From 190d0e677c812967a92ca63f979555e67ecaaf44 Mon Sep 17 00:00:00 2001
From: Anthony Potdevin <31413433+apotdevin@users.noreply.github.com>
Date: Sat, 20 Jul 2024 14:22:03 -0500
Subject: [PATCH] fix: correct encryption key (#25)

* fix: correct encryption key

* refactor: params
---
 src/app/(app)/(layout)/temp/recover/page.tsx  | 100 ++++++
 src/components/button/VaultButton.tsx         |  91 +++--
 src/components/form/LoginForm.tsx             |   8 +-
 src/components/wallet/SendAddressForm.tsx     |   8 +-
 src/components/wallet/SendInvoiceForm.tsx     |   8 +-
 .../queries/__generated__/user.generated.tsx  |   2 +
 src/graphql/queries/user.ts                   |   1 +
 src/graphql/types.ts                          |  33 ++
 src/hooks/message.ts                          |   7 +-
 src/stores/keys.ts                            |  12 +-
 src/utils/crypto.ts                           |  83 ++++-
 src/views/contacts/Messages.tsx               |   8 +-
 src/views/contacts/boxes/PayMessageBox.tsx    |  19 +-
 src/views/contacts/boxes/SendMessageBox.tsx   |   8 +-
 src/views/wallet/NewWallet.tsx                |  10 +-
 src/views/wallet/RestoreWallet.tsx            |  10 +-
 src/views/wallet/Settings.tsx                 |  22 +-
 src/workers/account/account.ts                | 128 +++----
 src/workers/account/types.ts                  |  25 +-
 src/workers/crypto/crypto.ts                  | 327 ++++++++++--------
 src/workers/crypto/types.ts                   |  14 +-
 21 files changed, 594 insertions(+), 330 deletions(-)
 create mode 100644 src/app/(app)/(layout)/temp/recover/page.tsx

diff --git a/src/app/(app)/(layout)/temp/recover/page.tsx b/src/app/(app)/(layout)/temp/recover/page.tsx
new file mode 100644
index 00000000..640d2488
--- /dev/null
+++ b/src/app/(app)/(layout)/temp/recover/page.tsx
@@ -0,0 +1,100 @@
+'use client';
+
+import { hexToBytes } from '@noble/hashes/utils';
+import { nip44 } from 'nostr-tools';
+import { useCallback, useEffect, useState } from 'react';
+
+import { Button } from '@/components/ui/button';
+import { Input } from '@/components/ui/input';
+import { Label } from '@/components/ui/label';
+import { useToast } from '@/components/ui/use-toast';
+import { useUserQuery } from '@/graphql/queries/__generated__/user.generated';
+import { generateMasterKeyAndHash } from '@/utils/crypto';
+
+export default function Page() {
+  const { data } = useUserQuery();
+
+  const { toast } = useToast();
+
+  const [email, setEmail] = useState<string>('');
+  const [password, setPassword] = useState<string>('');
+  const [protectedMnemonic, setProtectedMnemonic] = useState<string>('');
+  const [mnemonic, setMnemonic] = useState<string>('');
+  const [loading, setLoading] = useState<boolean>(false);
+
+  useEffect(() => {
+    if (!!email) return;
+    if (!data?.user.email) return;
+    setEmail(data.user.email);
+  }, [data, email]);
+
+  const decrypt = useCallback(async () => {
+    if (loading) return;
+
+    setLoading(true);
+
+    try {
+      const { masterKey } = await generateMasterKeyAndHash({ email, password });
+
+      const decrypted = nip44.v2.decrypt(
+        protectedMnemonic,
+        hexToBytes(masterKey)
+      );
+
+      setMnemonic(decrypted);
+    } catch (error) {
+      toast({
+        variant: 'destructive',
+        title: 'Error decrypting.',
+        description:
+          'Check your password and email and make sure you are copying the complete encrypted mnemonic.',
+      });
+      setMnemonic('');
+    }
+
+    setLoading(false);
+  }, [email, loading, password, protectedMnemonic, toast]);
+
+  return (
+    <div className="my-4 flex flex-col gap-4">
+      <div>
+        <Label>Email</Label>
+        <Input
+          value={email}
+          onChange={value => setEmail(value.target.value)}
+          placeholder="Type your email"
+        />
+      </div>
+      <div>
+        <Label>Password</Label>
+        <Input
+          type="password"
+          autoComplete="false"
+          value={password}
+          onChange={value => setPassword(value.target.value)}
+          placeholder="Type your password"
+        />
+      </div>
+      <div>
+        <Label>Encrypted Mnemonic</Label>
+        <Input
+          value={protectedMnemonic}
+          onChange={value => setProtectedMnemonic(value.target.value)}
+          placeholder="Type your encrypted mnemonic"
+        />
+      </div>
+      <Button
+        disabled={!email || !password || !protectedMnemonic || loading}
+        onClick={() => decrypt()}
+      >
+        {!loading ? 'Decrypt' : 'Decrypting...'}
+      </Button>
+      {!!mnemonic ? (
+        <div>
+          <Label>Mnemonic</Label>
+          <Input readOnly contentEditable={'false'} value={mnemonic} />
+        </div>
+      ) : null}
+    </div>
+  );
+}
diff --git a/src/components/button/VaultButton.tsx b/src/components/button/VaultButton.tsx
index eb9edb4f..ecea448c 100644
--- a/src/components/button/VaultButton.tsx
+++ b/src/components/button/VaultButton.tsx
@@ -1,14 +1,20 @@
 'use client';
 
+import { ApolloError, useApolloClient } from '@apollo/client';
 import { zodResolver } from '@hookform/resolvers/zod';
 import { Loader2, Lock, Unlock } from 'lucide-react';
 import { FC, useEffect, useRef, useState } from 'react';
 import { useForm } from 'react-hook-form';
 import { z } from 'zod';
 
-import { useCheckPasswordMutation } from '@/graphql/mutations/__generated__/checkPassword.generated';
+import {
+  CheckPasswordDocument,
+  CheckPasswordMutation,
+  CheckPasswordMutationVariables,
+} from '@/graphql/mutations/__generated__/checkPassword.generated';
 import { useUserQuery } from '@/graphql/queries/__generated__/user.generated';
 import { useKeyStore } from '@/stores/keys';
+import { toWithError } from '@/utils/async';
 import { cn } from '@/utils/cn';
 import { handleApolloError } from '@/utils/error';
 import { WorkerMessage, WorkerResponse } from '@/workers/account/types';
@@ -42,6 +48,8 @@ const formSchema = z.object({
 const UnlockDialogContent: FC<{ callback: () => void }> = ({ callback }) => {
   const workerRef = useRef<Worker>();
 
+  const client = useApolloClient();
+
   const form = useForm<z.infer<typeof formSchema>>({
     resolver: zodResolver(formSchema),
     defaultValues: {
@@ -51,35 +59,24 @@ const UnlockDialogContent: FC<{ callback: () => void }> = ({ callback }) => {
 
   const { toast } = useToast();
 
-  const setMasterKey = useKeyStore(s => s.setMasterKey);
+  const setKeys = useKeyStore(s => s.setKeys);
 
   const [loading, setLoading] = useState(true);
-  const [tempMasterKey, setTempMasterKey] = useState('');
-
-  const { data } = useUserQuery({ errorPolicy: 'ignore' });
 
