brugeman on Nostr: Store your nsec in a secure enclave!
Store your nsec in a secure enclave!
We've spent a big part of 2024 trying to make a reliable non-custodial signer with nsec.app. It hasn't worked out perfectly - remote access to keys stored on a mobile device is still unreliable, especially on iOS.
That's why we got very interested in AWS Nitro Enclaves - h/t Marks (nprofile…j64l) and the MapleAI team for inspiration!
The idea is to have an open-source custodial signer and deploy it in an isolated environment that provides attestation for the deployed code. Anyone would be able to reproduce the code build and verify that the signer is running the correct code in a safe environment.
So here it is:
https://github.com/nostrband/noauth-enclaved
Each instance of a signer deployed in an enclave announces itself on Nostr. We added some Nostr to the attestation provided by AWS - the report is linked to the pubkeys of the person building the code image and the person running it. This way you can choose a signer based on your own preferences.
It's already integrated into nsec.app: go to Settings => Secure enclave and try uploading your keys to the server. The signer API is described in the README.
DO NOT deploy your real keys just yet - it's running in a production environment, but the code hasn't been well audited yet. First we need some community members to review the code and reproduce the code image.
The signer can also be used to generate throwaway keys for automated testing of nip46 implementations; check out the "generate_test_key" method.
Looking forward to your feedback!
(Signed by my nsec from the enclave)
Published at 2025-04-11 12:53:43
Event JSON
{
"id": "7eb061768eceb185a56ed8bddb5bc95bec58d3b4491f31d1069d99376de9c8e6",
"pubkey": "3356de61b39647931ce8b2140b2bab837e0810c0ef515bbe92de0248040b8bdd",
"created_at": 1744376023,
"kind": 1,
"tags": [
[
"p",
"8ea485266b2285463b13bf835907161c22bb3da1e652b443db14f9cee6720a43",
"wss://premium.primal.net/"
],
[
"imeta",
"bh L5Nm+vjF_3_N00j[D$Rj00WBM_IU",
"blurhash L5Nm+vjF_3_N00j[D$Rj00WBM_IU",
"dim 1290x2795",
"m image/png",
"ox c94c04248420e49a0c9c3c13727943d47b629ec63c9a5078fd9302f675e7032f",
"thumb https://image.nostr.build/thumb/c94c04248420e49a0c9c3c13727943d47b629ec63c9a5078fd9302f675e7032f.png",
"url https://image.nostr.build/c94c04248420e49a0c9c3c13727943d47b629ec63c9a5078fd9302f675e7032f.png",
"x d45142e6e09a6614212674fa46b8289f99e52ccfa2d7430f721140fc9e256e92"
]
],
"content": "Store your nsec in a secure enclave!\n\nWe've spent a big part of 2024 trying to make a reliable non-custodial signer with nsec.app. It hasn't worked out perfectly - remote access to keys stored on a mobile device is still unreliable, especially on iOS.\n\nThat's why we got very interested in AWS Nitro Enclaves - h/t nostr:nprofile1qyvhwumn8ghj7urjv4kkjatd9ec8y6tdv9kzumn9wshszxmhwden5te0deex2mrp0yhxxttnw3jkcmrpwghxuet59uq35amnwvaz7tmjv4kxz7fwdehhxarjvd5x2cmt9ekk2tcpzdmhxue69uhhqatjwpkx2urpvuhx2ue0qythwumn8ghj7un9d3shjtnwdaehgu3wvfskuep0qqsgafy9ye4j9p2x8vfmlq6equtpcg4m8ks7v545g0d3f7wwueeq5scudj64l and MapleAI team for inspiration! \n\nThe idea is to have an open-source custodial signer and deploy it in an isolated environment that provides attestation for the deployed code. Anyone would be able to reproduce the code build and verify that the signer is running the correct code in a safe environment. \n\nSo here it is: https://github.com/nostrband/noauth-enclaved\n\nEach instance of a signer deployed in an enclave announces itself on Nostr. We added some Nostr to attestation provided by AWS - the report is linked to pubkeys of a person building the code image, and a person running it. This way you can choose a signer based on your own preferences.\n\nIt's already integrated into nsec.app, go to Settings =\u003e Secure enclave and try to upload your keys to the server. The signer API is described in README.\n\nhttps://image.nostr.build/c94c04248420e49a0c9c3c13727943d47b629ec63c9a5078fd9302f675e7032f.png\n\nDO NOT deploy your real keys just yet - it's running in a production environment, but the code hasn't been well audited yet. First we need some community members to review the code and reproduce the code image. \n\nThe signer can also be used to generate throwaway keys for automated testing of nip46 implementations, check out \"generate_test_key\" method. \n\nLooking forward to your feedback!\n\n(Signed by my nsec from the enclave)",
"sig": "604550d7ac80c2a3907fa56ae98503a45a5e40e53d650fe887499c44aa44a217948e876554162c863002e684066604491fbbdd845df5c430e50d8d5101e1ffd7"
}