Cloud wallet
The Cloud Wallet feature allows secure storage and synchronization of wallet documents via an EDV (Encrypted Data Vault).
File Path: @docknetwork/wallet-sdk-core/src/cloud-wallet
The Cloud Wallet integrates with an EDV to securely store, sync, and manage documents. Once initialized, it automatically synchronizes documents between the EDV and the wallet, allowing you to add, update, and remove documents without dealing with the synchronization logic yourself.
The example below demonstrates how to initialize and use the Cloud Wallet for managing documents.
First, you need to create local data storage to connect to the credential wallet.
Next, we generate a key and mnemonic for interacting with the cloud wallet. Use the same Cloud Wallet key across multiple devices to access the same documents. These keys are used to encrypt, decrypt, and locate documents in the EDV.
The masterKey is used to derive encryption keys for the EDV, while the mnemonic is used to recover the master key.
Note: Encryption keys can be derived from biometric data through a third-party service, offering enhanced security by linking the keys to a user's unique biometric profile.
If the master key is lost, the mnemonic can be used to recover it. Store the mnemonic securely and do not share it with anyone.
After setting up the data store and generating the key, initialize the Cloud Wallet and connect it to the local data storage. This ensures continuous synchronization between the EDV and the wallet.
The pullDocuments function synchronizes the EDV and the wallet by comparing documents and updating the data store accordingly. Documents can be credentials or messages.
Now, create a credential wallet inside of the data storage. This will allow you to add, update, and remove documents.
You can add a document to the wallet using the following code:
You can issue credentials directly to a cloud wallet using the Truvera Workspace/API. The credential will be automatically distributed to the holder's cloud wallet through the DIDComm protocol, eliminating the need for direct API calls or manual credential handling.
For the DIDComm automatic distribution to work properly, the subject ID of the credential must be set to the holder's DID when issuing the credential. This enables the system to route the credential to the correct wallet.
After a credential has been issued to a holder's DID, the cloud wallet only needs to fetch and process DIDComm messages to receive it:
The Cloud Wallet supports multiple authentication methods to unlock the same wallet, providing both security and convenience.
Mnemonic-based authentication: The traditional recovery phrase approach
Biometric authentication: Using fingerprints, facial recognition, or other biometric data
Future extensions: Can be extended to support passkeys and other authentication methods
The Cloud Wallet uses a key mapping system that allows a secondary key (e.g. derived from biometrics) to unlock the same master key that was originally derived from a mnemonic phrase.
The system uses a two-vault architecture:
KeyMappingVault: Stores encrypted master keys that can only be accessed with proper authentication
CloudWalletVault: The main vault containing wallet documents, secured by the master key
To set up biometric authentication, enroll the user with their biometric data and identifier (typically an email):
The enrollment process:
Creates a unique master key and mnemonic
Generates encryption keys from the biometric data
Encrypts the master key with the biometric-derived keys
Stores the encrypted master key in the KeyMappingVault, indexed by the user's email
Next, when the user wants to access their wallet, they can authenticate with their biometric data:
The authentication process:
Uses biometric data and email to access the KeyMappingVault
Finds the encrypted master key associated with the user's email
Derives decryption keys from the provided biometric data
Decrypts the master key
Uses the master key to access the CloudWalletVault