-  const [checkPassword] = useCheckPasswordMutation({
-    onCompleted: () => {
-      setMasterKey(tempMasterKey);
-      callback();
-    },
-    onError: error => {
-      const messages = handleApolloError(error);
-
-      toast({
-        variant: 'destructive',
-        title: 'Unable to unlock.',
-        description: messages.join(', '),
-      });
-
-      setTempMasterKey('');
-      form.reset();
-    },
-  });
+  const { data, loading: userLoading, error } = useUserQuery();
 
   const handleSubmit = (values: z.infer<typeof formSchema>) => {
     setLoading(true);
-    if (loading || !data?.user.email || !workerRef.current) {
+
+    if (
+      loading ||
+      userLoading ||
+      error ||
+      !data?.user.email ||
+      !data?.user.protected_symmetric_key ||
+      !workerRef.current
+    ) {
+      setLoading(false);
       return;
     }
 
@@ -88,6 +85,7 @@ const UnlockDialogContent: FC<{ callback: () => void }> = ({ callback }) => {
       payload: {
         email: data.user.email,
         password: values.password,
+        protectedSymmetricKey: data.user.protected_symmetric_key,
       },
     };
 
@@ -99,18 +97,41 @@ const UnlockDialogContent: FC<{ callback: () => void }> = ({ callback }) => {
       new URL('../../workers/account/account.ts', import.meta.url)
     );
 
-    workerRef.current.onmessage = event => {
+    workerRef.current.onmessage = async event => {
       const message: WorkerResponse = event.data;
 
       switch (message.type) {
-        case 'generateMaster':
-          setTempMasterKey(message.payload.masterKey);
-
-          checkPassword({
-            variables: { password: message.payload.masterPasswordHash },
-          });
+        case 'generateMaster': {
+          const [, error] = await toWithError(
+            client.mutate<
+              CheckPasswordMutation,
+              CheckPasswordMutationVariables
+            >({
+              mutation: CheckPasswordDocument,
+              variables: { password: message.payload.masterPasswordHash },
+            })
+          );
+
+          if (error) {
+            const messages = handleApolloError(error as ApolloError);
+
+            toast({
+              variant: 'destructive',
+              title: 'Unable to unlock.',
+              description: messages.join(', '),
+            });
+
+            form.reset();
+          } else {
+            setKeys({
+              masterKey: message.payload.masterKey,
+              protectedSymmetricKey: message.payload.protectedSymmetricKey,
+            });
+            callback();
+          }
 
           break;
+        }
 
         case 'loaded':
           setLoading(false);
@@ -128,7 +149,7 @@ const UnlockDialogContent: FC<{ callback: () => void }> = ({ callback }) => {
     return () => {
       if (workerRef.current) workerRef.current.terminate();
     };
-  }, [checkPassword]);
+  }, [client, toast, callback, form, setKeys]);
 
   return (
     <>
@@ -189,7 +210,7 @@ export const VaultButton: FC<{
   className?: string;
   size?: 'sm';
 }> = ({ lockedTitle = 'Locked', className, size }) => {
-  const masterKey = useKeyStore(s => s.masterKey);
+  const keys = useKeyStore(s => s.keys);
 
   const clearKeys = useKeyStore(s => s.clear);
 
@@ -203,7 +224,7 @@ export const VaultButton: FC<{
   return (
     <Dialog open={open} onOpenChange={setOpen}>
       <DialogTrigger asChild>
-        {!!masterKey ? (
+        {!!keys ? (
           <Button
             type="button"
             variant="outline"
@@ -226,7 +247,7 @@ export const VaultButton: FC<{
         )}
       </DialogTrigger>
       <DialogContent className="sm:max-w-md">
-        {!!masterKey ? (
+        {!!keys ? (
           <>
             <DialogHeader>
               <DialogTitle>Lock your vault</DialogTitle>
diff --git a/src/components/form/LoginForm.tsx b/src/components/form/LoginForm.tsx
index cfb1edb1..682e89cb 100644
--- a/src/components/form/LoginForm.tsx
+++ b/src/components/form/LoginForm.tsx
@@ -18,7 +18,7 @@ import {
 } from '@/components/ui/form';
 import { Input } from '@/components/ui/input';
 import { useLoginMutation } from '@/graphql/mutations/__generated__/login.generated';
-import { argon2Hash } from '@/utils/crypto';
+import { generateMasterKeyAndHash } from '@/utils/crypto';
 import { handleApolloError } from '@/utils/error';
 import { ROUTES } from '@/utils/routes';
 
@@ -72,8 +72,10 @@ export function LoginForm() {
 
     setLoading(true);
     try {
-      const masterKey = await argon2Hash(data.password, data.email);
-      const masterPasswordHash = await argon2Hash(masterKey, data.password);
+      const { masterPasswordHash } = await generateMasterKeyAndHash({
+        email: data.email,
+        password: data.password,
+      });
 
       login({
         variables: {
diff --git a/src/components/wallet/SendAddressForm.tsx b/src/components/wallet/SendAddressForm.tsx
index f26a76ae..56010d37 100644
--- a/src/components/wallet/SendAddressForm.tsx
+++ b/src/components/wallet/SendAddressForm.tsx
@@ -96,7 +96,7 @@ export const SendAddressForm: FC<{
 
   const [stateLoading, setStateLoading] = useState(false);
 
-  const masterKey = useKeyStore(s => s.masterKey);
+  const keys = useKeyStore(s => s.keys);
 
   const form = useForm<z.infer<typeof formSchema>>({
     resolver: zodResolver(formSchema),
@@ -290,7 +290,7 @@ export const SendAddressForm: FC<{
       return;
     }
 
-    if (!result.data?.pay.liquid_address || !protected_mnemonic || !masterKey) {
+    if (!result.data?.pay.liquid_address || !protected_mnemonic || !keys) {
       setStateLoading(false);
       return;
     }
@@ -307,7 +307,7 @@ export const SendAddressForm: FC<{
         mnemonic: protected_mnemonic,
         descriptor: result.data.pay.liquid_address.wallet_account.descriptor,
         pset: result.data.pay.liquid_address.base_64,
-        masterKey,
+        keys,
       },
     };
 
@@ -454,7 +454,7 @@ export const SendAddressForm: FC<{
             ) : null}
 
             <div className="flex items-center justify-center pt-2">
-              {masterKey ? (
+              {!!keys ? (
                 <Button type="submit" disabled={loading} className="w-full">
                   {loading ? (
                     <Loader2 className="mr-2 h-4 w-4 animate-spin" />
diff --git a/src/components/wallet/SendInvoiceForm.tsx b/src/components/wallet/SendInvoiceForm.tsx
index 8ca88e1d..7e939bba 100644
--- a/src/components/wallet/SendInvoiceForm.tsx
+++ b/src/components/wallet/SendInvoiceForm.tsx
@@ -117,7 +117,7 @@ export const SendInvoiceForm: FC<{
 
   const [loading, setLoading] = useState(true);
 
