Blockstream Enterprise Custody SDK
Core Concepts

Key management

AMP2 requires RSA and ECDSA P-256 key pairs for issuer encryption and request signing. The page explains key generation, format requirements, validation, and rotation.

AMP2 requires two asymmetric key pairs for every issuer: an RSA key pair for encryption and an ECDSA P-256 key pair for request signing. This page covers generation, format requirements, validation, and rotation.

What you need

KeyAlgorithmFormat for AMP2Purpose
RSA public keyRSA-2048PEM stringAMP2 encrypts responses with this key
RSA private keyRSA-2048PEM fileClient decrypts responses (never sent to AMP2)
ECDSA public keyP-256 (prime256v1)Compressed hex (66 chars)AMP2 verifies request signatures
ECDSA private keyP-256 (prime256v1)PEM fileClient signs requests (never sent to AMP2)

Only the public keys are sent to AMP2 during account creation and key rotation.

Generate RSA key pair

# Generate private key
openssl genrsa -out rsa_private_key.pem 2048

# Extract public key
openssl rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pem

Validate the keys:

openssl rsa -in rsa_private_key.pem -check -noout
# Expected: RSA key ok

openssl rsa -pubin -in rsa_public_key.pem -text -noout
# Expected: shows key size and modulus

Generate ECDSA key pair

# Generate private key
openssl ecparam -name prime256v1 -genkey -noout -out ecdsa_private_key.pem

# Extract public key (PEM)
openssl ec -in ecdsa_private_key.pem -pubout -out ecdsa_public_key.pem

Validate:

openssl ec -in ecdsa_private_key.pem -check -noout
# Expected: EC Key valid.

openssl ec -pubin -in ecdsa_public_key.pem -text -noout
# Expected: shows P-256 curve and public key point

Export ECDSA public key as compressed hex

AMP2 expects the ECDSA public key in compressed hex format, not PEM. Export it in two steps:

# 1. Create DER with compressed point encoding
openssl ec -in ecdsa_private_key.pem -pubout -conv_form compressed -outform DER -out ecdsa_public_key_compressed.der

# 2. Convert DER to hex string
xxd -p ecdsa_public_key_compressed.der | tr -d '\n' > ecdsa_public_key_compressed.hex

Verify the output:

cat ecdsa_public_key_compressed.hex
# Expected: starts with 02 or 03, total length is 66 hex characters

The 02 or 03 prefix indicates the point compression. The 66 character length represents the SEC1 compressed encoding of a P-256 public key (1 byte prefix + 32 bytes x-coordinate).

File permissions

Set strict permissions on private key files:

chmod 600 rsa_private_key.pem ecdsa_private_key.pem

Public keys can be more permissive:

chmod 644 rsa_public_key.pem ecdsa_public_key.pem

What goes to AMP2 vs. what stays secret

ArtifactSent to AMP2Where it lives
rsa_public_key.pemYes (at account creation and key rotation)AMP2 database (user table)
rsa_private_key.pemNeverIssuer's secure environment (secret manager, HSM, encrypted vault)
ecdsa_public_key_compressed.hexYes (at account creation and key rotation)AMP2 database (user table)
ecdsa_private_key.pemNeverIssuer's secure environment

Key rotation

AMP2 supports in place key rotation without recreating the account:

  1. Generate new key pairs (RSA and ECDSA) using the commands above.
  2. Update your SDK/runtime configuration with the new private keys.
  3. Call the change-keys resource via the SDK to register the new public keys with AMP2.

After the rotation call succeeds, AMP2 immediately starts using the new public keys. The old keys are invalidated.

Caution: Coordinate the rotation carefully. The change-keys call must be signed with the current private keys. After it succeeds, all subsequent requests must use the new private keys. Ensure your deployment switches keys atomically to avoid a window where requests fail.

Operational checklist

  • Keys generated in a secure, ephemeral environment (not on developer laptops)
  • Private keys stored in a secret manager or encrypted vault
  • Public keys exported in the correct format (PEM for RSA, compressed hex for ECDSA)
  • File permissions set (600 for private, 644 for public)
  • Tested on testnet before using on mainnet
  • Rotation process documented and rehearsed
  • Key material never committed to source control

On this page