dWallet Commands

All dWallet operations are under the ika dwallet subcommand.

Shared Arguments

Several argument groups are reused across commands:

Seed Derivation Args

Commands that derive encryption keys accept these flags:

Flag	Description
`--seed-file <PATH>`	Path to a raw 32-byte seed file. Mutually exclusive with `--address`
`--address <ADDR>`	Derive seed from a specific Sui keystore address (default: active address)
`--encryption-key-index <N>`	Key derivation index (default: `0`). Used with address-based derivation
`--legacy-hash`	Use legacy V1 hash (curve byte always 0). Only needed for keys registered before the V2 hash fix

Seed derivation: When --seed-file is omitted, the seed is derived from the active Sui keystore address (or --address) using keccak256(keypair_bytes || index_le_bytes). Use --legacy-hash for encryption keys registered before the V2 hash fix (only affects non-SECP256K1 curves, since SECP256K1 has curve number 0 in both versions).

Payment Args

Flag	Description
`--ika-coin-id <ID>`	IKA coin object ID for payment. Auto-detected from wallet if omitted
`--sui-coin-id <ID>`	SUI coin object ID for payment. Uses the gas coin if omitted

Transaction Args

Flag	Description
`--gas-budget <MIST>`	Override the default gas budget
`--ika-config <PATH>`	Override the Ika network config path

`ika dwallet create`

Create a new dWallet via Distributed Key Generation (DKG). Waits for the DKG to complete on chain before returning.

ika dwallet create \
  --curve secp256k1 \
  --output-secret ./my_secret.bin

Flag	Required	Description
`--curve <CURVE>`	Yes	`secp256k1`, `secp256r1`, `ed25519`, `ristretto`
`--output-secret <PATH>`	No	Output path (default: `dwallet_secret_share.bin`)
`--public-share`	No	Create shared dWallet (public user key share)
`--sign-message <HEX>`	No	Sign during DKG
`--hash-scheme <HASH>`	No	`keccak256`, `sha256`, `double-sha256`, `sha512`, `merlin`
Seed args	No	`--seed-file`, `--address`, `--encryption-key-index`, `--legacy-hash`
Payment args	No	`--ika-coin-id`, `--sui-coin-id`
Transaction args	No	`--gas-budget`, `--ika-config`

JSON output (--json):

{
  "type": "create",
  "dwallet_id": "0x...",
  "dwallet_cap_id": "0x...",
  "public_key": "hex...",
  "secret_share_path": "/path/to/dwallet_secret_share.bin"
}

`ika dwallet sign`

Request a signature from a dWallet.

ika dwallet sign \
  --dwallet-cap-id <CAP_ID> \
  --dwallet-id <DWALLET_ID> \
  --message <HEX_MESSAGE> \
  --signature-algorithm ecdsa \
  --hash-scheme keccak256 \
  --secret-share ./my_secret.bin \
  --presign-cap-id <PRESIGN_CAP_ID> \
  --wait

Flag	Required	Description
`--dwallet-cap-id <ID>`	Yes	dWallet capability object ID
`--message <HEX>`	Yes	Message to sign (hex-encoded)
`--signature-algorithm <ALG>`	Yes	`ecdsa`, `taproot`, `eddsa`, `schnorrkel`
`--hash-scheme <HASH>`	Yes	`keccak256`, `sha256`, `double-sha256`, `sha512`, `merlin`
`--presign-cap-id <ID>`	Yes	Presign cap ID (verified or unverified — auto-verified if needed)
`--secret-share <PATH>`	No	Path to user secret share file. If omitted, decrypts from chain
`--secret-share-hex <HEX>`	No	User secret share as hex string (alternative to file)
`--presign-output <HEX>`	No	Presign output (hex). Auto-fetched from `--presign-cap-id` if omitted
`--dkg-output <HEX>`	No	DKG public output (hex). Auto-fetched from `--dwallet-id` if omitted
`--dwallet-id <ID>`	No	dWallet ID (auto-fetches curve and DKG output from chain)
`--curve <CURVE>`	No	Required if `--dwallet-id` not provided
`--wait`	No	Wait for sign session to complete and return the signature
Payment args	No	`--ika-coin-id`, `--sui-coin-id`
Transaction args	No	`--gas-budget`, `--ika-config`