-  const masterKey = useKeyStore(s => s.masterKey);
+  const keys = useKeyStore(s => s.keys);
 
   const form = useForm<z.infer<typeof formSchema>>({
     resolver: zodResolver(formSchema),
@@ -231,7 +231,7 @@ export const SendInvoiceForm: FC<{
     if (
       !result.data?.pay.lightning_invoice ||
       !walletInfo.protected_mnemonic ||
-      !masterKey
+      !keys
     ) {
       setLoading(false);
       return;
@@ -249,7 +249,7 @@ export const SendInvoiceForm: FC<{
         mnemonic: walletInfo.protected_mnemonic,
         descriptor: result.data.pay.lightning_invoice.wallet_account.descriptor,
         pset: result.data.pay.lightning_invoice.base_64,
-        masterKey,
+        keys,
       },
     };
 
@@ -285,7 +285,7 @@ export const SendInvoiceForm: FC<{
             <Decoded invoice={watchInvoice[0]} />
 
             <div className="flex items-center justify-center">
-              {masterKey ? (
+              {!!keys ? (
                 <Button type="submit" disabled={loading} className="w-full">
                   {loading ? (
                     <Loader2 className="mr-2 h-4 w-4 animate-spin" />
diff --git a/src/graphql/queries/__generated__/user.generated.tsx b/src/graphql/queries/__generated__/user.generated.tsx
index 825fe026..0a8d4188 100644
--- a/src/graphql/queries/__generated__/user.generated.tsx
+++ b/src/graphql/queries/__generated__/user.generated.tsx
@@ -14,6 +14,7 @@ export type UserQuery = {
     __typename?: 'User';
     id: string;
     email: string;
+    protected_symmetric_key: string;
     default_wallet_id?: string | null;
   };
 };
@@ -23,6 +24,7 @@ export const UserDocument = gql`
     user {
       id
       email
+      protected_symmetric_key
       default_wallet_id
     }
   }
diff --git a/src/graphql/queries/user.ts b/src/graphql/queries/user.ts
index 0c134889..84d0403f 100644
--- a/src/graphql/queries/user.ts
+++ b/src/graphql/queries/user.ts
@@ -5,6 +5,7 @@ export const User = gql`
     user {
       id
       email
+      protected_symmetric_key
       default_wallet_id
     }
   }
diff --git a/src/graphql/types.ts b/src/graphql/types.ts
index 9b603e49..605c2910 100644
--- a/src/graphql/types.ts
+++ b/src/graphql/types.ts
@@ -29,6 +29,12 @@ export type Scalars = {
   Float: { input: number; output: number };
 };
 
+export type AmbossInfo = {
+  __typename?: 'AmbossInfo';
+  id: Scalars['String']['output'];
+  referral_codes: Array<ReferralCode>;
+};
+
 export type BroadcastLiquidTransaction = {
   __typename?: 'BroadcastLiquidTransaction';
   tx_id: Scalars['String']['output'];
@@ -181,6 +187,16 @@ export type LnUrlCurrency = {
   variable_fee_percentage: Scalars['String']['output'];
 };
 
+export type LnUrlInfo = {
+  __typename?: 'LnUrlInfo';
+  id: Scalars['String']['output'];
+  payment_options: Array<LnUrlCurrency>;
+};
+
+export type LnUrlInfoInput = {
+  money_address: Scalars['String']['input'];
+};
+
 export type LoginInput = {
   email: Scalars['String']['input'];
   master_password_hash: Scalars['String']['input'];
@@ -280,9 +296,14 @@ export type PayNetworkSwapInput = {
 
 export type PayQueries = {
   __typename?: 'PayQueries';
+  lnurl_info: LnUrlInfo;
   network_swap_quote: SwapQuote;
 };
 
+export type PayQueriesLnurl_InfoArgs = {
+  input: LnUrlInfoInput;
+};
+
 export type PayQueriesNetwork_Swap_QuoteArgs = {
   input: SwapQuoteInput;
 };
@@ -322,6 +343,15 @@ export type ReceiveSwapInput = {
   wallet_account_id: Scalars['String']['input'];
 };
 
+export type ReferralCode = {
+  __typename?: 'ReferralCode';
+  code: Scalars['String']['output'];
+  current_uses: Scalars['Float']['output'];
+  id: Scalars['String']['output'];
+  is_available: Scalars['Boolean']['output'];
+  max_allowed_uses: Scalars['Float']['output'];
+};
+
 export type RefreshToken = {
   __typename?: 'RefreshToken';
   access_token: Scalars['String']['output'];
@@ -363,6 +393,7 @@ export type SignUpInput = {
   master_password_hash: Scalars['String']['input'];
   password_hint?: InputMaybe<Scalars['String']['input']>;
   protected_symmetric_key: Scalars['String']['input'];
+  referral_code?: InputMaybe<Scalars['String']['input']>;
   secp256k1_key_pair: Secp256k1KeyPairInput;
   wallet?: InputMaybe<CreateWalletInput>;
 };
@@ -426,9 +457,11 @@ export type SwapQuoteInput = {
 
 export type User = {
   __typename?: 'User';
+  amboss?: Maybe<AmbossInfo>;
   default_wallet_id?: Maybe<Scalars['String']['output']>;
   email: Scalars['String']['output'];
   id: Scalars['String']['output'];
+  protected_symmetric_key: Scalars['String']['output'];
   swap_info: UserSwapInfo;
 };
 
diff --git a/src/hooks/message.ts b/src/hooks/message.ts
index 72fe50a9..ca2b21d6 100644
--- a/src/hooks/message.ts
+++ b/src/hooks/message.ts
@@ -9,6 +9,7 @@ import {
   SendMessageMutationVariables,
 } from '@/graphql/mutations/__generated__/contact.generated';
 import { GetWalletContactMessagesDocument } from '@/graphql/queries/__generated__/contacts.generated';
+import { KeysType } from '@/stores/keys';
 import { toWithError } from '@/utils/async';
 import { LOCALSTORAGE_KEYS } from '@/utils/constants';
 import { handleApolloError } from '@/utils/error';
@@ -100,14 +101,14 @@ export const useSendMessage = (cbk: () => void) => {
 
   const sendMessage = async ({
     contact_id,
-    masterKey,
+    keys,
     protectedPrivateKey,
     receiver_pubkey,
     receiver_money_address,
     message,
   }: {
     contact_id: string;
-    masterKey: string;
+    keys: KeysType;
     protectedPrivateKey: string;
     receiver_pubkey: string | undefined | null;
     receiver_money_address: string;
@@ -123,7 +124,7 @@ export const useSendMessage = (cbk: () => void) => {
         payload: {
           contact_id,
           protectedPrivateKey,
-          masterKey,
+          keys,
           receiver_pubkey,
           receiver_money_address,
           message,
diff --git a/src/stores/keys.ts b/src/stores/keys.ts
index 23c7a378..11b916f1 100644
--- a/src/stores/keys.ts
+++ b/src/stores/keys.ts
@@ -1,13 +1,15 @@
 import { create } from 'zustand';
 
