Key Store

The management and storage of private keys is the responsibility of the client. The DeltaKeyStore provides the interface for a key-storage implementation. The FileSystemKeyStore is an implementation to store keys in PEM formats on the file system.

Retrieval and usage of these keys is required in the following use cases:

  • Request Signing - all endpoints requiring authentication will require the private signing key of the requesting identity as part of the CVT1 request signing process.
  • Retrieving Secret Content - to retrieve secret content, a client will need access to the secret encryption key, which can only be decrypted with their private decryption key.

The Delta framework does not dictate or impose restrictions on how a client should manage and store private keys. It is therefore up to the implementation on whether to develop a custom solution or use pre-existing solutions, as long as the keys are accessible in the above use cases.


Loads a private encryption key instance for the given identity id.

Parameters:identity_id (str) – the identity id of the key owner
Returns:the cryptographic private key object

Loads a private signing key instance for the given identity id.

Parameters:identity_id (str) – the identity id of the key owner
Returns:the signing private key object
store_keys(identity_id, private_signing_key, private_encryption_key)[source]

Stores the signing and encryption key pairs under a given identity id.

  • identity_id (str) – the identity id of the key owner
  • private_signing_key (RSAPrivateKey) – the private signing key object
  • private_encryption_key (RSAPrivateKey) – the private cryptographic key object

File-System Key Store

Implementation of the DeltaKeyStore abstract base class using the file system. Private keys are saved in the file system as encrypted PEM formats and are only decrypted in memory on read.

class, key_store_passphrase)[source]


Constructs a new Filesystem-backed DeltaKeyStore with the given configuration.

  • key_store_path (str) – the path to the private key store
  • key_store_passphrase (str) – the passphrase to decrypt the keys