Auto-detection

When --dwallet-id is provided, curve and DKG output are fetched from the dWallet object on chain. When --presign-output is omitted, it is fetched from the presign session referenced by --presign-cap-id. The presign cap is auto-verified if unverified (composed into the same transaction). Imported key dWallets are auto-detected and routed to the correct sign flow.

JSON output (--json):

Without --wait:

{
  "type": "sign",
  "digest": "base58...",
  "status": "Success",
  "sign_session_id": "0x..."
}

With --wait:

{
  "type": "sign",
  "digest": "base58...",
  "status": "Success",
  "sign_session_id": "0x...",
  "signature": "hex..."
}

`ika dwallet future-sign`

Future/conditional signing operations. Has two subcommands: create (partial signature) and fulfill (complete signature).

`ika dwallet future-sign create`

Create a partial user signature (first step of future signing).

ika dwallet future-sign create \
  --dwallet-id <DWALLET_ID> \
  --message <HEX_MESSAGE> \
  --hash-scheme sha256 \
  --presign-cap-id <PRESIGN_CAP_ID> \
  --secret-share ./my_secret.bin \
  --signature-algorithm ecdsa

Flag	Required	Description
`--dwallet-id <ID>`	Yes	dWallet object ID
`--message <HEX>`	Yes	Message to sign
`--hash-scheme <HASH>`	Yes	`keccak256`, `sha256`, `double-sha256`, `sha512`, `merlin`
`--presign-cap-id <ID>`	Yes	Verified presign cap ID
`--secret-share <PATH>`	No	Path to user secret share. If omitted, decrypts from chain
`--secret-share-hex <HEX>`	No	User secret share as hex string (alternative to file)
`--signature-algorithm <ALG>`	Yes	`ecdsa`, `taproot`, `eddsa`, `schnorrkel`
`--presign-output <HEX>`	No	Presign output (hex). Auto-fetched if omitted
`--dkg-output <HEX>`	No	DKG public output (hex). Auto-fetched if omitted
`--curve <CURVE>`	No	Override auto-detected curve
Payment args	No	`--ika-coin-id`, `--sui-coin-id`
Transaction args	No	`--gas-budget`, `--ika-config`

`ika dwallet future-sign fulfill`

Fulfill a future sign using a partial user signature cap (second step).

ika dwallet future-sign fulfill \
  --partial-cap-id <PARTIAL_CAP_ID> \
  --dwallet-cap-id <CAP_ID> \
  --message <HEX_MESSAGE> \
  --signature-algorithm ecdsa \
  --hash-scheme keccak256

Flag	Required	Description
`--partial-cap-id <ID>`	Yes	Partial user signature cap ID (from `future-sign create`)
`--dwallet-cap-id <ID>`	Yes	dWallet cap ID (for message approval)
`--dwallet-id <ID>`	Yes	dWallet ID (used to resolve curve for validation)
`--message <HEX>`	Yes	Message to sign
`--signature-algorithm <ALG>`	Yes	`ecdsa`, `taproot`, `eddsa`, `schnorrkel`
`--hash-scheme <HASH>`	Yes	`keccak256`, `sha256`, `double-sha256`, `sha512`, `merlin`
`--wait`	No	Wait for sign session to complete and return the signature
Payment args	No	`--ika-coin-id`, `--sui-coin-id`
Transaction args	No	`--gas-budget`, `--ika-config`

`ika dwallet presign`

Request a presign for a dWallet.

