Public Key Configuration
Before your VASP goes live, setting up a public key is essential and mandatory. This public key will be used to encrypt PII (Personally Identifiable Information) sent from your counterpart VASP, and you will use your private key to decrypt the payload. Thanks to the Public Key Private Key Pair and encryption algorithm adopted by GTR, neither GTR nor any other intermediary can decrypt and access the plain text of transmitted PII in any way.
Entry point to configure Public Key for your VASP:
[Settings -> Public Key]
GTR Custody Key vs Self Custody Key
There are two different types of Key Management in GTR. Information security remains un-compromised regardless of the type chosen by your VASP.
GTR Custody Key
GTR Custody Key is designed for clients operating as GTR Manual Members who wish to manually initiate a Travel Rule request or respond to a received request with a few clicks on the GTR website.
With this type, your VASP only needs to set up and remember a 6-digit password. The rest of the Key Pair generation and configuration is handled by GTR.
The client's Key Pair is secured by the user-input password, which cannot be accessed or recovered by GTR or any other system.
Self Custody Key
If your VASP prefers to connect to the GTR network via API calls, the Self-Custody Key is the optimal choice. Your VASP shares the Public Key with GTR while keeping the Private Key to itself.
Generate Key Pair
On GTR, there are multiple ways to generate the Key Pair consisting of a Public Key and a Private Key.
- Create GTR-Custody Key Pair
- Create Self-Custody Key Pair in your Local Environment and upload to GTR
- Let GTR create Self-Custody Key Pair
Create GTR-Custody Key Pair
Applicable to: GTR Manual Members
Entry point: [Settings -> Public Key], and then select the "GTR Custody Key" option
Select the GTR Custody Key option, which is designed specifically for clients who aim to comply with the Travel Rule manually.
Next, set up a 6-digit AES password along with a password hint.
⚠️ This password is THE MOST IMPORTANT THING and the ONLY THING you have to keep secure and never lose. You can write it down on paper, or save it as a text file and store it on your computer or your VASP’s cloud. The bottom line is DON’T FORGET THIS PASSWORD. There is no way to recover it if lost.
What if I lose the AES Password for my VASP?
Once you confirm, the Key Pair is generated. You are free to handle the Travel Rule manually: you can enter a new Travel Rule request, or respond to any received ones. Enjoy your journey.
Upload your Self-Custody Key
Applicable to: GTR API Members
Entry point: [Settings -> Public Key], and then select the "Self Custody Key" option, and next the "Add / Upload My Owned Key"
If your VASP has the technical resources, you can of course generate the Key Pair in your local environment. Once generated, paste / upload the Public Key on GTR. Then you are ready.
The Private Key is kept by your VASP itself.
Create a Curve 25519 public key (recommended over the 2048-bit variant) and private key on your local computer to use as the VASP public key. This key allows other business users to encrypt their files before sending them to you. The keys can be changed at any time, as often as you like, with only a re-login required.
To set up a public key, navigate to the GTR Website, sign into your account, and go to [My Account] > [Settings] > [Public Key]. Add your public key to the given table. Once added, the public key takes effect immediately.
The example below shows what a Curve 25519 public key and private key look like. These keys are base64-encoded. Do not use these exact keys in your environment; they are provided purely for demonstration.
Public Key:
Sbw4m3P12A1FQlUbc/sQ68f2bimZGVVZq4fVJqX5j74=
Private Key:
eBzRhnnLIKjAHhQPVG/u6JzDh/RQjVvpe9XVX1O5Pu0=
We provide some code snippets that you can use to generate the key in your local environment; please refer to:
For Java
- Example 1 - Encryption Utils: The base wrapper
- Example 2 - Generate Public / Private Key Pair and Encryption: Generate your public key and private key; it also shows how to encrypt/decrypt the payload
For Golang
- Example 3 - Golang Encryption Example: When you execute the example, please look at "Sender's Private Key (Base64 Encoded)" and "Sender's Public Key (Base64 Encoded)"
For Python
- Example 5 - Python NaCl Example: When you execute the example, please look at "Sender Private Key" and "Sender Public Key"
*It is strongly recommended that you generate this key pair in your local environment rather than using online web tools from anonymous sources.
Create Self-Custody Key Pair on GTR
Applicable to: GTR API Members
Entry point: [Settings -> Public Key], and then select the "Self Custody Key" option, and next the "Let GTR Generate Keys for me"
Generating keys locally can be complex, so GTR offers a simpler option. By selecting the “Let GTR Generate Keys for Me” option, you can have a Key Pair created effortlessly (GTR handles all the painstaking work behind the scenes).
Once you see keys are generated and populated on the website, click on the “Download” button to save the key pair to your local device.
Finally, click on “Add Key” to configure the new public key as your VASP Public Key.
Add Private Key
Applicable to: GTR Advanced Mode clients
Entry point: [Settings -> Public Key], and then click the "Add Private Key" button
If you are a GTR Advanced Mode client and you already have a Self-Custody Key Pair, meaning your Public Key is configured on GTR while your Private Key is kept only by your VASP, there are added advantages to placing your Private Key in GTR custody:
- You can manually initiate a Travel Rule request on the Travel Rule History page.
- You can decrypt the PII payload to see the plain-text PII information, whether it was transmitted via API or manually.
Your Private Key is secured by a password you provide. This password cannot be accessed or recovered by GTR or any other system, ensuring the security of your Private Key remains uncompromised.
Once you decide to place the Private Key in GTR custody:
- You need to upload the Private Key file that is paired with the Public Key currently in use
- You need to set up a 6-digit AES password along with a password hint. This password will be required whenever you attempt to access your Private Key for decrypting transmitted PII or manually initiating a Travel Rule request.
⚠️ This password is THE MOST IMPORTANT THING and the ONLY THING you have to keep secure and never lose. You can write it down on paper, or save it as a text file and store it on your computer or your VASP’s cloud. The bottom line is DON’T FORGET THIS PASSWORD. There is no way to recover it if lost.