Back to glossary

Private Key

Table of Contents

What is a private key

A private key in blockchain is a unique, cryptographically generated string of numbers and letters that enables users to access and control their digital assets. It is the fundamental security mechanism in public-key cryptography, allowing the holder to sign transactions and prove ownership of blockchain-based assets.

The function of private keys

The private key is used to sign transactions and verify the sender has authorized the transfer of assets. It works in tandem with a public key, which is derived from the private key but does not reveal it. When a transaction is signed, the network can verify its authenticity without exposing the private key itself.

Why private key security is important

The private key is the single point of control over an externally owned account (EOA) wallet. If a private key is lost, access to the associated assets is permanently lost. If it is stolen or exposed, the attacker gains full control over the wallet and can transfer assets without restriction. Unlike centralized systems, blockchain transactions are irreversible, meaning stolen funds cannot be recovered.

How a private key is generated

Private keys in Ethereum are always 256-bit numbers, generated using a cryptographically secure pseudo-random number generator (CSPRNG). The process ensures that each key is unique, unpredictable, and resistant to brute-force attacks.

Mechanism of private key generation
  1. Entropy collection: The CSPRNG gathers randomness from secure sources such as hardware-based random number generators, keyboard/mouse movements, or system entropy pools.
  2. Random number generation: A CSPRNG processes the entropy to create a truly random 256-bit (32-byte) number.
  3. Formatting for Ethereum: The number is converted into a 64-character hexadecimal string. Ethereum private keys specifically adhere to the secp256k1 elliptic curve standard for cryptographic security.

Private key storage

Since manually managing private keys is risky, users often rely on several secure methods to protect them from theft, loss, and online threats:

  • Seed phrases (mnemonics): 12 to 24 words that represent a private key and can be used as a backup to regenerate the private key.
  • Hardware wallets: Physical, offline devices (e.g., Ledger, Trezor) that store private keys in a tamper-resistant chip. Transactions are signed within the device, so the private key never appears on an internet-connected computer, greatly reducing exposure to malware or hacking.
  • Cold storage: Keeping private keys completely offline to eliminate online attack vectors. Examples:
    • Paper wallets (physically printing or writing the private key and storing it securely).
    • Air-gapped devices that have no network connections preventing remote access.
    • Metal backups (engraving seed phrases or private keys on durable steel plates).
  • Wallets with encrypted digital storage: Software-based wallets securely store private keys using encryption, typically protected by a password or PIN to prevent unauthorized access.

What are private keys used for?

  • Signing transactions: Every blockchain transaction must be signed with a private key to prove authenticity.
  • Decrypting messages: Some blockchain-based messaging applications (e.g., Status, Session, or Nostr) use private keys for end-to-end encryption, ensuring only the intended recipient can decrypt the message.
  • Identity and ownership verification: Private keys serve as cryptographic proof of ownership and can be used for authentication in decentralized applications (dApps).

Risks that owners of private keys face

  • Phishing attacks: Nefarious actors use myriad techniques to trick users into revealing their private keys.
  • Malware and keyloggers: Malicious software, acquired through phishing attacks or other means, can record a user’s activity and steal their private keys.
  • Loss of keys: If a private key is lost and no backup is available, access to the assets secured by that private key is permanently lost.

Note: For more detailed guidance on avoiding scams and safeguarding private keys, refer to this two-part series of articles:

Best practices for private key management

  • Never share the private key: No legitimate service will ever ask for it.
  • Use hardware wallets: These offer strong security and significantly reduce the risk of online theft.
  • Backup the seed phrase: Store it in a secure, offline location in a non-digital format.
  • Use a multi-signature wallet: Multi-sigs require multiple signatures to execute a transaction, adding an extra layer of security.

Example of an Ethereum private key

c9b1f3a992bc63eaa4deab0a18f67ad6488f42b68db35cc6b79b31dfbe63d3f3

This private key generates a corresponding public key, which is then hashed to create an Ethereum wallet address. While anyone can send ETH to the address, only the private key holder can sign and authorize transactions.

Related Terms

No items found.
Cyfrin Updraft
Learn smart contract development, how to write secure smart contracts, and scalable protocols from world's leading experts.
Join Cyfrin Updraft for free
Paper plane icon
Weekly newsletter
Carefully crafted, short smart contract security tips and news freshly delivered every week.

Read about our

privacy policy
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Share this blog post