+export type KeysType = { masterKey: string; protectedSymmetricKey: string };
+
 type KeyState = {
-  masterKey: string | undefined;
-  setMasterKey: (masterKey: string) => void;
+  keys: KeysType | undefined;
+  setKeys: (keys: KeysType) => void;
   clear: () => void;
 };
 
 export const useKeyStore = create<KeyState>()(set => ({
-  masterKey: undefined,
-  setMasterKey: (masterKey: string) => set({ masterKey }),
-  clear: () => set({ masterKey: undefined }),
+  keys: undefined,
+  setKeys: (keys: KeysType) => set({ keys }),
+  clear: () => set({ keys: undefined }),
 }));
diff --git a/src/utils/crypto.ts b/src/utils/crypto.ts
index 47c9dcff..32edc19b 100644
--- a/src/utils/crypto.ts
+++ b/src/utils/crypto.ts
@@ -5,6 +5,8 @@ import { wordlist } from '@scure/bip39/wordlists/english';
 import argon2 from 'argon2-browser';
 import { nip44 } from 'nostr-tools';
 
+import { KeysType } from '@/stores/keys';
+
 export const ARGON_DEFAULTS = {
   hash_length: 32,
   iterations: 3,
@@ -28,7 +30,30 @@ export const uint8arrayToUtf8 = (str: Uint8Array): string => {
   return decoder.decode(str);
 };
 
-export const secp256k1GenerateProtectedKeyPair = (masterKey: string) => {
+export const generateMasterKeyAndHash = async ({
+  email,
+  password,
+}: {
+  email: string;
+  password: string;
+}): Promise<{ masterKey: string; masterPasswordHash: string }> => {
+  const masterKey = await argon2Hash({ key: password, salt: email });
+  const masterPasswordHash = await argon2Hash({
+    key: masterKey,
+    salt: password,
+  });
+
+  return {
+    masterKey,
+    masterPasswordHash,
+  };
+};
+
+export const secp256k1GenerateProtectedKeyPair = ({
+  symmetricKey,
+}: {
+  symmetricKey: string;
+}) => {
   const privateKey = utils.randomPrivateKey();
   const publicKey = getPublicKey(privateKey);
 
@@ -36,7 +61,7 @@ export const secp256k1GenerateProtectedKeyPair = (masterKey: string) => {
 
   const protectedPrivateKey = nip44.v2.encrypt(
     privateKeyHex,
-    hexToBytes(masterKey)
+    hexToBytes(symmetricKey)
   );
 
   return {
@@ -45,9 +70,16 @@ export const secp256k1GenerateProtectedKeyPair = (masterKey: string) => {
   };
 };
 
-export const generateNewMnemonic = (masterKey: string) => {
+export const generateNewMnemonic = ({
+  symmetricKey,
+}: {
+  symmetricKey: string;
+}) => {
   const mnemonic = generateMnemonic(wordlist);
-  const protectedMnemonic = nip44.v2.encrypt(mnemonic, hexToBytes(masterKey));
+  const protectedMnemonic = nip44.v2.encrypt(
+    mnemonic,
+    hexToBytes(symmetricKey)
+  );
 
   return {
     mnemonic,
@@ -55,8 +87,17 @@ export const generateNewMnemonic = (masterKey: string) => {
   };
 };
 
-export const restoreMnemonic = (mnemonic: string, masterKey: string) => {
-  const protectedMnemonic = nip44.v2.encrypt(mnemonic, hexToBytes(masterKey));
+export const restoreMnemonic = ({
+  mnemonic,
+  symmetricKey,
+}: {
+  mnemonic: string;
+  symmetricKey: string;
+}) => {
+  const protectedMnemonic = nip44.v2.encrypt(
+    mnemonic,
+    hexToBytes(symmetricKey)
+  );
 
   return {
     mnemonic,
@@ -64,10 +105,13 @@ export const restoreMnemonic = (mnemonic: string, masterKey: string) => {
   };
 };
 
-export const argon2Hash = async (
-  key: string,
-  salt: string
-): Promise<string> => {
+export const argon2Hash = async ({
+  key,
+  salt,
+}: {
+  key: string;
+  salt: string;
+}): Promise<string> => {
   const hashedPasswordHash = await argon2.hash({
     pass: key,
     salt,
@@ -81,13 +125,24 @@ export const argon2Hash = async (
   return hashedPasswordHash.hashHex;
 };
 
-export const createProtectedSymmetricKey = (masterKey: string): string => {
-  const symmetricKey = Buffer.from(randomBytes(64));
+export const createProtectedSymmetricKey = ({
+  masterKey,
+}: {
+  masterKey: string;
+}): { symmetricKey: string; protectedSymmetricKey: string } => {
+  const symmetricKey = Buffer.from(randomBytes(64)).toString('hex');
 
   const protectedSymmetricKey = nip44.v2.encrypt(
-    symmetricKey.toString('hex'),
+    symmetricKey,
     hexToBytes(masterKey)
   );
 
-  return protectedSymmetricKey;
+  return { symmetricKey, protectedSymmetricKey };
+};
+
+export const decryptSymmetricKey = (keys: KeysType): string => {
+  return nip44.v2.decrypt(
+    keys.protectedSymmetricKey,
+    hexToBytes(keys.masterKey)
+  );
 };
diff --git a/src/views/contacts/Messages.tsx b/src/views/contacts/Messages.tsx
index be73cbb6..69552152 100644
--- a/src/views/contacts/Messages.tsx
+++ b/src/views/contacts/Messages.tsx
@@ -34,7 +34,7 @@ export const Messages = () => {
 
   const [workerLoaded, setWorkerLoaded] = useState<boolean>(false);
 
-  const masterKey = useKeyStore(s => s.masterKey);
+  const keys = useKeyStore(s => s.keys);
 
   const [value] = useLocalStorage(LOCALSTORAGE_KEYS.currentWalletId, '');
 
@@ -69,7 +69,7 @@ export const Messages = () => {
   }, [messages]);
 
   useEffect(() => {
-    if (!masterKey) return;
+    if (!keys) return;
     if (!workerLoaded) return;
     if (loading || error) return;
     if (!data?.wallets.find_one.contacts.find_one.messages.length) return;
@@ -80,7 +80,7 @@ export const Messages = () => {
       const workerMessage: CryptoWorkerMessage = {
         type: 'decryptMessages',
         payload: {
-          masterKey,
+          keys,
           messages: contacts.find_one.messages,
           protectedPrivateKey:
             secp256k1_key_pair.protected_encryption_private_key,
@@ -89,7 +89,7 @@ export const Messages = () => {
 
       workerRef.current.postMessage(workerMessage);
     }
-  }, [loading, error, data, workerLoaded, masterKey]);
+  }, [loading, error, data, workerLoaded, keys]);
 
   useEffect(() => {
     workerRef.current = new Worker(
diff --git a/src/views/contacts/boxes/PayMessageBox.tsx b/src/views/contacts/boxes/PayMessageBox.tsx
index 7bf218ca..a1b6af9f 100644
--- a/src/views/contacts/boxes/PayMessageBox.tsx
+++ b/src/views/contacts/boxes/PayMessageBox.tsx
@@ -74,7 +74,7 @@ export const PayMessageBox: FC<{
 
   const [loading, setLoading] = useState<boolean>(false);
 
