How to export the private keys of my own did:plc?
#2151
The short answer is that private keys usually shouldn't ever be "exported"; new keys should be created and rotated to. In the current federation architecture, the signing key (of which there is exactly one active at a time) lives exclusively in the PDS and there are not multiple copies. There are ideas about how to have the repo signing key live offline or on a client device, and we support experimentation in that direction using atproto, but it isn't something we are likely to have time to support or document in the near future.

A separate issue is control over identity. For DID PLC there are multiple "rotation keys" which control the identity, and have the ability to change the repo signing key. It will make sense to have some of these keys in end-user control, and it is technically possible to provide alternative PLC rotation keys at account sign-up time today, if you use the API, but it is difficult and undocumented and only a handful of accounts have ever done this. The plan is to finish the API/protocol for this around the same time as full account migration.

This is a pretty critical part of delivering on our goals for user-control and autonomy in the system!
How to export the private keys of the DID connected with one's own account from the Bluesky Client App?