Device Identity

In trueseal, identity is a keypair. That’s it.

A device generates its own identity locally on first launch without talking to anyone. The identity is two keypairs, and as far as the protocol is concerned, those keypairs are the device.

TL;DR

What identity isTwo keypairs (X25519 + Ed25519), generated locally on first launch.
What it isn’tA human, an account, portable across devices, recoverable if lost.
Who knows about itOnly the devices in your group. The relay never holds your keys.

Two keypairs, two roles

KeypairAlgorithmRole
NoiseX25519Encrypted sessions with the relay, and addressed encryption of blobs. The public key is the device’s routing address.
SigningEd25519Signs every envelope. The signing public key is what the Group Manifest tracks as the authoritative identity of a member.

Both keypairs are generated locally on first launch and never leave the device. Private keys are never transmitted, never stored on the relay, and never seen by any trueseal infrastructure.

The noise public key is fine to share. It’s published in the Group Manifest to every member, and the relay sees it as the routing target. Knowing it doesn’t grant access to anything — it just lets a sender address an encrypted blob to that device. Only the matching private key can open the blob.

No registration

There’s no step where a device tells a central authority “I exist.” No server hands out IDs. No account links multiple devices to a person. A device just generates its keypairs. Until it pairs with another device, it exists only locally — the relay has no record, the protocol has no concept of it.

Any registration system would force a server to know about your device, which puts the trust problem right back in the middle of the stack we built to avoid it.

Identity persistence

The keypairs are the device’s persistent identity. They live in the local Session State managed by trueseal-sync — an embedded SQLite database on the device — and they survive process restarts, crashes, and OS kills.

If that Session State gets wiped, on purpose or by accident, the device loses its identity. From the group’s point of view, it’s a new, unknown device. To rejoin any group it used to be in, it has to pair again.

What identity is not

Not a human. One person can have many devices, each with its own keypair. The protocol treats them as separate participants. Mapping devices to humans is the caller’s job.

Not portable. Private keys don’t leave the device. You can’t “log in” from another device. New phone, new device, fresh pairing.

Not recoverable. No password reset. No seed phrase. No recovery flow. If a private key is gone, that identity is gone with it. The device can come back as a new member of a group, but it can’t get its old identity back.