llms.txt
@mysten/sui v2.0 and a new dApp Kit are here! Check out the migration guide
Mysten Labs SDKs

Seal SDK

Decentralized secrets management with threshold encryption on Sui.

This is a beta version of Seal. See https://github.com/MystenLabs/seal for more details.

The Seal SDK provides threshold encryption capabilities for Sui applications, enabling secure data encryption with configurable key servers.

Installation

npm install --save @mysten/seal @mysten/sui

Setup

To use the Seal SDK, create a Sui client and extend it with the Seal extension:

import { SuiGrpcClient } from '@mysten/sui/grpc';
import { seal } from '@mysten/seal';

const client = new SuiGrpcClient({
	network: 'testnet',
	baseUrl: 'https://fullnode.testnet.sui.io:443',
}).$extend(
	seal({
		serverConfigs: [
			{ objectId: '0x...keyserver1', weight: 1 },
			{ objectId: '0x...keyserver2', weight: 1 },
		],
	}),
);

Configuration options

The seal() function accepts the following options:

  • serverConfigs (required) - Array of key server configurations (see Choosing key servers). Each entry contains:
    • objectId (required) - The key server object ID
    • weight (required) - How many times the key server can contribute towards reaching the decryption threshold
    • aggregatorUrl (required for decentralized servers) - The aggregator endpoint URL
    • apiKeyName and apiKey (optional) - Required if the server requires API key authentication
  • verifyKeyServers (optional) - Whether to verify key server authenticity (default: true)
  • timeout (optional) - Timeout in milliseconds for network requests (default: 10000)

Choosing key servers

Seal supports two server types, independent and decentralized (committee mode), which you can use individually or in combination. Each key server counts as one server in your threshold configuration. Decentralized servers require an aggregatorUrl, because all fetch key calls go through an aggregator:

const client = new SuiGrpcClient({
	network: 'testnet',
	baseUrl: 'https://fullnode.testnet.sui.io:443',
}).$extend(
	seal({
		serverConfigs: [
			// Decentralized (committee mode) server
			{
				objectId: '0xb012378c9f3799fb5b1a7083da74a4069e3c3f1c93de0b27212a5799ce1e1e98',
				aggregatorUrl: 'https://seal-aggregator-testnet.mystenlabs.com',
				weight: 1,
			},
			// Independent server
			{
				objectId: '0x73d05d62c18d9374e3ea529e8e0ed6161da1a141a94d3f76ae3fe4e99356db75',
				weight: 1,
			},
		],
	}),
);

If a server requires API key authentication, include apiKeyName and apiKey in its configuration object. The SDK sends these as an HTTP header in the format apiKeyName: apiKey.

For more details on server types, verified key servers, and API key authentication, see Using Seal in the main Seal documentation.

Basic usage

Encrypting data

const data = new Uint8Array([1, 2, 3]);

const { encryptedObject } = await client.seal.encrypt({
	threshold: 2, // Number of key servers needed to decrypt
	packageId: '0x...your-package-id',
	id: '0x...your-object-id',
	data,
});

Decrypting data

import { SessionKey } from '@mysten/seal';

// Create a session key for decryption
const sessionKey = await SessionKey.create({
	address: senderAddress,
	packageId: '0x...your-package-id',
	ttlMin: 10, // Time-to-live in minutes
	signer: keypair,
	suiClient: client,
});

// Build transaction bytes that call seal_approve
const txBytes = await buildApprovalTransaction(/* ... */);

// Decrypt the data
const decryptedData = await client.seal.decrypt({
	data: encryptedObject,
	sessionKey,
	txBytes,
});

Resources

For detailed documentation on threshold encryption and key server setup, see the Seal repository.

On this page