Seal SDK
Decentralized secrets management with threshold encryption on Sui.
This is a beta version of Seal. See https://github.com/MystenLabs/seal for more details.
The Seal SDK provides threshold encryption capabilities for Sui applications, enabling secure data encryption with configurable key servers.
Installation
npm install --save @mysten/seal @mysten/suiSetup
To use the Seal SDK, create a Sui client and extend it with the Seal extension:
import { SuiGrpcClient } from '@mysten/sui/grpc';
import { seal } from '@mysten/seal';
const client = new SuiGrpcClient({
network: 'testnet',
baseUrl: 'https://fullnode.testnet.sui.io:443',
}).$extend(
seal({
serverConfigs: [
{ objectId: '0x...keyserver1', weight: 1 },
{ objectId: '0x...keyserver2', weight: 1 },
],
}),
);Configuration options
The seal() function accepts the following options:
serverConfigs(required) - Array of key server configurations (see Choosing key servers). Each entry contains:objectId(required) - The key server object IDweight(required) - How many times the key server can contribute towards reaching the decryption thresholdaggregatorUrl(required for decentralized servers) - The aggregator endpoint URLapiKeyNameandapiKey(optional) - Required if the server requires API key authentication
verifyKeyServers(optional) - Whether to verify key server authenticity (default:true)timeout(optional) - Timeout in milliseconds for network requests (default:10000)
Choosing key servers
Seal supports two server types, independent and decentralized (committee mode), which you
can use individually or in combination. Each key server counts as one server in your threshold
configuration. Decentralized servers require an aggregatorUrl, because all fetch key calls go
through an aggregator:
const client = new SuiGrpcClient({
network: 'testnet',
baseUrl: 'https://fullnode.testnet.sui.io:443',
}).$extend(
seal({
serverConfigs: [
// Decentralized (committee mode) server
{
objectId: '0xb012378c9f3799fb5b1a7083da74a4069e3c3f1c93de0b27212a5799ce1e1e98',
aggregatorUrl: 'https://seal-aggregator-testnet.mystenlabs.com',
weight: 1,
},
// Independent server
{
objectId: '0x73d05d62c18d9374e3ea529e8e0ed6161da1a141a94d3f76ae3fe4e99356db75',
weight: 1,
},
],
}),
);If a server requires API key authentication, include apiKeyName and apiKey in its configuration
object. The SDK sends these as an HTTP header in the format apiKeyName: apiKey.
For more details on server types, verified key servers, and API key authentication, see Using Seal in the main Seal documentation.
Basic usage
Encrypting data
const data = new Uint8Array([1, 2, 3]);
const { encryptedObject } = await client.seal.encrypt({
threshold: 2, // Number of key servers needed to decrypt
packageId: '0x...your-package-id',
id: '0x...your-object-id',
data,
});Decrypting data
import { SessionKey } from '@mysten/seal';
// Create a session key for decryption
const sessionKey = await SessionKey.create({
address: senderAddress,
packageId: '0x...your-package-id',
ttlMin: 10, // Time-to-live in minutes
signer: keypair,
suiClient: client,
});
// Build transaction bytes that call seal_approve
const txBytes = await buildApprovalTransaction(/* ... */);
// Decrypt the data
const decryptedData = await client.seal.decrypt({
data: encryptedObject,
sessionKey,
txBytes,
});Resources
For detailed documentation on threshold encryption and key server setup, see the Seal repository.