ika dwallet presign --dwallet-id <ID> --signature-algorithm ecdsa --count 5 --wait

Flag	Required	Description
`--dwallet-id <ID>`	Yes	dWallet object ID
`--signature-algorithm <ALG>`	Yes	`ecdsa`, `taproot`, `eddsa`, `schnorrkel`
`--count <N>`	No	Number of presigns to create in a single transaction (1-20, default: 1)
`--wait`	No	Wait for presigns to complete and auto-verify the caps
Payment args	No	`--ika-coin-id`, `--sui-coin-id`
Transaction args	No	`--gas-budget`, `--ika-config`

`ika dwallet global-presign`

Request a global presign using the network encryption key. The network encryption key is auto-fetched from the Ika coordinator.

ika dwallet global-presign --curve secp256k1 --signature-algorithm ecdsa --wait

Flag	Required	Description
`--curve <CURVE>`	Yes	`secp256k1`, `secp256r1`, `ed25519`, `ristretto`
`--signature-algorithm <ALG>`	Yes	`ecdsa`, `taproot`, `eddsa`, `schnorrkel`
`--wait`	No	Wait for presign to complete and auto-verify the cap
Payment args	No	`--ika-coin-id`, `--sui-coin-id`
Transaction args	No	`--gas-budget`, `--ika-config`

`ika dwallet import`

Import an external key as a dWallet. Requires a previously registered encryption key.

ika dwallet import \
  --curve secp256k1 \
  --secret-key ./my_external_key.bin

The secret key file format depends on the curve:

secp256k1 / secp256r1: 33 bytes (compressed public key prefix byte + 32-byte scalar)
ed25519 / ristretto: 32 bytes (raw scalar, must be a valid scalar for the curve)

Flag	Required	Description
`--curve <CURVE>`	Yes	`secp256k1`, `secp256r1`, `ed25519`, `ristretto`
`--secret-key <PATH>`	Yes	Path to the secret key file to import
`--output-secret <PATH>`	No	Where to save user secret share (default: `imported_dwallet_secret_share.bin`)
Seed args	No	`--seed-file`, `--address`, `--encryption-key-index`, `--legacy-hash`
Payment args	No	`--ika-coin-id`, `--sui-coin-id`
Transaction args	No	`--gas-budget`, `--ika-config`

`ika dwallet register-encryption-key`

Register a user encryption key for dWallet operations. Encryption keys are derived stateless from the active Sui keystore address.

ika dwallet register-encryption-key --curve secp256k1

Flag	Required	Description
`--curve <CURVE>`	Yes	`secp256k1`, `secp256r1`, `ed25519`, `ristretto`
Seed args	No	`--seed-file`, `--address`, `--encryption-key-index`, `--legacy-hash`
Transaction args	No	`--gas-budget`, `--ika-config`

`ika dwallet get-encryption-key`

Get an encryption key by its object ID.

ika dwallet get-encryption-key --encryption-key-id <ID>

Flag	Required	Description
`--encryption-key-id <ID>`	Yes	Encryption key object ID
Transaction args	No	`--gas-budget`, `--ika-config`

`ika dwallet verify-presign`

Verify a presign capability.

ika dwallet verify-presign --presign-cap-id <ID>

Flag	Required	Description
`--presign-cap-id <ID>`	Yes	Unverified presign cap ID
Transaction args	No	`--gas-budget`, `--ika-config`

Note

The sign command auto-verifies unverified presign caps. This command is only needed if you want to verify a presign cap separately.

