Are you an LLM? Read llms.txt for a summary of the docs, or llms-full.txt for the full context.
Skip to content

Multi-Recipient Encryption

Objekt encrypts content once and wraps the AES key individually for each recipient. Recipients decrypt independently — no coordination needed.

Encrypt for Multiple Recipients

objekt put secret.pdf -w my-wallet \
  --encrypt \
  --encryptFor 0x02abc...def \
  --encryptFor 1a35e1.eth

Recipients can be specified as:

  • Hex public key0x02... (33 bytes secp256k1) or 0x... (32 bytes X25519)
  • ENS name — resolves the sh.objekt.encpubkey text record

Cross-Chain Recipients

A single file can be encrypted for recipients on different chains simultaneously:

Recipient 1: eip155:1:0xabc...    (Ethereum, secp256k1)
Recipient 2: solana:5eykt:7xKX... (Solana, X25519)
Recipient 3: bip122:000...000:bc1q... (Bitcoin, secp256k1)

The CLI derives chain-specific encryption keypairs from your wallet signature:

# Show your encryption public keys per chain
objekt wallet encryption-key my-wallet

CAIP-10 Addressing

Recipients are identified by CAIP-10 addresses in the envelope:

<namespace>:<chain_reference>:<account_address>

Examples:

  • eip155:1:0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045 (Ethereum mainnet)
  • solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp:7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU (Solana)
  • bip122:000000000019d6689c085ae165831e93:bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 (Bitcoin)

This is embedded in the id field of each recipient stanza, making the envelope self-describing across all chains.

How Decryption Works

The decryptor provides their keypairs. The envelope is scanned for a matching (curve, publicKey) pair:

import { decryptEnvelope } from "@objekt.sh/ecies";
 
const { plaintext, mime, access } = decryptEnvelope(envelope, keypairs);

If no keypair matches but an access URL is present, the decryptor can purchase a view key from the reveal service.