How Privy Enables Deploy.Finance Wallets

Deploy.Finance's wallet infrastructure is enabled by Privy.io, a leading provider of authentication and wallet infrastructure.

Privy builds authentication and wallet infrastructure to enable better products built on crypto rails. Get started in minutes to onboard users with wallets, spin up self-custodial wallets for users, and securely sign transactions through your app.

Deploy.Finance's agents and infrastructure leverage Privy's infrastructure to generate wallets with private keys and sign transactions to complete delegation and withdrawal activities.

Below is a description of the private key generation process and key management from Privy's documentation.

Privy's Private Key Generation Process

Privy generates private keys using distributed key sharding with Shamir's Secret Sharing (SSS), splitting each key into encrypted shares stored across separate security boundaries4.

The process involves:

  • Three share types: Device/enclave share (stored on user's device/TEE), auth share (stored by Privy), and recovery share (user-managed or Privy-backed)4.

  • Open-source cryptography: Uses the audited shamir-secret-sharing library, the most widely used open-source TypeScript implementation of SSS4.
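
The 2-of-3 split described above can be shown in a few lines. This is an added example, not code from Privy or from the shamir-secret-sharing library; the function names, the field polynomial (the AES one) and the share x-coordinates 1..n are assumptions made for illustration.

```javascript
// Added example, not Privy's code: Shamir's Secret Sharing over GF(2^8), byte by byte.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Multiply in GF(2^8), reduction polynomial x^8 + x^4 + x^3 + x + 1 (assumed).
function gmul(a, b) {
  let p = 0;
  for (let i = 0; i < 8; i++) {
    if (b & 1) p ^= a;
    const carry = a & 0x80;
    a = (a << 1) & 0xff;
    if (carry) a ^= 0x1b;
    b >>= 1;
  }
  return p;
}

// Multiplicative inverse: a^254, since a^255 = 1 for every non-zero a.
function ginv(a) {
  let r = 1;
  for (let i = 0; i < 254; i++) r = gmul(r, a);
  return r;
}

// Split `secret` (Uint8Array) into n shares; any k of them reconstruct it.
function split(secret, n, k) {
  const shares = Array.from({ length: n }, (_, i) => ({ x: i + 1, y: new Uint8Array(secret.length) }));
  secret.forEach((byte, pos) => {
    // Random polynomial of degree k-1 whose constant term is the secret byte.
    const coeffs = [byte, ...rng.getRandomValues(new Uint8Array(k - 1))];
    for (const s of shares) s.y[pos] = coeffs.reduceRight((acc, c) => gmul(acc, s.x) ^ c, 0);
  });
  return shares;
}

// Lagrange interpolation at x = 0 (subtraction in GF(2^8) is XOR).
function combine(shares) {
  const out = new Uint8Array(shares[0].y.length);
  shares.forEach((sj, j) => {
    let basis = 1;
    shares.forEach((sm, m) => {
      if (m !== j) basis = gmul(basis, gmul(sm.x, ginv(sm.x ^ sj.x)));
    });
    sj.y.forEach((yb, pos) => { out[pos] ^= gmul(yb, basis); });
  });
  return out;
}

const same = (a, b) => a.length === b.length && a.every((v, i) => v === b[i]);
// Constructed 32-byte stand-in for a private key; share names follow the page.
const key = rng.getRandomValues(new Uint8Array(32));
const [device, auth, recovery] = split(key, 3, 2);
console.log(same(combine([device, auth]), key), same(combine([auth, recovery]), key),
            same(combine([device, recovery]), key), same(device.y, key));
```

Every pair of shares recovers the key, while a single share on its own is just a random-looking byte string, which is why compromise of one storage boundary does not expose the key.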

Privy's Key Management Architecture

Privy's key management architecture has several layers to mitigate risks associated with storage and retrieval.

  1. Secure Assembly: Private keys are only temporarily reconstructed within secure execution environments when exactly two shares are present4.

  2. Storage Isolation:

    • Web clients: Device share stored in browser's domain-partitioned local storage4.

    • API integrations: TEE (Trusted Execution Environment) acts as remote device4.

  3. Export Controls: Private key exports require explicit policy permission via HPKE-encrypted API1.

Learn more about Privy's process for key generation and management here.

Privy's Session Management

Privy enables secure delegation of Deploy.Finance's smart wallet activities through session keys using a combination of cryptographic controls and trusted execution environments.

Here's how this is implemented:

  1. User consent initiation: You submit a request (such as "Delegate funds to DD NOS"), triggering a delegation request that requires explicit user approval through Privy's client SDK. This generates a cryptographic proof of consent stored on-chain or in secure storage58.

  2. Key provisioning: Privy's API creates a session key pair within a Trusted Execution Environment (TEE), splitting the private key using Shamir's Secret Sharing:

    • One share stored in the TEE

    • One share encrypted with user credentials

    • One share held by Privy's infrastructure56

  3. Secure key assembly: When needed, the session key is temporarily reconstructed in the TEE using HPKE-encrypted API calls.

The session key remains active, allowing the agent to autonomously execute trading activities until you revoke access.

Learn more about Privy's security architecture here.
