Encryption

All data within private vaults is end-to-end encrypted. You can learn more about encryption in Tusky here.

The SDK provides two options for managing user keys:

Self hosted keys

Manage and store your encryption keys entirely on your own. This approach provides the highest level of control.

However, it also requires you to securely store and back up your keys, as losing them will result in permanent loss of access to your encrypted data.

Generate a fresh set of encryption keys

import { X25519KeyPair } from "@tusky-io/ts-sdk";

const keypair = new X25519KeyPair();

Configure Tusky encrypter with the generated keypair

await tusky.addEncrypter({ keypair: keypair });

Export private key from the keypair & store it securely

const privateKeyHex = await keypair.privateKeyHex();

The next time you log in, configure Tusky encrypter from the private key

await tusky.addEncrypter({ keypair: X25519KeyPair.fromPrivateKeyHex(privateKeyHex) });
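One way to handle the "store it securely" step for a self-hosted key, as an added example that is not part of the Tusky SDK or its documentation: wrap the exported `privateKeyHex` under a passphrase before it is written to disk or a secrets store. The function names, the scrypt parameters, the context label and the AES-256-GCM blob layout are assumptions of this example and do not describe how Tusky's own password-protected keys are encrypted.

```javascript
// Added example (not Tusky SDK code): passphrase-wrap an exported private key.
const crypto = require("node:crypto");

// Assumed parameters, chosen for this example: about 32 MiB of memory per derivation.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const AAD = Buffer.from("tusky-selfhosted-key:v1"); // hypothetical context label

function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize("NFKC"), salt, 32, SCRYPT);
}

// Returns a JSON-serializable blob; the plaintext key never appears in it.
function wrapPrivateKeyHex(privateKeyHex, passphrase) {
  const salt = crypto.randomBytes(16); // fresh per wrap
  const iv = crypto.randomBytes(12);   // 96-bit GCM nonce, never reused with a key
  const key = deriveKey(passphrase, salt);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(AAD);
  const ct = Buffer.concat([cipher.update(privateKeyHex, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  key.fill(0); // best-effort wipe of the derived key
  const b64 = (buf) => buf.toString("base64");
  return { v: 1, salt: b64(salt), iv: b64(iv), ct: b64(ct), tag: b64(tag) };
}

// Throws if the passphrase is wrong or any field of the blob was modified.
function unwrapPrivateKeyHex(blob, passphrase) {
  if (blob.v !== 1) throw new Error("unsupported key blob version");
  const [salt, iv, ct, tag] = ["salt", "iv", "ct", "tag"].map((f) => Buffer.from(blob[f], "base64"));
  const key = deriveKey(passphrase, salt);
  try {
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: 16 });
    decipher.setAAD(AAD);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } finally {
    key.fill(0);
  }
}

// With the SDK calls shown on this page:
//   const blob = wrapPrivateKeyHex(await keypair.privateKeyHex(), passphrase);
//   ...persist JSON.stringify(blob); on the next login:
//   const hex = unwrapPrivateKeyHex(JSON.parse(stored), passphrase);
//   await tusky.addEncrypter({ keypair: X25519KeyPair.fromPrivateKeyHex(hex) });
```

The blob protects the key at rest only; losing the passphrase is equivalent to losing the key, so the backup requirement described above still applies.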

Password protected keys

Your encryption keys are still generated on your device, ensuring they are never visible to our servers in an unencrypted form.

However, for convenience, you can encrypt your keys with a password of your choice and store them securely on our servers. Only you can decrypt the keys using your password.

Setup password

This method generates a fresh set of encryption keys, encrypts them on the client with a key derived from the user's password, and saves the encrypted set of keys on Tusky for easier retrieval.

If there is already a configured password for your Tusky account, the method me.setupPassword() will fail.

const { keypair } = await tusky.me.setupPassword("your-strong-password");

Configure Tusky encrypter with the newly generated keypair

await tusky.addEncrypter({ keypair });

The next time you log in, you can simply do

await tusky.addEncrypter({ password: "your-strong-password" });

Password backup

In addition to your password, you can back up your keys using a 24-word backup phrase. If you lose your password, the backup phrase allows you to regain access to your encrypted data.

This method generates a fresh backup phrase, retrieves your keys locally using the password, re-encrypts the keys with a recovery key derived from the backup phrase, and saves the new encrypted set of keys on Tusky as a backup.

const { backupPhrase } = await tusky.me.backupPassword(password);

Later on, in case of password loss, you can reset the password using the backup phrase

await tusky.me.resetPassword(backupPhrase, newPassword);

You can also update the password

await tusky.me.changePassword(password, newPassword);