diff --git a/libs/keys.py b/libs/keys.py
new file mode 100644
index 0000000..0995458
--- /dev/null
+++ b/libs/keys.py
@@ -0,0 +1,14 @@
+from nacl.public import PrivateKey
+from nacl.encoding import Base64Encoder
+from bundlewrap.utils import Fault
+
+def gen_privkey(identifier):
+    return repo.vault.random_bytes_as_base64_for(identifier)
+
+def get_pubkey_from_privkey(identifier, privkey):
+    # FIXME this assumes the privkey is always a base64 encoded string
+    def derive_pubkey():
+        pub_key = PrivateKey(base64.b64decode(str(privkey))).public_key
+        return pub_key.encode(encoder=Base64Encoder).decode('ascii')
+
+    return Fault(f'pubkey from privkey {identifier}', derive_pubkey)
diff --git a/requirements.txt b/requirements.txt
index c8edcaf..c866f5b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1,2 @@
 bundlewrap>=4.2.0
+PyNaCl