-  const masterKey = useKeyStore(s => s.masterKey);
+  const keys = useKeyStore(s => s.keys);
   const currentContact = useContactStore(s => s.currentContact);
 
   const setCurrentPaymentOption = useChat(s => s.setCurrentPaymentOption);
@@ -193,7 +193,7 @@ export const PayMessageBox: FC<{
     if (
       !result.data?.pay.money_address ||
       !walletInfo.protected_mnemonic ||
-      !masterKey
+      !keys
     ) {
       setLoading(false);
       return;
@@ -211,7 +211,7 @@ export const PayMessageBox: FC<{
         mnemonic: walletInfo.protected_mnemonic,
         descriptor: result.data.pay.money_address.wallet_account.descriptor,
         pset: result.data.pay.money_address.base_64,
-        masterKey,
+        keys,
       },
     };
 
@@ -261,12 +261,7 @@ export const PayMessageBox: FC<{
             description: `Money has been sent to this contact.`,
           });
 
-          if (
-            !currentContact?.id ||
-            !masterKey ||
-            !money_address ||
-            !currentAsset
-          ) {
+          if (!currentContact?.id || !keys || !money_address || !currentAsset) {
             cbk();
             return;
           }
@@ -286,7 +281,7 @@ export const PayMessageBox: FC<{
           sendMessage({
             contact_id: currentContact.id,
             protectedPrivateKey: protected_encryption_private_key,
-            masterKey,
+            keys,
             receiver_pubkey: encryption_pubkey,
             receiver_money_address: money_address,
             message: `${fiatAmount} (${amount})`,
@@ -308,7 +303,7 @@ export const PayMessageBox: FC<{
     client,
     toast,
     currentContact,
-    masterKey,
+    keys,
     sendMessage,
     encryption_pubkey,
     money_address,
@@ -450,7 +445,7 @@ export const PayMessageBox: FC<{
         <div className="flex items-center p-3 pt-0">
           {iconOptions}
 
-          {masterKey ? (
+          {!!keys ? (
             <Button
               type="submit"
               disabled={isLoading || !currentPaymentOption || !inputValue}
diff --git a/src/views/contacts/boxes/SendMessageBox.tsx b/src/views/contacts/boxes/SendMessageBox.tsx
index 457dc71d..b36b007c 100644
--- a/src/views/contacts/boxes/SendMessageBox.tsx
+++ b/src/views/contacts/boxes/SendMessageBox.tsx
@@ -27,7 +27,7 @@ export const SendMessageBox: FC<{ iconOptions?: ReactNode }> = ({
 
   const { toast } = useToast();
 
-  const masterKey = useKeyStore(s => s.masterKey);
+  const keys = useKeyStore(s => s.keys);
 
   const currentContact = useContactStore(s => s.currentContact);
 
@@ -62,7 +62,7 @@ export const SendMessageBox: FC<{ iconOptions?: ReactNode }> = ({
       return;
     }
 
-    if (!masterKey) {
+    if (!keys) {
       toast({
         variant: 'destructive',
         title: 'Vault Locked',
@@ -87,7 +87,7 @@ export const SendMessageBox: FC<{ iconOptions?: ReactNode }> = ({
       protectedPrivateKey:
         data.wallets.find_one.secp256k1_key_pair
           .protected_encryption_private_key,
-      masterKey,
+      keys,
       receiver_pubkey:
         data.wallets.find_one.contacts.find_one.encryption_pubkey,
       receiver_money_address:
@@ -116,7 +116,7 @@ export const SendMessageBox: FC<{ iconOptions?: ReactNode }> = ({
       <div className="flex items-center p-3 pt-0">
         {iconOptions}
 
-        {masterKey ? (
+        {!!keys ? (
           <Button
             type="submit"
             disabled={isLoading || !message}
diff --git a/src/views/wallet/NewWallet.tsx b/src/views/wallet/NewWallet.tsx
index a013e505..6afa26a1 100644
--- a/src/views/wallet/NewWallet.tsx
+++ b/src/views/wallet/NewWallet.tsx
@@ -40,7 +40,7 @@ const NewWalletButton = () => {
   const workerRef = useRef<Worker>();
   const { push } = useRouter();
 
-  const masterKey = useKeyStore(s => s.masterKey);
+  const keys = useKeyStore(s => s.keys);
 
   const [createWallet, { loading: createLoading }] = useCreateWalletMutation({
     onCompleted: data => {
@@ -72,7 +72,7 @@ const NewWalletButton = () => {
 
   const handleCreate = async () => {
     if (isLoading) return;
-    if (!masterKey) {
+    if (!keys) {
       return;
     }
 
@@ -82,7 +82,7 @@ const NewWalletButton = () => {
       const message: CryptoWorkerMessage = {
         type: 'newWallet',
         payload: {
-          masterKey,
+          keys,
         },
       };
 
@@ -141,9 +141,9 @@ const NewWalletButton = () => {
 };
 
 export function NewWallet() {
-  const masterKey = useKeyStore(s => s.masterKey);
+  const keys = useKeyStore(s => s.keys);
 
-  if (!masterKey) {
+  if (!keys) {
     return (
       <div>
         <h1 className="mx-2 mb-2 font-semibold">Create New Wallet</h1>
diff --git a/src/views/wallet/RestoreWallet.tsx b/src/views/wallet/RestoreWallet.tsx
index 869af16d..23ded887 100644
--- a/src/views/wallet/RestoreWallet.tsx
+++ b/src/views/wallet/RestoreWallet.tsx
@@ -75,7 +75,7 @@ const RestoreWalletButton = () => {
     },
   });
 
-  const masterKey = useKeyStore(s => s.masterKey);
+  const keys = useKeyStore(s => s.keys);
 
   const [createWallet, { loading: createLoading }] = useCreateWalletMutation({
     onCompleted: data => {
@@ -107,7 +107,7 @@ const RestoreWalletButton = () => {
 
   const handleSubmit = async (formData: z.infer<typeof formSchema>) => {
     if (isLoading) return;
-    if (!masterKey || !formData.mnemonic) {
+    if (!keys || !formData.mnemonic) {
       return;
     }
 
@@ -118,7 +118,7 @@ const RestoreWalletButton = () => {
         type: 'restoreWallet',
         payload: {
           mnemonic: formData.mnemonic,
-          masterKey,
+          keys,
         },
       };
 
@@ -215,9 +215,9 @@ const RestoreWalletButton = () => {
 };
 
 export function RestoreWallet() {
-  const masterKey = useKeyStore(s => s.masterKey);
+  const keys = useKeyStore(s => s.keys);
 
-  if (!masterKey) {
+  if (!keys) {
     return (
       <div>
         <h1 className="mx-4 mb-2 font-semibold">Restore Wallet</h1>
diff --git a/src/views/wallet/Settings.tsx b/src/views/wallet/Settings.tsx
index 14ca6ece..48f9d151 100644
--- a/src/views/wallet/Settings.tsx
+++ b/src/views/wallet/Settings.tsx
@@ -114,7 +114,7 @@ const WalletMnemonic: FC<{ walletId: string }> = ({ walletId }) => {
   const [protectedMnemonic, setProtectedMnemonic] = useState('');
   const [mnemonic, setMnemonic] = useState('');
 