`ika dwallet get`

Query dWallet information.

ika dwallet get --dwallet-id <ID>

Flag	Required	Description
`--dwallet-id <ID>`	Yes	dWallet object ID
Transaction args	No	`--gas-budget`, `--ika-config`

`ika dwallet pricing`

Query current pricing information.

ika dwallet pricing

Flag	Required	Description
Transaction args	No	`--gas-budget`, `--ika-config`

`ika dwallet generate-keypair`

Generate a class-groups encryption keypair offline (useful for debugging or pre-generating keys).

ika dwallet generate-keypair --curve secp256k1

Flag	Required	Description
`--curve <CURVE>`	Yes	`secp256k1`, `secp256r1`, `ed25519`, `ristretto`
Seed args	No	`--seed-file`, `--address`, `--encryption-key-index`, `--legacy-hash`

`ika dwallet list`

List dWallet capabilities owned by the active address.

ika dwallet list

Flag	Required	Description
Transaction args	No	`--gas-budget`, `--ika-config`

`ika dwallet list-presigns`

List presign caps owned by the active address, grouped by status and curve.

ika dwallet list-presigns

Flag	Required	Description
Transaction args	No	`--gas-budget`, `--ika-config`

`ika dwallet public-key`

Extract the signing public key from a dWallet.

ika dwallet public-key --dwallet-id <ID>

Flag	Required	Description
`--dwallet-id <ID>`	Yes	dWallet object ID
Transaction args	No	`--gas-budget`, `--ika-config`

`ika dwallet decrypt`

Decrypt a user secret share from the on-chain encrypted share (offline utility).

ika dwallet decrypt --dwallet-id <ID> --output-secret ./decrypted_share.bin

Flag	Required	Description
`--dwallet-id <ID>`	Yes	dWallet object ID
`--output-secret <PATH>`	No	Save decrypted secret share to this file
Seed args	No	`--seed-file`, `--address`, `--encryption-key-index`, `--legacy-hash`
Transaction args	No	`--gas-budget`, `--ika-config`

`ika dwallet epoch`

Query current network epoch.

ika dwallet epoch

Flag	Required	Description
Transaction args	No	`--gas-budget`, `--ika-config`

Make user secret key shares public (enables autonomous signing).

ika dwallet share make-public --dwallet-id <ID> --secret-share ./my_secret.bin

Flag	Required	Description
`--dwallet-id <ID>`	Yes	dWallet object ID
`--secret-share <PATH>`	No	Path to user secret share file. If omitted, decrypts from chain
`--secret-share-hex <HEX>`	No	User secret share as hex string (alternative to file)
Payment args	No	`--ika-coin-id`, `--sui-coin-id`
Transaction args	No	`--gas-budget`, `--ika-config`

Re-encrypt user share for a different encryption key.

ika dwallet share re-encrypt \
  --dwallet-id <ID> \
  --destination-address <ADDR> \
  --secret-share ./my_secret.bin \
  --source-encrypted-share-id <ID> \
  --destination-encryption-key <HEX> \
  --curve secp256k1

Flag	Required	Description
`--dwallet-id <ID>`	Yes	dWallet object ID
`--destination-address <ADDR>`	Yes	Destination address to re-encrypt for
`--secret-share <PATH>`	No	Path to user secret share file. If omitted, decrypts from chain
`--secret-share-hex <HEX>`	No	User secret share as hex string (alternative to file)
`--source-encrypted-share-id <ID>`	Yes	Source encrypted user secret key share ID
`--destination-encryption-key <HEX>`	Yes	Destination user's encryption key (hex)
`--curve <CURVE>`	Yes	`secp256k1`, `secp256r1`, `ed25519`, `ristretto`
Payment args	No	`--ika-coin-id`, `--sui-coin-id`
Transaction args	No	`--gas-budget`, `--ika-config`

Accept a re-encrypted user share.

ika dwallet share accept \
  --dwallet-id <ID> \
  --encrypted-share-id <ID> \
  --user-output-signature <HEX>

Flag	Required	Description
`--dwallet-id <ID>`	Yes	dWallet object ID
`--encrypted-share-id <ID>`	Yes	Encrypted share object ID
`--user-output-signature <HEX>`	Yes	User output signature (hex)
Transaction args	No	`--gas-budget`, `--ika-config`

On this page