Secret Manager

Toolkit for secure handling of seed phrases and encrypted payloads

The Secret Manager is a secure, in‑memory system for generating, encrypting, decrypting, and managing wallet seed phrases (mnemonics) and sessions. It is designed for wallet applications where user secrets must be protected and never stored in plaintext. It generates, encrypts, decrypts, and converts BIP39 mnemonics using strong, modern cryptography.

Powered by @tetherto/wdk-secret-manager.

Features

  • Seed & Entropy Protection: Generate and encrypt BIP39 seed (64‑byte) and entropy (16‑byte)

  • Strong Key Derivation: PBKDF2‑SHA256 with configurable iterations (default 100,000)

  • Authenticated Encryption: libsodium secretbox (XSalsa20‑Poly1305) with versioned, self‑describing headers

  • Mnemonic Utilities: 16‑byte entropy ↔ 12‑word BIP39 mnemonic helpers

  • Secure Randoms: Cryptographically secure salt and entropy generators

  • Master‑Key Mode: Optional 32‑byte key to skip PBKDF2 when you already have a derived key

  • Memory Safety: In‑memory operation, explicit zeroization, and dispose() to wipe secrets

  • Cross‑Runtime: Works in Node and Bare environments
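The sketch below shows how the pieces listed above fit together: PBKDF2-SHA256 key derivation, an authenticated self-describing header, master-key mode, and key zeroization. It is an added example, not the @tetherto/wdk-secret-manager API or its wire format. The function names and header layout are hypothetical, and ChaCha20-Poly1305 from Node's built-in crypto stands in for libsodium secretbox (XSalsa20-Poly1305), which Node does not ship.

```javascript
// Added illustration; NOT the @tetherto/wdk-secret-manager API or wire format.
const crypto = require('node:crypto');

const VERSION = 1;                   // hypothetical format version
const HEADER_LEN = 1 + 4 + 16 + 12;  // version | iterations | salt | nonce (assumed layout)
const MAX_ITERATIONS = 10000000;     // bound the work an untrusted header can request

function encryptSecret(secret, passkey, { iterations = 100000, masterKey } = {}) {
  const header = Buffer.alloc(HEADER_LEN);
  header.writeUInt8(VERSION, 0);
  header.writeUInt32BE(masterKey ? 0 : iterations, 1); // 0 marks master-key mode
  crypto.randomFillSync(header, 5);                    // fresh random salt and nonce
  const salt = header.subarray(5, 21), nonce = header.subarray(21);
  // Master-key mode skips PBKDF2; the caller's key is copied so only the copy is wiped.
  const key = masterKey ? Buffer.from(masterKey)
                        : crypto.pbkdf2Sync(passkey, salt, iterations, 32, 'sha256');
  try {
    // secretbox uses a 24-byte nonce; this stand-in cipher takes 12 bytes.
    const c = crypto.createCipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
    c.setAAD(header); // header is authenticated, so its fields cannot be altered silently
    return Buffer.concat([header, c.update(secret), c.final(), c.getAuthTag()]);
  } finally {
    key.fill(0); // zeroize key material as soon as it is no longer needed
  }
}

function decryptSecret(payload, passkey, { masterKey } = {}) {
  if (payload.length < HEADER_LEN + 16) throw new Error('payload too short');
  const header = payload.subarray(0, HEADER_LEN);
  if (header.readUInt8(0) !== VERSION) throw new Error('unsupported version');
  const iterations = header.readUInt32BE(1);
  if (!masterKey && (iterations < 1 || iterations > MAX_ITERATIONS)) {
    throw new Error('iteration count out of range');
  }
  const salt = header.subarray(5, 21), nonce = header.subarray(21);
  const key = masterKey ? Buffer.from(masterKey)
                        : crypto.pbkdf2Sync(passkey, salt, iterations, 32, 'sha256');
  try {
    const d = crypto.createDecipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
    d.setAAD(header);
    d.setAuthTag(payload.subarray(payload.length - 16));
    const body = payload.subarray(HEADER_LEN, payload.length - 16);
    // final() throws on a wrong passkey or any modified byte; caller wipes the result.
    return Buffer.concat([d.update(body), d.final()]);
  } finally {
    key.fill(0);
  }
}
```

The plaintext returned by `decryptSecret` is itself a secret: the caller should `fill(0)` it once the mnemonic or signing operation is done.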

Why this matters

  • Seed phrases grant full control over funds and must never be exposed

  • Best practice: never persist plaintext; always encrypt with a user passkey

  • Memory‑only handling and prompt zeroization reduce attack surface