-  const masterKey = useKeyStore(s => s.masterKey);
+  const keys = useKeyStore(s => s.keys);
 
   const { data, loading: walletLoading } = useGetWalletDetailsQuery({
     variables: { id: walletId },
@@ -141,6 +141,14 @@ const WalletMnemonic: FC<{ walletId: string }> = ({ walletId }) => {
       switch (message.type) {
         case 'decryptMnemonic':
           setMnemonic(message.payload.mnemonic);
+          break;
+        case 'error':
+          toast({
+            variant: 'destructive',
+            title: 'Error decrypting mnemonic.',
+            description: `Please reach out to support. ${message.msg}`,
+          });
+
           break;
       }
 
@@ -158,7 +166,7 @@ const WalletMnemonic: FC<{ walletId: string }> = ({ walletId }) => {
   }, []);
 
   const handleDecrypt = () => {
-    if (!masterKey) return;
+    if (!keys) return;
     if (!data?.wallets.find_one.details.protected_mnemonic) return;
 
     setLoading(true);
@@ -168,7 +176,7 @@ const WalletMnemonic: FC<{ walletId: string }> = ({ walletId }) => {
         type: 'decryptMnemonic',
         payload: {
           protectedMnemonic: data.wallets.find_one.details.protected_mnemonic,
-          masterKey,
+          keys,
         },
       };
 
@@ -190,12 +198,12 @@ const WalletMnemonic: FC<{ walletId: string }> = ({ walletId }) => {
             readOnly
             defaultValue={protectedMnemonic}
           />
-          {!masterKey ? (
+          {!keys ? (
             <VaultButton lockedTitle="Unlock to Decrypt" />
           ) : (
             <Button
               className="w-40"
-              disabled={loading || !!mnemonic || !masterKey}
+              disabled={loading || !!mnemonic || !keys}
               onClick={() => handleDecrypt()}
             >
               Decrypt
@@ -214,7 +222,7 @@ const WalletMnemonic: FC<{ walletId: string }> = ({ walletId }) => {
             placeholder="Clear text Mnemonic"
           />
           <Button
-            disabled={loading || !mnemonic || !masterKey}
+            disabled={loading || !mnemonic || !keys}
             onClick={() => copyMnemonic(mnemonic)}
             size={'icon'}
             className="px-2"
@@ -228,7 +236,7 @@ const WalletMnemonic: FC<{ walletId: string }> = ({ walletId }) => {
           </Button>
           <Button
             className="w-40"
-            disabled={loading || !mnemonic || !masterKey}
+            disabled={loading || !mnemonic || !keys}
             onClick={() => setMnemonic('')}
           >
             Clear Memory
diff --git a/src/workers/account/account.ts b/src/workers/account/account.ts
index 4b89d4ff..ba801a54 100644
--- a/src/workers/account/account.ts
+++ b/src/workers/account/account.ts
@@ -1,16 +1,11 @@
 import {
-  argon2Hash,
   createProtectedSymmetricKey,
+  generateMasterKeyAndHash,
   secp256k1GenerateProtectedKeyPair,
 } from '@/utils/crypto';
 
 import { createNewWallet } from '../crypto/crypto';
-import {
-  CreateAccountResult,
-  GenerateMasterKeyAndHashResult,
-  WorkerMessage,
-  WorkerResponse,
-} from './types';
+import { CreateAccountResult, WorkerMessage, WorkerResponse } from './types';
 
 async function generateAccount(
   email: string,
@@ -18,15 +13,20 @@ async function generateAccount(
   password_hint?: string,
   referral_code?: string
 ): Promise<CreateAccountResult> {
-  const masterKey = await argon2Hash(password, email);
-  const masterPasswordHash = await argon2Hash(masterKey, password);
+  const { masterKey, masterPasswordHash } = await generateMasterKeyAndHash({
+    email,
+    password,
+  });
 
-  const protectedSymmetricKey = createProtectedSymmetricKey(masterKey);
+  const { symmetricKey, protectedSymmetricKey } = createProtectedSymmetricKey({
+    masterKey,
+  });
 
-  const { publicKey, protectedPrivateKey } =
-    secp256k1GenerateProtectedKeyPair(masterKey);
+  const { publicKey, protectedPrivateKey } = secp256k1GenerateProtectedKeyPair({
+    symmetricKey,
+  });
 
-  const wallet = await createNewWallet(masterKey);
+  const wallet = await createNewWallet({ symmetricKey });
 
   return {
     email,
@@ -42,64 +42,72 @@ async function generateAccount(
   };
 }
 
-async function generateMasterKeyAndHash(
-  email: string,
-  password: string
-): Promise<GenerateMasterKeyAndHashResult> {
-  const masterKey = await argon2Hash(password, email);
-  const masterPasswordHash = await argon2Hash(masterKey, password);
-
-  return {
-    masterKey,
-    masterPasswordHash,
-  };
-}
-
 self.onmessage = async e => {
   const message: WorkerMessage = e.data;
-  switch (message.type) {
-    case 'create': {
-      const {
-        payload: { email, password, password_hint, referral_code },
-      } = message;
-
-      const accountParams = await generateAccount(
-        email,
-        password,
-        password_hint,
-        referral_code
-      );
-
-      const response: WorkerResponse = {
-        type: 'create',
-        payload: accountParams,
-      };
 
-      self.postMessage(response);
+  try {
+    switch (message.type) {
+      case 'create': {
+        const {
+          payload: { email, password, password_hint, referral_code },
+        } = message;
 
-      break;
-    }
+        const accountParams = await generateAccount(
+          email,
+          password,
+          password_hint,
+          referral_code
+        );
 
-    case 'generateMaster': {
-      const {
-        payload: { email, password },
-      } = message;
+        const response: WorkerResponse = {
+          type: 'create',
+          payload: accountParams,
+        };
 
-      const result = await generateMasterKeyAndHash(email, password);
+        self.postMessage(response);
 
-      const response: WorkerResponse = {
-        type: 'generateMaster',
-        payload: result,
-      };
+        break;
+      }
+
+      case 'generateMaster': {
+        const {
+          payload: { email, password, protectedSymmetricKey },
+        } = message;
+
+        const result = await generateMasterKeyAndHash({ email, password });
+
+        const response: WorkerResponse = {
+          type: 'generateMaster',
+          payload: { ...result, protectedSymmetricKey },
+        };
+
+        self.postMessage(response);
 
-      self.postMessage(response);
+        break;
+      }
 
-      break;
+      default:
+        console.error('Unhandled message type:', e.data.type);
+        break;
+    }
+  } catch (error) {
+    console.error(error);
+
+    let response: WorkerResponse;
+
+    if (error instanceof Error) {
+      response = {
+        type: 'error',
+        msg: error.message,
+      };
+    } else {
+      response = {
+        type: 'error',
+        msg: 'Unknown error',
+      };
     }
 
-    default:
-      console.error('Unhandled message type:', e.data.type);
-      break;
+    self.postMessage(response);
   }
 };
 
diff --git a/src/workers/account/types.ts b/src/workers/account/types.ts
index 74ff2d26..9e48ce03 100644
--- a/src/workers/account/types.ts
+++ b/src/workers/account/types.ts
@@ -7,11 +7,6 @@ export type CreateAccount = {
   referral_code?: string;
 };
 
