/**
 * PGP Private Key Encryption
 *
 * Encrypts private keys using AES-GCM with the user's 2SKD KEK.
 * Issue #1374
 */
/**
 * Encryption result containing ciphertext and IV
 */
export interface EncryptedPrivateKey {
    /** AES-GCM encrypted private key bytes */
    encryptedPrivateKey: Uint8Array;
    /** 12-byte initialization vector for decryption */
    iv: Uint8Array;
}
/**
 * Encrypt private key bytes with the user's KEK using AES-GCM
 *
 * Uses a random 12-byte IV for each encryption operation.
 *
 * @param privateKeyBytes - Raw private key bytes (PKCS8 format)
 * @param kek - 32-byte Key Encryption Key from 2SKD
 * @returns Encrypted private key and IV
 */
export declare function encryptPrivateKey(privateKeyBytes: Uint8Array, kek: Uint8Array): Promise<EncryptedPrivateKey>;
/**
 * Decrypt private key bytes with the user's KEK using AES-GCM
 *
 * @param encryptedPrivateKey - AES-GCM encrypted private key bytes
 * @param iv - 12-byte initialization vector used during encryption
 * @param kek - 32-byte Key Encryption Key from 2SKD
 * @returns Decrypted private key bytes (PKCS8 format)
 * @throws Error if decryption fails (wrong key or tampered data)
 */
export declare function decryptPrivateKey(encryptedPrivateKey: Uint8Array, iv: Uint8Array, kek: Uint8Array): Promise<Uint8Array>;
/**
 * Import private key bytes as a CryptoKey for RSA-PSS signing
 *
 * @param privateKeyBytes - Private key in PKCS8 format
 * @returns CryptoKey configured for RSA-PSS signing with SHA-256
 */
export declare function importPrivateKey(privateKeyBytes: Uint8Array): Promise<CryptoKey>;
/**
 * Import a PEM-encoded public key as a CryptoKey for RSA-PSS verification
 *
 * @param publicKeyPem - Public key in PEM format (SPKI)
 * @returns CryptoKey configured for RSA-PSS verification with SHA-256
 */
export declare function importPublicKey(publicKeyPem: string): Promise<CryptoKey>;