# Key management

Ripple Custody uses asymmetric cryptography throughout to ensure integrity and non-repudiation. Ripple Custody works with the following three types of cryptographic keys:

- User keys
- Governance engine and vault keys
- Blockchain account keys


Governance engine, vault, and blockchain keys are generated and stored securely by the custodian, using their preferred key management system (KMS).

For more information about supported KMS in Ripple Custody, see [Supported key management systems](/products/custody/v1.19/get-started/deployment/supported-kms).

The main properties of the three types of keys are as follows:

| Property | User keys | Governance engine and vault keys | Blockchain keys |
|  --- | --- | --- | --- |
| **Role** | Sign user decisions | Sign application data | Sign transactions |
| **Algorithm** | ECDSA secp256r1 | EdDSA Ed25519 | Blockchain-specific |
| **Key length** | 256-bit | 256-bit | Blockchain-specific |
| **Storage** | Mobile phone secure enclave, YubiKey, or KMS | KMS | KMS |
| **Backup** | None needed | Smart card and wrapped export | Smart card and wrapped export |
| **Rotation** | Lock user and create a new one | Redeploy governance engine and vault components | On-chain address sweeping |
| **Revocation** | Lock a user | Redeploy governance engine and vault components | Funds transferable to a new account |


## User keys

All users (human or machine) that require read or write access to the Ripple Custody platform are associated with a key. User keys are used to enforce governance of data updates in Ripple Custody, as follows:

- A user private key is stored externally and is never communicated to Ripple Custody. The private key is used to authenticate user requests to Ripple Custody, such as submission of a signed request to update an entity, or submission of a signed approval or rejection of an entity update request.
- The public key corresponding to the user private key is stored in the database and used by the governance engine to verify the signature of all update requests submitted by the user.


A valid public key is in DER format with Base64 encoding, as in the following example:


```bash
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEe32vCCfM0LXmT6VuZo4AykiZ8YfBMB92nKNX8K+PRhN7/qPhILzGlOv/7kDyefTxHSrytXG28OB0cPwErlHgyQ=="
```

User public keys are registered within the trusted state of Ripple Custody to prevent any risk of identity tampering on the server side. Registering a user public key is subject to a dedicated user creation intent, such as for any other critical state mutation.

Users are responsible for their own keys. They can safely store user keys, sign intent submissions, and submit approvals and rejections of intents in the Ripple Custody mobile application or Windows desktop app. The mobile application stores keys in the device secure enclave, which is a requirement for the app to function properly. For users of the Windows desktop app, the keys are stored in a YubiKey, which provides smart card functionality based on the Personal Identity Verification (PIV) interface.

YubiKey 5 FIPS Series devices are required for Windows desktop use. Alternatively, you can choose any other type of KMS.

User keys are generated by the user during system setup or registration.

For more information about user key generation, see [Register](/products/custody/v1.19/api/get-started/register) in the Ripple Custody API guide.

## Governance engine and vault keys

The governance engine and vault use keys to authenticate messages that pass between them and demonstrate authenticity to components external to Ripple Custody.

- The governance engine uses its private key to sign the root of the Merkle tree, thus securing the state of the system. It also uses a private key to authenticate messages dedicated to external components.
- The vault uses its private key to authenticate payloads dedicated to external components.


Governance engine keys and vault keys are generated during deployment.

## Blockchain keys

Ripple Custody uses blockchain keys to sign the transactions of a given account. The signature algorithm they use can vary according to the requirements of the underlying ledger protocols.

During account creation, Ripple Custody generates blockchain keys from the master seed using different strategies, depending on the KMS. Ripple Custody supports the following strategies:

- Deterministic key derivation strategies, such as BIP32 and SLIP10, in both hard and soft derivations: With hard derivation, each new derivation (for example, for the generation of a new address) needs access to the master seed in the vault, while soft derivation does not.
- Random key generation strategies: The key material for the new wallet is not derived at all from the seed, but generated randomly.


All these strategies store the keys in the database, wrapped with the master seed where applicable.

For more information about key derivation for accounts and ledgers, see [Key derivation](/products/custody/v1.19/overview/blockchain/accounts/key-derivation).