
// key and the authentication key distinct, so one is never reused as the other.
const encKey = crypto.deriveKey(masterKey, 'encryption');
const authKey = crypto.deriveKey(masterKey, 'authentication');
// Same context = same key (deterministic)
// Different context = different key
// NOTE(review): because derivation is deterministic, anyone holding masterKey
// can recompute every derived key; protect it at least as strongly as the most
// sensitive key derived from it. The derivation algorithm is not shown here;
// if the master secret were a password rather than random bytes, confirm that
// a password-hashing KDF is applied first.
// Upgrade an existing Ed25519 key pair to a hybrid PQC identity.
// existingEd25519PublicKey / existingEd25519SecretKey are not defined in this
// snippet; they stand for key material the caller already holds.
// NOTE(review): the existing secret key is passed into the call, so load it
// only for the duration of the upgrade and keep it out of logs and error
// reports.
const upgraded = await crypto.upgradeKey({
publicKey: existingEd25519PublicKey,
secretKey: existingEd25519SecretKey,
});
// upgraded.identity is now hybrid PQC
// upgraded.migration is a signed proof of the upgrade
// NOTE(review): presumably peers check upgraded.migration against the existing
// Ed25519 public key, as with a rotation proof - confirm. Whether the old
// Ed25519 key remains valid after the upgrade is not shown here.