We already looked at using BIP38 to encrypt a key. In reality, however, this BIP is two ideas in one document.
The second part of the BIP shows how you can delegate key and address creation to an untrusted peer. It will fix one of our concerns.
The idea is to generate a PassphraseCode and give it to the key generator. With this PassphraseCode, they will be able to generate encrypted keys on your behalf without knowing your password or any private key.
This PassphraseCode can be given to your key generator in WIF format.
Tip: In NBitcoin, all types prefixed by “Bitcoin” are Base58 (WIF) data.
So, as a user who wants to delegate key creation, you first create the PassphraseCode.
var passphraseCode = new BitcoinPassphraseCode("my secret", Network.Main, null);
You then give this passphraseCode to a third-party key generator.
The third party will then generate new encrypted keys for you.
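The delegation described above, shown end to end with both roles in one process, as an added example that is not code from the original page. It assumes NBitcoin's `GenerateEncryptedSecret`, `EncryptedKeyResult`, `BitcoinConfirmationCode.Check` and `BitcoinEncryptedSecret.GetSecret` as found in the library; the class name and the `exported` variable are made up for illustration.

```csharp
using System;
using NBitcoin;

class DelegatedKeyCreation
{
    static void Main()
    {
        // Known only to the owner; it is never sent to the generator.
        const string passphrase = "my secret";

        // --- Owner side ---
        // Derive the PassphraseCode and export it as a Base58 string.
        var ownerCode = new BitcoinPassphraseCode(passphrase, Network.Main, null);
        string exported = ownerCode.ToString();

        // --- Untrusted generator side ---
        // The generator sees only the exported string, not the passphrase.
        var generatorCode = new BitcoinPassphraseCode(exported, Network.Main);
        EncryptedKeyResult result = generatorCode.GenerateEncryptedSecret();

        // These three values are handed back to the owner.
        var address = result.GeneratedAddress;
        var encryptedKey = result.EncryptedKey;
        var confirmation = result.ConfirmationCode;

        // --- Owner side ---
        // Before funding the address, check that it really depends on the
        // owner's passphrase. A generator that returned an address it
        // controls itself would fail this check.
        if (!confirmation.Check(passphrase, address))
            throw new InvalidOperationException(
                "Generated address is not bound to this passphrase.");

        // Only the passphrase holder can recover the private key.
        BitcoinSecret secret = encryptedKey.GetSecret(passphrase);

        Console.WriteLine("PassphraseCode sent out : " + exported);
        Console.WriteLine("Address received        : " + address);
        Console.WriteLine("Encrypted key received  : " + encryptedKey);
        Console.WriteLine("Decrypted by owner      : " + (secret != null));
    }
}
```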