nsecBunker: Nostr Keys Delegation

nsecBunker lets you import your Nostr private keys into a secure, trusted environment (e.g. an HSM, a self-hosted machine in your basement, etc.) and enforce various signing policies. Interested users can already join the waitlist.

  • "The premise of nsecBunker is that you can store Nostr private keys (nsecs), use them remotely under certain policies, but these keys can never be exfiltrated from nsecBunker."
  • "All communication with nsecBunker happens through encrypted, ephemeral nostr events."
  • The waitlist (NIP-07) is available at: https://nsecbunker.com/
  • The project does not use NIP-26.

How it works

  • Within nsecBunker there are two distinct sets of keys: user keys and nsecBunker's key.
  • User keys: The keys that users want to sign with (e.g. your personal or company's keys).
  • "These keys are stored encrypted with a passphrase; the same way Lightning Network's LND stores keys locally: every time you start nsecBunker, you must enter the passphrase to decrypt it. Without this passphrase, keys cannot be used."
  • nsecBunker's key: "nsecBunker generates its own private key, which is used solely to communicate with the nsecBunker administration UI. If these keys are compromised, no key material is at risk."
  • "To interact with nsecBunker's administration UI, the administrator(s)' keys must be whitelisted within nsecBunker. All communication between the administrator and the nsecBunker is end-to-end encrypted with these two sets of keys."
  • "Non-whitelisted keys simply cannot talk to nsecBunker's Administration UI."
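
The two controls described above (user keys sealed at rest under a passphrase, and an administrator whitelist), sketched as an added example that is not nsecBunker's own code. The KDF (scrypt), the cipher (AES-256-GCM), the `Bunker` class, and all key values are assumptions constructed for illustration.

```javascript
// Added illustration, not nsecBunker's implementation.
// Assumed choices: scrypt as the KDF, AES-256-GCM as the cipher.
const crypto = require('crypto');

// Constructed sample values (not real keys).
const DEMO_USER_KEY = 'ab'.repeat(32);   // 32-byte secret, hex
const DEMO_ADMIN = 'aa'.repeat(32);      // whitelisted admin pubkey
const DEMO_STRANGER = 'cc'.repeat(32);   // pubkey not on the whitelist

// Seal a user key for storage: only salt, IV, ciphertext and tag hit disk.
function sealKey(keyHex, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const kek = crypto.scryptSync(passphrase, salt, 32);
  const c = crypto.createCipheriv('aes-256-gcm', kek, iv);
  const ct = Buffer.concat([c.update(Buffer.from(keyHex, 'hex')), c.final()]);
  return { salt, iv, ct, tag: c.getAuthTag() };
}

// Unseal at startup. A wrong passphrase fails the GCM tag check: null.
function unsealKey(rec, passphrase) {
  const kek = crypto.scryptSync(passphrase, rec.salt, 32);
  const d = crypto.createDecipheriv('aes-256-gcm', kek, rec.iv);
  d.setAuthTag(rec.tag);
  try {
    return Buffer.concat([d.update(rec.ct), d.final()]).toString('hex');
  } catch {
    return null;
  }
}

class Bunker {
  constructor(record, adminPubkeys) {
    this.record = record;
    this.admins = new Set(adminPubkeys);
    this.userKey = null;                 // unusable until unlocked
  }
  unlock(passphrase) {
    this.userKey = unsealKey(this.record, passphrase);
    return this.userKey !== null;
  }
  // Whitelist check comes first; no reply ever carries key material.
  handleAdmin(senderPubkey, command) {
    if (!this.admins.has(senderPubkey)) return { ok: false, reason: 'not whitelisted' };
    if (this.userKey === null) return { ok: false, reason: 'locked' };
    return { ok: true, command };
  }
}
```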
