Skip to main content
Store and retrieve encryption keys from Turnkey’s secure enclave with policy-controlled access. Your infrastructure holds encrypted data and Turnkey holds the encryption key. Neither party alone can access plaintext. For an overview of Turnkey’s key management capabilities, see the Key Management Overview.

Powered by Turnkey

  • World App (by Tools for Humanity) — encrypts each user’s recovery bundle on-device and stores the encryption key in Turnkey’s secure enclave, gated by user authentication via OAuth. View on GitHub.

Key implementation decisions

Example: backup and recovery

A common pattern for applications: encrypt recovery bundles, store them in your infrastructure, and authenticate through Turnkey to decrypt when needed. No single party holds both the encrypted data and the decryption key.
2-of-2 security model diagram showing encrypted data in your infrastructure and encryption key in Turnkey secure enclave

Implementation steps

Explore the complete implementation in the GitHub encryption-key-escrow example.
1

Create encryption keypair

Generate a P-256 keypair in Turnkey using createPrivateKeys. The private key is stored in Turnkey’s secure enclave and never exposed.
2

Retrieve public key

Fetch the public key to use for encryption:
3

Encrypt data locally

Use the public key to encrypt sensitive data on your side. Turnkey never sees the plaintext or the encrypted result:
4

Authenticate and export decryption key

Authenticate the user through your normal auth flow, then request the encryption private key from Turnkey using exportPrivateKey:
Use Turnkey’s policy engine to add controls on key export:
This example requires two approvers for any export of the encryption key, adding human oversight to sensitive operations.
5

Decrypt and use locally

Decrypt your stored bundles and use them locally, with no further Turnkey calls:
When done, clear the decryption key and any decrypted data from memory:

Next steps