-export type GenerateMasterKeyAndHash = {
-  email: string;
-  password: string;
-};
-
 export type WorkerMessage =
   | {
       type: 'create';
@@ -19,7 +14,11 @@ export type WorkerMessage =
     }
   | {
       type: 'generateMaster';
-      payload: GenerateMasterKeyAndHash;
+      payload: {
+        email: string;
+        password: string;
+        protectedSymmetricKey: string;
+      };
     };
 
 export type CreateAccountResult = {
@@ -35,11 +34,6 @@ export type CreateAccountResult = {
   wallet: CryptoNewWalletPayload;
 };
 
-export type GenerateMasterKeyAndHashResult = {
-  masterKey: string;
-  masterPasswordHash: string;
-};
-
 export type WorkerResponse =
   | {
       type: 'create';
@@ -47,6 +41,11 @@ export type WorkerResponse =
     }
   | {
       type: 'generateMaster';
-      payload: GenerateMasterKeyAndHashResult;
+      payload: {
+        masterKey: string;
+        masterPasswordHash: string;
+        protectedSymmetricKey: string;
+      };
     }
-  | { type: 'loaded' };
+  | { type: 'loaded' }
+  | { type: 'error'; msg: string };
diff --git a/src/workers/crypto/crypto.ts b/src/workers/crypto/crypto.ts
index b623dc3b..2df98bca 100644
--- a/src/workers/crypto/crypto.ts
+++ b/src/workers/crypto/crypto.ts
@@ -13,6 +13,7 @@ import { Event, nip44 } from 'nostr-tools';
 import { toWithError } from '@/utils/async';
 import {
   bufToHex,
+  decryptSymmetricKey,
   generateNewMnemonic,
   hexToUint8Array,
   restoreMnemonic,
@@ -26,13 +27,16 @@ import {
   CryptoWorkerResponse,
 } from './types';
 
-export const createNewWallet = async (
-  masterKey: string
-): Promise<CryptoNewWalletPayload> => {
-  const { mnemonic, protectedMnemonic } = generateNewMnemonic(masterKey);
+export const createNewWallet = async ({
+  symmetricKey,
+}: {
+  symmetricKey: string;
+}): Promise<CryptoNewWalletPayload> => {
+  const { mnemonic, protectedMnemonic } = generateNewMnemonic({ symmetricKey });
 
-  const { publicKey, protectedPrivateKey } =
-    secp256k1GenerateProtectedKeyPair(masterKey);
+  const { publicKey, protectedPrivateKey } = secp256k1GenerateProtectedKeyPair({
+    symmetricKey,
+  });
 
   const liquidDescriptor = await generateLiquidDescriptor(mnemonic);
 
@@ -75,191 +79,222 @@ const signPset = (mnemonic: string, descriptor: string, pset: string) => {
 self.onmessage = async e => {
   const message: CryptoWorkerMessage = e.data;
 
-  switch (message.type) {
-    case 'newWallet': {
-      const { masterKey } = message.payload;
+  try {
+    switch (message.type) {
+      case 'newWallet': {
+        const { keys } = message.payload;
 
-      const payload = await createNewWallet(masterKey);
+        const symmetricKey = decryptSymmetricKey(keys);
 
-      const response: CryptoWorkerResponse = {
-        type: 'newWallet',
-        payload,
-      };
+        const payload = await createNewWallet({ symmetricKey });
 
-      self.postMessage(response);
+        const response: CryptoWorkerResponse = {
+          type: 'newWallet',
+          payload,
+        };
 
-      break;
-    }
+        self.postMessage(response);
+
+        break;
+      }
+
+      case 'restoreWallet': {
+        const { keys } = message.payload;
 
-    case 'restoreWallet': {
-      const { masterKey } = message.payload;
+        const symmetricKey = decryptSymmetricKey(keys);
 
-      const { mnemonic, protectedMnemonic } = restoreMnemonic(
-        message.payload.mnemonic,
-        masterKey
-      );
+        const { mnemonic, protectedMnemonic } = restoreMnemonic({
+          mnemonic: message.payload.mnemonic,
+          symmetricKey,
+        });
+
+        const { publicKey, protectedPrivateKey } =
+          secp256k1GenerateProtectedKeyPair({ symmetricKey });
+
+        const [liquidDescriptor, error] = await toWithError(
+          generateLiquidDescriptor(mnemonic)
+        );
+
+        if (error) {
+          self.postMessage({ type: 'error', msg: error });
+        } else {
+          const response: CryptoWorkerResponse = {
+            type: 'newWallet',
+            payload: {
+              protectedMnemonic: protectedMnemonic,
+              liquidDescriptor,
+              secp256k1_key_pair: {
+                public_key: publicKey,
+                protected_private_key: protectedPrivateKey,
+              },
+            },
+          };
+
+          self.postMessage(response);
+        }
+
+        break;
+      }
 
-      const { publicKey, protectedPrivateKey } =
-        secp256k1GenerateProtectedKeyPair(masterKey);
+      case 'signPset': {
+        const { descriptor, keys, pset, wallet_account_id } = message.payload;
 
-      const [liquidDescriptor, error] = await toWithError(
-        generateLiquidDescriptor(mnemonic)
-      );
+        const symmetricKey = decryptSymmetricKey(keys);
+
+        const unprotectedMnemonic = nip44.v2.decrypt(
+          message.payload.mnemonic,
+          hexToBytes(symmetricKey)
+        );
+
+        const signedPset = signPset(
+          Buffer.from(unprotectedMnemonic).toString('utf-8'),
+          descriptor,
+          pset
+        );
 
-      if (error) {
-        self.postMessage({ type: 'error', msg: error });
-      } else {
         const response: CryptoWorkerResponse = {
-          type: 'newWallet',
+          type: 'signPset',
           payload: {
-            protectedMnemonic: protectedMnemonic,
-            liquidDescriptor,
-            secp256k1_key_pair: {
-              public_key: publicKey,
-              protected_private_key: protectedPrivateKey,
-            },
+            wallet_account_id,
+            signedPset,
           },
         };
 
         self.postMessage(response);
+
+        break;
       }
 
-      break;
-    }
+      case 'decryptMnemonic': {
+        const { protectedMnemonic, keys } = message.payload;
 
-    case 'signPset': {
-      const { descriptor, masterKey, pset, wallet_account_id } =
-        message.payload;
-
-      const unprotectedMnemonic = nip44.v2.decrypt(
-        message.payload.mnemonic,
-        hexToBytes(masterKey)
-      );
-
-      const signedPset = signPset(
-        Buffer.from(unprotectedMnemonic).toString('utf-8'),
-        descriptor,
-        pset
-      );
-
-      const response: CryptoWorkerResponse = {
-        type: 'signPset',
-        payload: {
-          wallet_account_id,
-          signedPset,
-        },
-      };
+        const symmetricKey = decryptSymmetricKey(keys);
 
-      self.postMessage(response);
+        const unprotectedMnemonic = nip44.v2.decrypt(
+          protectedMnemonic,
+          hexToBytes(symmetricKey)
+        );
 
