nsecBunker: Nostr Keys Delegation
nsecBunker lets you import your Nostr private keys into a secure, trusted environment (e.g. an HSM, self-hosted in your basement, etc.) and enforce various signing policies. Interested users can already join the waitlist.
- "The premise of nsecBunker is that you can store Nostr private keys (nsecs), use them remotely under certain policies, but these keys can never be exfiltrated from nsecBunker."
- "All communication with nsecBunker happens through encrypted, ephemeral nostr events."
- The waitlist (NIP-07) is available at: https://nsecbunker.com/
- The project does not use NIP-26.
How it works
- Within nsecBunker there are two distinct sets of keys: user keys and nsecBunker's key.
- User keys: The keys that users want to sign with (e.g. your personal or company's keys).
- "These keys are stored encrypted with a passphrase; the same way Lightning Network's LND stores keys locally: every time you start nsecBunker, you must enter the passphrase to decrypt it. Without this passphrase, keys cannot be used."
- nsecBunker's key: "nsecBunker generates its own private key, which is used solely to communicate with the nsecBunker administration UI. If these keys are compromised, no key material is at risk."
- "To interact with nsecBunker's administration UI, the administrator(s)' keys must be whitelisted within nsecBunker. All communication between the administrator and the nsecBunker is end-to-end encrypted with these two sets of keys."
- "Non-whitelisted keys simply cannot talk to nsecBunker's Administration UI."
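
A minimal sketch of the two controls described above: user keys encrypted at rest under a passphrase, and an administrator allow-list checked before any request is handled. This is an added example, not nsecBunker's code; the page does not name a KDF or cipher, so scrypt with AES-256-GCM, the Bunker class, the list_keys method and the sample keys are all assumptions, and the end-to-end encrypted transport is left out.

```javascript
// Added illustration, NOT nsecBunker's code: scrypt + AES-256-GCM and every name here are assumptions.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Encrypt a user key for storage; only salt, nonce, tag and ciphertext are persisted.
function sealKey(secretKeyHex, passphrase) {
  const salt = randomBytes(16);
  const nonce = randomBytes(12);
  const kek = scryptSync(passphrase, salt, 32); // key-encryption key derived from the passphrase
  const cipher = createCipheriv('aes-256-gcm', kek, nonce);
  const ct = Buffer.concat([cipher.update(Buffer.from(secretKeyHex, 'hex')), cipher.final()]);
  return { salt: salt.toString('hex'), nonce: nonce.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'), ct: ct.toString('hex') };
}

// Decrypt at startup; a wrong passphrase fails the GCM tag check and throws.
function unsealKey(record, passphrase) {
  const kek = scryptSync(passphrase, Buffer.from(record.salt, 'hex'), 32);
  const decipher = createDecipheriv('aes-256-gcm', kek, Buffer.from(record.nonce, 'hex'));
  decipher.setAuthTag(Buffer.from(record.tag, 'hex'));
  return Buffer.concat([decipher.update(Buffer.from(record.ct, 'hex')), decipher.final()]);
}

class Bunker {
  constructor(adminPubkeys) {
    this.admins = new Set(adminPubkeys.map((k) => k.toLowerCase()));
    this.records = new Map();  // name -> encrypted record (what sits on disk)
    this.unlocked = new Map(); // name -> Buffer, held in memory only
  }
  store(name, secretKeyHex, passphrase) { this.records.set(name, sealKey(secretKeyHex, passphrase)); }
  unlock(name, passphrase) {
    try { this.unlocked.set(name, unsealKey(this.records.get(name), passphrase)); return true; }
    catch { return false; } // wrong passphrase or unknown key name: stays locked
  }
  // Senders that are not on the allow-list are rejected before the request is looked at.
  handleAdmin(senderPubkey, request) {
    if (!this.admins.has(senderPubkey.toLowerCase())) return { ok: false, reason: 'sender not whitelisted' };
    if (request.method === 'list_keys') { // hypothetical method name
      return { ok: true, keys: [...this.records.keys()].map((n) => ({ name: n, unlocked: this.unlocked.has(n) })) };
    }
    return { ok: false, reason: 'unknown method' };
  }
}

// Constructed sample values: admin pubkey aa..aa, user key 11..11.
function demo() {
  const b = new Bunker(['aa'.repeat(32)]);
  b.store('personal', '11'.repeat(32), 'correct horse');
  return { wrong: b.unlock('personal', 'guess'), right: b.unlock('personal', 'correct horse'),
    stranger: b.handleAdmin('bb'.repeat(32), { method: 'list_keys' }).ok };
}
```

The stored record never contains the key in the clear, so a copy of the storage without the passphrase yields nothing usable, which is the property the quoted description relies on.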