@daniel-weisse
Member

Clients may not want to bring the key material needed to decrypt the recovery secrets, or the recovery secrets themselves, onto machines exposed to the internet.
To enable a recovery workflow where the recovery secrets (or the needed key material) are kept on an airgapped machine, this PR adds a new endpoint to the Coordinator, allowing clients to retrieve an RSA public key generated by the Coordinator for the recovery workflow.
Clients can use this public key to encrypt their shares on the airgapped machine, transfer the encrypted share, and upload it to the Coordinator, where it is decrypted inside the SGX enclave.

Proposed changes

  • Add a new endpoint /api/v2/recover/public-key to retrieve a public key generated for the recovery
  • Add API functions to retrieve the Coordinator's public recovery key and encrypt your recovery secret (share)
  • Add CLI command to retrieve the Coordinator's public recovery key

@daniel-weisse daniel-weisse added the feature This change introduces new functionality label Nov 19, 2025
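
The air-gapped flow from the PR description, as an added example that is not the PR's or MarbleRun's own code: one process plays the Coordinator, the air-gapped machine, and the upload. The PKCS#1 PEM encoding, RSA-OAEP with SHA-256, the 2048-bit key size, and the function names `encryptShare` and `demoRoundTrip` are assumptions; the PR text only says the key is an RSA public key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// encryptShare runs on the air-gapped machine; it needs only the public key.
// Assumed (not stated in the PR): PKCS#1 PEM encoding and RSA-OAEP/SHA-256.
func encryptShare(pubPEM, share []byte) ([]byte, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return nil, fmt.Errorf("no PEM block in public key")
	}
	pub, err := x509.ParsePKCS1PublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parsing public key: %w", err)
	}
	// OAEP caps the plaintext at k - 2*hLen - 2 bytes; fail with a clear message.
	if limit := pub.Size() - 2*sha256.Size - 2; len(share) > limit {
		return nil, fmt.Errorf("share is %d bytes, OAEP limit is %d", len(share), limit)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, share, nil)
}

// demoRoundTrip simulates the three parties: key generation and decryption
// stand in for the Coordinator's enclave, where the private key stays.
func demoRoundTrip(share []byte) ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // Coordinator side
	if err != nil {
		return nil, err
	}
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(&priv.PublicKey)})
	ct, err := encryptShare(pubPEM, share) // air-gapped machine; ct is what gets transferred
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil) // Coordinator, after upload
}

func main() {
	out, err := demoRoundTrip([]byte("constructed-recovery-share")) // constructed sample value
	fmt.Println(string(out), err)
}
```
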
@netlify

netlify bot commented Nov 19, 2025

Deploy Preview for marblerun-docs canceled.

Name Link
🔨 Latest commit 201b09d
🔍 Latest deploy log https://app.netlify.com/projects/marblerun-docs/deploys/691dd8043b1d5e00085cc660