-      break;
-    }
+        const response: CryptoWorkerResponse = {
+          type: 'decryptMnemonic',
+          payload: {
+            mnemonic: Buffer.from(unprotectedMnemonic).toString('utf-8'),
+          },
+        };
+
+        self.postMessage(response);
 
-    case 'decryptMnemonic': {
-      const { protectedMnemonic, masterKey } = message.payload;
+        break;
+      }
 
-      const unprotectedMnemonic = nip44.v2.decrypt(
-        protectedMnemonic,
-        hexToBytes(masterKey)
-      );
+      case 'encryptMessage': {
+        const {
+          contact_id,
+          keys,
+          protectedPrivateKey,
+          receiver_money_address,
+          receiver_pubkey,
+        } = message.payload;
 
-      const response: CryptoWorkerResponse = {
-        type: 'decryptMnemonic',
-        payload: {
-          mnemonic: Buffer.from(unprotectedMnemonic).toString('utf-8'),
-        },
-      };
+        const symmetricKey = decryptSymmetricKey(keys);
 
-      self.postMessage(response);
+        const unprotectedPrivateKey = nip44.v2.decrypt(
+          protectedPrivateKey,
+          hexToBytes(symmetricKey)
+        );
 
-      break;
-    }
+        const publicKey = getPublicKey(unprotectedPrivateKey).subarray(1, 33);
 
-    case 'encryptMessage': {
-      const {
-        contact_id,
-        masterKey,
-        protectedPrivateKey,
-        receiver_money_address,
-        receiver_pubkey,
-      } = message.payload;
+        const sender_payload = encryptMessage(
+          message.payload.message,
+          hexToUint8Array(unprotectedPrivateKey),
+          bufToHex(publicKey)
+        );
 
-      const unprotectedPrivateKey = nip44.v2.decrypt(
-        protectedPrivateKey,
-        hexToBytes(masterKey)
-      );
+        let receiver_payload: Event | null = null;
 
-      const publicKey = getPublicKey(unprotectedPrivateKey).subarray(1, 33);
+        if (!!receiver_pubkey) {
+          receiver_payload = encryptMessage(
+            message.payload.message,
+            hexToUint8Array(unprotectedPrivateKey),
+            receiver_pubkey.substring(2)
+          );
+        }
 
-      const sender_payload = encryptMessage(
-        message.payload.message,
-        hexToUint8Array(unprotectedPrivateKey),
-        bufToHex(publicKey)
-      );
+        const response: CryptoWorkerResponse = {
+          type: 'encryptMessage',
+          payload: {
+            contact_id,
+            receiver_money_address,
+            sender_payload: JSON.stringify(sender_payload),
+            receiver_payload: receiver_payload
+              ? JSON.stringify(receiver_payload)
+              : null,
+          },
+        };
 
-      let receiver_payload: Event | null = null;
+        self.postMessage(response);
 
-      if (!!receiver_pubkey) {
-        receiver_payload = encryptMessage(
-          message.payload.message,
-          hexToUint8Array(unprotectedPrivateKey),
-          receiver_pubkey.substring(2)
-        );
+        break;
       }
 
-      const response: CryptoWorkerResponse = {
-        type: 'encryptMessage',
-        payload: {
-          contact_id,
-          receiver_money_address,
-          sender_payload: JSON.stringify(sender_payload),
-          receiver_payload: receiver_payload
-            ? JSON.stringify(receiver_payload)
-            : null,
-        },
-      };
+      case 'decryptMessages': {
+        const { protectedPrivateKey, keys, messages } = message.payload;
 
-      self.postMessage(response);
+        const symmetricKey = decryptSymmetricKey(keys);
 
-      break;
-    }
+        const unprotectedPrivateKey = nip44.v2.decrypt(
+          protectedPrivateKey,
+          hexToBytes(symmetricKey)
+        );
 
-    case 'decryptMessages': {
-      const { protectedPrivateKey, masterKey, messages } = message.payload;
+        const unprotectedMessages = messages.map(m => {
+          try {
+            const event = JSON.parse(m.payload);
 
-      const unprotectedPrivateKey = nip44.v2.decrypt(
-        protectedPrivateKey,
-        hexToBytes(masterKey)
-      );
+            const message = decryptMessage(
+              event,
+              hexToUint8Array(unprotectedPrivateKey)
+            );
 
-      const unprotectedMessages = messages.map(m => {
-        try {
-          const event = JSON.parse(m.payload);
+            return { ...m, message };
+          } catch (error) {
+            return { ...m, message: 'Error decrypting message.' };
+          }
+        });
 
-          const message = decryptMessage(
-            event,
-            hexToUint8Array(unprotectedPrivateKey)
-          );
+        const response: CryptoWorkerResponse = {
+          type: 'decryptMessages',
+          payload: unprotectedMessages,
+        };
 
-          return { ...m, message };
-        } catch (error) {
-          return { ...m, message: 'Error decrypting message.' };
-        }
-      });
+        self.postMessage(response);
 
-      const response: CryptoWorkerResponse = {
-        type: 'decryptMessages',
-        payload: unprotectedMessages,
-      };
+        break;
+      }
 
-      self.postMessage(response);
+      default:
+        console.log('Unhandled event', { message });
+        break;
+    }
+  } catch (error) {
+    console.error(error);
+
+    let response: CryptoWorkerResponse;
 
-      break;
+    if (error instanceof Error) {
+      response = {
+        type: 'error',
+        msg: error.message,
+      };
+    } else {
+      response = {
+        type: 'error',
+        msg: 'Unknown error',
+      };
     }
 
-    default:
-      console.log('Unhandled event', { message });
-      break;
+    self.postMessage(response);
   }
 };
 
diff --git a/src/workers/crypto/types.ts b/src/workers/crypto/types.ts
index b907de34..7a2a4154 100644
--- a/src/workers/crypto/types.ts
+++ b/src/workers/crypto/types.ts
@@ -1,15 +1,17 @@
+import { KeysType } from '@/stores/keys';
+
 export type CryptoWorkerMessage =
   | {
       type: 'newWallet';
       payload: {
-        masterKey: string;
+        keys: KeysType;
       };
     }
   | {
       type: 'restoreWallet';
       payload: {
         mnemonic: string;
-        masterKey: string;
+        keys: KeysType;
       };
     }
   | {
@@ -18,7 +20,7 @@ export type CryptoWorkerMessage =
         wallet_account_id: string;
         mnemonic: string;
         descriptor: string;
-        masterKey: string;
+        keys: KeysType;
         pset: string;
       };
     }
@@ -26,7 +28,7 @@ export type CryptoWorkerMessage =
       type: 'decryptMnemonic';
       payload: {
         protectedMnemonic: string;
-        masterKey: string;
+        keys: KeysType;
       };
     }
   | {
@@ -34,7 +36,7 @@ export type CryptoWorkerMessage =
       payload: {
         contact_id: string;
         protectedPrivateKey: string;
-        masterKey: string;
+        keys: KeysType;
         receiver_pubkey: string | null | undefined;
         receiver_money_address: string;
         message: string;
@@ -44,7 +46,7 @@ export type CryptoWorkerMessage =
       type: 'decryptMessages';
       payload: {
         protectedPrivateKey: string;
-        masterKey: string;
+        keys: KeysType;
         messages: {
           id: string;
           contact_is_sender: boolean;