export interface BackupKeys {
    /**
     * 32-byte raw key for the Askar store, base64url-encoded. Pass to
     * `Store.copyTo({ keyMethod: 'raw', passKey })`.
     *
     * The raw bytes are also exposed via `askarPassKeyBytes` for the rare
     * Askar binding that wants a non-base64url shape.
     */
    askarPassKey: string;
    askarPassKeyBytes: Uint8Array;
    /**
     * Passphrase fed to the outer vault encryption (S3 suite, Argon2id). 32
     * bytes of HKDF output encoded as base64url. Treated as a string
     * passphrase by `encryptWithPassphraseRn` / `VaultsApi.create`.
     */
    vaultPassphrase: string;
    /**
     * Deterministic vault lookup ID. 16 bytes → 22 base64url chars. Use as
     * `vaultId` in StoreVaultMessage / RetrieveVaultMessage so any device with
     * the same seed locates the same vault on the server.
     */
    vaultId: string;
}
/**
 * Derive the three recovery keys from a wallet seed.
 *
 * @param seed Raw seed bytes (e.g. the entropy of a BIP-39 24-word phrase, 32
 *             bytes). Minimum 16 bytes accepted; 32+ recommended.
 */
export declare function deriveBackupKeysFromSeed(seed: Uint8Array): BackupKeys;
/**
 * The HKDF labels used by `deriveBackupKeysFromSeed`. Exported as constants
 * so external test suites can pin against them.
 */
export declare const BackupKeyLabels: {
    readonly askarPassKey: "vaults/v1/askar-store-key";
    readonly vaultPassphrase: "vaults/v1/vault-passphrase";
    readonly vaultId: "vaults/v1/vault-id";
};