Vault
Overview of the Narval Vault
The Vault provides secure key generation, storage, and signing for EVM transactions.
The Armory stack can secure a variety of key management and wallet systems, but for many common deployments that do not have a pre-existing key manager, Vault will be sufficient.
Key Generation
Generate multiple Root Keys (Seed Phrases)
Derive Accounts from Root Keys
Key Import
Existing Private Keys or Seed Phrases can be imported to the Vault
Key Storage
Keys are encrypted within the enclave and are only briefly decrypted within the enclave during a signing action
Encryption keys are bound to the enclave and cannot be exported or used by another system
Vault supports common EVM-related signing operations, as well as raw payload signing.
eth_signTransaction
eth_signTypedData
eth_personalSign
signRaw
Raw signing can be used for any other operation or signature, including ERC4337 userOps.
Security
This only applies to the Narval Managed Cloud. If deploying the Armory Stack in a self-hosted environment, you are responsible for securing the system.
Vault is deployed in AWS Nitro Enclaves inside Narval's secure infrastructure. Nitro Enclaves enable Narval to host the system with no ability to see what's running inside -- Narval is unable to export keys; keys can only be exported using an [optional] client-provided encryption key.
Vault uses the Armory Auth service for authorization, only signing transactions that have been authorized. Vault operators (Narval) have no ability to initiate transactions on behalf of users -- only the end-user has the keys used to originate requests.
For more information about our full security architecture, contact us.
Vault can be fully or partially self-hosted, and can run in an MPC configuration. Contact us for information on these options.