Import Fireblocks private keys

This page describes how to import private keys from a Fireblocks wallet.

It is recommended that you learn more about this process and its prerequisites before you begin.

Repeat these steps for each key you wish to import.

  1. Base64-encode your Fireblocks backup.zip file and RSA.pem key:

    base64 -i ./fireblock_backup_zip_file.zip -o base64_encoded_backup_zip_file.txt

    base64 -i ./fireblock_rsa_private_key.pem -o base64_encoded_rsa_key.txt

  2. Upload encrypted key material:

    To start the import process, you need to gather the relevant key material, which can include the encrypted shares package and the decryption key. You can either:

    • Contact support to initiate the import process.
      OR

    • Call the Import Keys API.
      Here's a sample payload:

      {
        "type": "fireblocks",
        "key_name": "<THE NAME OF THE KEY TO IMPORT>",
        "backup_zip_content": "<BASE64 ENCODED CONTENT OF YOUR BACKUP ZIP FILE>",
        "rsa_pem": "<BASE64 ENCODED CONTENT OF YOUR BACKUP DECRYPTION KEY IN PEM FORMAT>",
        "rsa_pem_password": "<THE PASSWORD FOR THE BACKUP DECRYPTION KEY>"
      }

      If you upload the rsa_pem, it is used to decrypt the enclave shares within the backup_zip_content.

      Alternatively, you can use the following fixed public key to encrypt the shares, in which case you need to omit the rsa_pem and rsa_pem_password fields. The Fordefi enclave holds the corresponding private key.

      -----BEGIN PUBLIC KEY-----
      MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAxcYhWPOSYwV0zC1286Gd
      2c7ptH/4atHqlRDxxsNr/1h3+F1EmjBXB0TdEiETHoEDvFrVTtkU2U9wwqxnFC1V
      NOWI3aOECgV93TaKeqvFQobB7xsfZ6Wi+dpTIMBSQGvxGI9RvVusdEF/1pveeYUt
      UDFl8/wZcvX74a2T3Kk02F4dt4JmH8hLD2XQhBhMdXFnYYGXaFLpzSovkCG0VHlz
      Y9j5YJH2Tvn2wlleCAoB+y/Nrbd6hHeUXLWJWgNwT06x8xJ6Nn6CBa37/aJbCPul
      F5lCQuD+zBHCPdVs3e6cakWA+bVinj/Ea/rfvQs1MuNdKxg6TRx/AVK77XRETJW2
      R+F7ThJmBMI2g5y8wcY0zmnhNB6jsyI7Xd3AHCxkNgSajqTwg31AwJVDpo9KqbiD
      JT+njNOuRXHToIrZyU/sjO15XoX8j/6Q5i4UExiMOVE2b4shWg22Z9zMhSLpvwIr
      p3nCtTSVRqJySqBfwkjHdhNGZwSMGcEAAFRdvCUiJy5nAgMBAAE=
      -----END PUBLIC KEY-----

    The response contains a set of keys, with an ID for each key. Here's a sample response:

        {
          "keys": [
            {
              "key_id": "1e779c8a-6786-4c89-b7c3-a6666f5fd6b5",
              "key_name": "native-ecdsa",
              "key_type": "ecdsa_secp256k1",
              "key_origin": "native",
              "xpub": "xpub661MyMwAqRbcGE6Hjdqf5sQgNEAUAnghFLKBPQEGug3U1HG1sy4MLhEPLjUyyFfYvy45wMHQjAYEk7nHRznCwWSqi3WBQve7UWu1dXemXyv",
              "public_key_compressed": "A6YrN9ak58u3pOQHUossG2oFoVIPxvPP/b0fXkiMEJR8"
            }
          ]
        }

  3. Decrypt and run the MPC protocol:

    After you upload the key, all of the workspace's admins are notified. One of them must do the following: when prompted by the Fordefi mobile application, enter the Fireblocks recovery passphrase that will decrypt the mobile share.

    Fordefi then loads the MPC shares into its secure enclaves and mobile device to be used in the platform.

  4. You can now find the new key and its ID in the response to a call to the List Keys endpoint.
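
Steps 1 and 2 can be combined so that the base64-encoded private key is never written to an intermediate file. The following Python is an added example, not Fordefi's code: it uses only the field names from the sample payload above, while the function names, the sanity checks and the constructed sample inputs are assumptions, and sending the request is left out.

```python
import base64
import io
import zipfile


def build_import_payload(key_name, backup_zip, rsa_pem=None, rsa_pem_password=None):
    """Build the Import Keys request body from raw bytes, entirely in memory.

    Pass rsa_pem=None when the shares were encrypted to the fixed public key:
    rsa_pem and rsa_pem_password are then omitted, as the page requires.
    """
    if not key_name:
        raise ValueError("key_name is required")
    # Assumed sanity check: reject a wrong or truncated file before upload.
    if not zipfile.is_zipfile(io.BytesIO(backup_zip)):
        raise ValueError("backup is not a valid zip archive")
    payload = {
        "type": "fireblocks",
        "key_name": key_name,
        "backup_zip_content": base64.b64encode(backup_zip).decode("ascii"),
    }
    if rsa_pem is None:
        if rsa_pem_password is not None:
            raise ValueError("rsa_pem_password given without rsa_pem")
        return payload
    # Assumed sanity check: the file must carry a PEM private-key header.
    if not rsa_pem.lstrip().startswith(b"-----BEGIN") or b"PRIVATE KEY-----" not in rsa_pem:
        raise ValueError("rsa_pem is not a PEM private key")
    payload["rsa_pem"] = base64.b64encode(rsa_pem).decode("ascii")
    if rsa_pem_password is not None:  # assumption: only sent when the PEM is encrypted
        payload["rsa_pem_password"] = rsa_pem_password
    return payload


def redact(payload):
    """Copy of the payload that is safe to log: secret fields are masked."""
    secret = {"backup_zip_content", "rsa_pem", "rsa_pem_password"}
    return {k: "<redacted>" if k in secret else v for k, v in payload.items()}


if __name__ == "__main__":
    # Constructed sample inputs, not real key material.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("share.bin", b"constructed")
    pem = b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
    print(redact(build_import_payload("demo-key", buf.getvalue(), pem, "constructed-pw")))
    print(redact(build_import_payload("demo-key", buf.getvalue())))
```

Read the PEM password with getpass or a secrets manager rather than a command-line argument, so it stays out of shell history and process listings.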



Next step

Continue to Create Imported Vaults.