Overview of the Narval Vault

The Vault provides secure key generation, storage, and signing for EVM transactions.

The Armory stack can secure a variety of key management and wallet systems, but for many common deployments that do not have a pre-existing key manager, Vault will be sufficient.

Key Generation

  • Generate multiple Root Keys (Seed Phrases)

  • Derive Accounts from Root Keys

Key Import

  • Existing Private Keys or Seed Phrases can be imported to the Vault

Key Storage

  • Keys are encrypted within the enclave and are only briefly decrypted within the enclave during a signing action

  • Encryption keys are bound to the enclave and cannot be exported or used by another system

Vault supports common EVM-related signing operations, as well as raw payload signing.

  • eth_signTransaction

  • eth_signTypedData

  • eth_personalSign

  • signRaw

Raw signing can be used for any other operation or signature, including ERC4337 userOps.


This only applies to the Narval Managed Cloud. If deploying the Armory Stack in a self-hosted environment, you are responsible for securing the system.

Vault is deployed in AWS Nitro Enclaves inside Narval's secure infrastructure. Nitro Enclaves enable Narval to host the system with no ability see what's running inside -- Narval is unable to export keys; keys can only be exported using an [optional] client-provided encryption key.

Vault uses the Armory Auth service for authorization, only signing transactions that have been authorized. Vault operators (Narval) have no ability to initiate transactions on behalf of users -- only the end-user has the keys used to originate requests.

For more information about our full security architecture, contact us.

Vault can be fully or partially self-hosted, and can run in an MPC configuration. Contact us for information on these options.

Last updated