# E2EE Module

The E2EE (End-to-End Encryption) Module provides a decentralized public-key infrastructure (PKI) natively within the Uniocean blockchain. Rather than processing or storing ciphertexts on-chain, which would bloat the state machine, the module is strictly a highly available registry of encryption public keys. Encryption and decryption of payloads happen entirely off-chain, on the clients at either end.

## Cryptographic Primitives and State Model

The module's cryptography follows the `age` file-encryption format, specifically its native **X25519** recipient type, which performs key agreement on Curve25519. In `age` terms, an identity is the secret-key string (`AGE-SECRET-KEY-1...`) and a recipient is the matching public string (`age1...`).

The on-chain state is a streamlined KVStore that maps a Uniocean account address to its registered X25519 recipient string, stored as-is. Users publish their public keys with a `MsgRegisterEncryptionKey` transaction. To guarantee authenticity, the protocol enforces strict signer authorization: the transaction must be signed by the account whose entry is being created or overwritten, so no third party can set or replace another user's key. The guarantee is therefore exactly as strong as control of the account: whoever holds its signing key can publish or replace its encryption key, and a sender relying on the registry trusts the returned key only as far as they trust that account.
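As an added example, not the module's own code, here is the registration handler that the signer rule above implies, written in Go against an in-memory map standing in for the KVStore. The message type and its field names, the placeholder addresses, the sample recipient string and the shape-only recipient check are this example's assumptions, not the module's protobuf or keeper definitions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// MsgRegisterEncryptionKey mirrors the registration transaction described on
// this page: the signer recovered from the transaction signature, the account
// whose entry is written, and the age recipient string. The field names are
// this example's own, not the module's protobuf definition.
type MsgRegisterEncryptionKey struct {
	Signer    string
	Address   string
	Recipient string
}

// Keeper stands in for the module's KVStore: account address -> recipient string.
type Keeper struct {
	store map[string]string
}

func NewKeeper() *Keeper { return &Keeper{store: map[string]string{}} }

// bech32Charset is the alphabet used by age recipient strings.
const bech32Charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

// validateRecipient checks the shape of an age X25519 recipient ("age1" plus 58
// bech32 characters, 62 in total). It deliberately does not verify the bech32
// checksum or decode the 32-byte key; a production handler should do both, so
// that clients never receive an entry they cannot parse.
func validateRecipient(r string) error {
	if len(r) != 62 || !strings.HasPrefix(r, "age1") {
		return fmt.Errorf("recipient %q is not an age X25519 recipient", r)
	}
	for _, c := range r[4:] {
		if !strings.ContainsRune(bech32Charset, c) {
			return fmt.Errorf("recipient contains non-bech32 character %q", c)
		}
	}
	return nil
}

// RegisterEncryptionKey enforces the signer rule: only the account itself may
// create or overwrite its own entry. A mismatch is rejected before any state
// is touched.
func (k *Keeper) RegisterEncryptionKey(msg MsgRegisterEncryptionKey) error {
	if msg.Signer != msg.Address {
		return errors.New("unauthorized: signer must be the account being registered")
	}
	if err := validateRecipient(msg.Recipient); err != nil {
		return err
	}
	k.store[msg.Address] = msg.Recipient // overwriting an existing entry is allowed for the owner
	return nil
}

// GetEncryptionKey is the query side the client tooling uses.
func (k *Keeper) GetEncryptionKey(addr string) (string, bool) {
	r, ok := k.store[addr]
	return r, ok
}

func main() {
	k := NewKeeper()
	// Placeholder addresses and a sample recipient string, constructed for this example.
	const alice, mallory = "acct-alice", "acct-mallory"
	const rec = "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"
	fmt.Println(k.RegisterEncryptionKey(MsgRegisterEncryptionKey{Signer: alice, Address: alice, Recipient: rec}))   // <nil>
	fmt.Println(k.RegisterEncryptionKey(MsgRegisterEncryptionKey{Signer: mallory, Address: alice, Recipient: rec})) // unauthorized
}
```

The order of the checks matters: authorization is decided before the recipient is inspected, so a third party learns nothing about the entry and a rejected transaction leaves the store untouched.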

## Client-Side Execution Flow

Uniocean provides a dedicated client CLI suite to abstract the complexities of off-chain encryption while dynamically sourcing recipient keys from the blockchain's state:

* **Key Generation:** Users generate X25519 identities locally. The private identity string is stored in the local keyring, while the corresponding public recipient string is broadcast to the chain's registry.
* **Dynamic Encryption:** To encrypt a payload for specific recipients, the client queries the E2EE module for the target addresses' registered public keys. The client parses the returned X25519 recipient strings and encrypts the file entirely off-chain.
* **Decryption:** The recipient loads their private identity from their local keyring and decrypts the ciphertext locally.

## Validator Communication Utility

The client tooling also provides an `encrypt-to-validators` utility. It queries the staking module for the current active validator set, maps each operator address to its account address, and retrieves the registered E2EE public keys in a single batch query.

This lets developers, protocol administrators, or users encrypt sensitive payloads (for example a vulnerability disclosure or private node configuration) exclusively to the active consensus participants. The tooling is fault-tolerant: validators that have not yet registered an encryption key are skipped rather than aborting the run. A skipped validator cannot read the payload, so the sender should check which validators were actually covered before treating a disclosure as delivered to the whole set.
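As an added example that serves both the client-side flow above (key generation, registry lookup, encryption, decryption) and the `encrypt-to-validators` pipeline, the following Go code implements the same steps against an in-memory stand-in for the registry. It is not the project's CLI and is not `age`-compatible. Assumptions: the registry holds raw 32-byte X25519 public keys rather than `age` recipient strings, AES-256-GCM replaces `age`'s ChaCha20-Poly1305 because it ships in Go's standard library, the envelope layout and the HKDF info label are this example's own, and the staking module's operator-to-account mapping is a plain map. What it shows is the structure a practitioner should expect: one ephemeral key per envelope, a random file key wrapped once per registered recipient, and unregistered addresses reported instead of failing the whole run.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Registry stands in for the on-chain KVStore the client queries: account
// address -> X25519 public key. Assumption: raw 32-byte keys are stored, not
// age's bech32 recipient strings, so that only the standard library is needed.
type Registry map[string][]byte

// Envelope is the off-chain ciphertext: an ephemeral X25519 public key, the
// random file key wrapped once per recipient, and the body under the file key.
type Envelope struct {
	EphemeralPub []byte
	Wrapped      map[string][]byte // recipient address -> wrapped file key
	Body         []byte
}

// GenerateIdentity is the keyring-side keypair; PublicKey().Bytes() is what gets registered.
func GenerateIdentity() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// Every AEAD key below is used for exactly one message (fresh ephemeral key and
// fresh file key per envelope), so a fixed all-zero nonce is safe; age makes the
// same argument for its file-key wrap. Reusing a key under this nonce breaks GCM.
var zeroNonce = make([]byte, 12)

// aead is AES-256-GCM; age uses ChaCha20-Poly1305, AES-GCM stands in only because it is stdlib.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapAEAD performs the X25519 agreement between priv and peer and keys an AEAD
// with HKDF-SHA256 (extract, one expand block) of the shared secret, salted with
// both public keys. The sender calls it with the ephemeral key, the recipient
// with its identity; both derive the same wrapping key.
func wrapAEAD(priv *ecdh.PrivateKey, peer, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	extract := hmac.New(sha256.New, append(append([]byte{}, ephPub...), recipientPub...))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("uniocean-e2ee-example/v1\x01")) // info label is this example's own
	return aead(expand.Sum(nil))
}

// Encrypt resolves each address through the registry and encrypts for every
// recipient that has a key; addresses without one are skipped and reported.
func Encrypt(reg Registry, addrs []string, plaintext []byte) (*Envelope, []string, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, nil, err
	}
	env := &Envelope{EphemeralPub: eph.PublicKey().Bytes(), Wrapped: map[string][]byte{}}
	var skipped []string
	for _, a := range addrs {
		raw, ok := reg[a]
		if !ok {
			skipped = append(skipped, a)
			continue
		}
		g, err := wrapAEAD(eph, raw, env.EphemeralPub, raw)
		if err != nil {
			return nil, nil, err
		}
		env.Wrapped[a] = g.Seal(nil, zeroNonce, fileKey, []byte(a)) // AAD binds the address
	}
	if len(env.Wrapped) == 0 {
		return nil, skipped, errors.New("no addressed account has registered an encryption key")
	}
	g, err := aead(fileKey)
	if err != nil {
		return nil, nil, err
	}
	env.Body = g.Seal(nil, zeroNonce, plaintext, env.EphemeralPub)
	return env, skipped, nil
}

// Decrypt runs on the recipient's machine with the identity from the keyring.
func Decrypt(id *ecdh.PrivateKey, myAddr string, env *Envelope) ([]byte, error) {
	w, ok := env.Wrapped[myAddr]
	if !ok {
		return nil, errors.New("address is not a recipient of this envelope")
	}
	g, err := wrapAEAD(id, env.EphemeralPub, env.EphemeralPub, id.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	fileKey, err := g.Open(nil, zeroNonce, w, []byte(myAddr))
	if err != nil {
		return nil, err
	}
	if g, err = aead(fileKey); err != nil {
		return nil, err
	}
	return g.Open(nil, zeroNonce, env.Body, env.EphemeralPub)
}

// EncryptToValidators feeds the staking module's operator -> account mapping
// (stubbed as a map) into Encrypt; validators with no key land in skipped.
func EncryptToValidators(reg Registry, operatorToAccount map[string]string, plaintext []byte) (*Envelope, []string, error) {
	accounts := make([]string, 0, len(operatorToAccount))
	for _, acct := range operatorToAccount {
		accounts = append(accounts, acct)
	}
	return Encrypt(reg, accounts, plaintext)
}
```

A call such as `Encrypt(reg, []string{"acct-alice", "acct-carol"}, payload)` returns the envelope plus `["acct-carol"]` in the skipped list when only alice has registered; the caller decides whether partial coverage is acceptable. Decryption by an address that has no slot in `Wrapped`, with the wrong identity, or over a tampered body fails on the AEAD tag check rather than returning garbage, and an address list in which nobody has registered is an error instead of an empty envelope.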

## Security Boundaries

This separation of concerns means the Uniocean blockchain never processes, stores, or exposes plaintext or ciphertext in its consensus rounds. The E2EE module guarantees the *authenticity* and *availability* of the public keys tied to account control; the confidentiality and integrity of the encrypted payloads depend entirely on the user's local execution environment: identity generation, keyring protection, and the off-chain encryption itself.

