Motr Enclave
Motr Enclave is the encrypted key storage layer for the Nebula wallet. It provides a secure, client-side SQLite environment for managing sensitive identity and cryptographic material.
Overview
The enclave is built as a SQLite WASM database, ensuring that sensitive data remains on the user's device. All data is encrypted at rest using a secret derived from the user's WebAuthn credentials, providing a seamless yet highly secure experience.
Architecture
┌─────────────────────────────────────────────────────────────────────┐
│                            NEBULA WALLET                            │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│ ┌──────────────────────┐       ┌──────────────────────────────────┐ │
│ │    SQLite Enclave    │       │     API Clients (Live Data)      │ │
│ │   (Encrypted WASM)   │       │                                  │ │
│ ├──────────────────────┤       ├──────────────────────────────────┤ │
│ │ • WebAuthn Creds     │       │ • Token Balances                 │ │
│ │ • MPC Key Shares     │       │ • Transaction History            │ │
│ │ • UCAN Tokens        │       │ • NFT Holdings                   │ │
│ │ • Device Sessions    │       │ • Price Data                     │ │
│ │ • Service Grants     │       │ • Chain State                    │ │
│ │ • DID State          │       │ • Network Status                 │ │
│ │ • Capability Delegs  │       │                                  │ │
│ └──────────────────────┘       └──────────────────────────────────┘ │
│            │                                    │                   │
│            │ Encrypted with                     │ REST/gRPC         │
│            │ WebAuthn-derived key               │                   │
│            ▼                                    ▼                   │
│ ┌──────────────────────┐       ┌──────────────────────────────────┐ │
│ │    IndexedDB/OPFS    │       │     Sonr Protocol / Indexers     │ │
│ │  (Browser Storage)   │       │  (PostgreSQL for live queries)   │ │
│ └──────────────────────┘       └──────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
Data Storage
The enclave stores security-critical information required for wallet operations:
- Identity: Local cache of DID documents and associated verification methods.
- Credentials: WebAuthn registrations for device-bound authentication.
- Key Material: MPC key shares and derived blockchain accounts.
- Authorization: UCAN tokens, capability delegations, and service grants.
- State: Active device sessions and protocol sync checkpoints.
Security Model
The enclave employs a WebAuthn-based encryption strategy. During authentication, the WebAuthn PRF (Pseudo-Random Function) extension yields a unique secret; HKDF then expands that secret into a 256-bit AES key, which encrypts the SQLite database at rest (stored in IndexedDB or OPFS). The key therefore exists only after a successful authentication and is never itself written to storage.
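The derivation just described, as an added example in Go (the language sqlc generates for this enclave), not code from the Motr or Sonr projects: HKDF-SHA256 built from the standard library expands a WebAuthn PRF output into the 256-bit key, which then seals and opens a SQLite database image. The HKDF salt (credential ID), the info label and the choice of AES-GCM are assumptions; the page specifies only PRF, then HKDF, then AES-256, and the browser-side call that obtains the PRF output from the authenticator is not shown.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// hkdfSHA256 is RFC 5869 HKDF (extract, then expand) built on the standard-library HMAC.
func hkdfSHA256(ikm, salt, info []byte, length int) []byte {
	ext := hmac.New(sha256.New, salt) // extract: PRK = HMAC(salt, IKM)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var okm, t []byte
	for i := byte(1); len(okm) < length; i++ { // expand: T(i) = HMAC(PRK, T(i-1) | info | i)
		exp := hmac.New(sha256.New, prk)
		exp.Write(append(append(append([]byte{}, t...), info...), i))
		t = exp.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:length]
}
type Enclave struct{ gcm cipher.AEAD } // AES-256-GCM is assumed; the page states only "256-bit AES key"
// NewEnclave expands the 32-byte WebAuthn PRF output into the database key. The PRF secret and the
// key live in memory only. Credential ID as HKDF salt and this info label are assumed, not the project's.
func NewEnclave(prfOutput, credentialID []byte) (*Enclave, error) {
	block, err := aes.NewCipher(hkdfSHA256(prfOutput, credentialID, []byte("motr-enclave/db-key/v1"), 32))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Enclave{gcm: gcm}, nil
}
func (e *Enclave) Seal(dbImage []byte) []byte { // encrypt a serialized SQLite image, nonce prepended
	nonce := make([]byte, e.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: refusing to encrypt is safer than risking a repeated nonce
	}
	return e.gcm.Seal(nonce, nonce, dbImage, nil)
}
func (e *Enclave) Open(sealed []byte) ([]byte, error) { // wrong key, tampering or truncation is rejected
	ns := e.gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	return e.gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}
```

Only the blob returned by Seal is what IndexedDB/OPFS ever holds; opening it again requires re-deriving the key from a fresh PRF output.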
Project Structure
- db/schema.sql: Database schema definition.
- db/query.sql: SQLC query definitions for type-safe Go code generation.
- sqlc.yaml: Configuration for the SQLC compiler.
Development
Prerequisites
Generating Code
To regenerate the Go database implementation after modifying the schema or queries:
sqlc generate
This will update the Go files in the db/ directory, providing type-safe interfaces for all database operations.
Tables
The enclave database consists of the following primary tables:
- did_documents: Local cache of Sonr DID state and documents.
- verification_methods: Cryptographic keys associated with a DID for various purposes.
- credentials: WebAuthn credential storage for secure device-bound authentication.
- key_shares: MPC/TSS key share storage encrypted at rest.
- accounts: Blockchain accounts derived from key shares using BIP44 paths.
- ucan_tokens: Capability authorization tokens for fine-grained permissioning.
- sessions: Active device sessions for managing wallet access.
- services: Registry of connected third-party services and dApps.
- grants: User-authorized permissions and scopes granted to specific services.
- delegations: Chains of capability delegations between DIDs for resource access.