Private Key

How private keys work

The cryptographic foundation:

• Private key — randomly generated 256-bit number (for most cryptocurrencies).
• Public key — derived mathematically from the private key using elliptic curve cryptography.
• Wallet address — derived from the public key.
• Signing — private key creates cryptographic signatures proving ownership.
• Verification — anyone can verify signatures using the public key, without revealing the private key.

The math is one-way: public key from private key is easy; the reverse is computationally infeasible.

Why private keys are foundational

The core property:

• Anyone with the private key can sign transactions and spend funds at the corresponding address.
• No one without the private key can.
• No central authority can recover or override this.
• Cryptographic guarantees are mathematical, not policy-based.

This is what makes self-custody possible — and what makes mistakes catastrophic.

How private keys are typically stored

Different formats:

• Raw 256-bit number — rarely shown directly to users.
• Hexadecimal representation — 64 hex characters.
• WIF (Wallet Import Format) — Bitcoin-specific encoding.
• Mnemonic phrase — 12 or 24 words encoding the seed used to derive keys.

Modern wallets typically show users the mnemonic phrase rather than raw keys, since it's more user-friendly.

Hierarchical deterministic wallets

A standard pattern (BIP-32):

• Single seed generates a tree of private keys.
• One mnemonic phrase can recover unlimited derived addresses.
• Different paths generate different keys.
• Standardized derivation ensures wallet compatibility.

This is why a single seed phrase backs up an entire wallet rather than just one address.

Storage best practices

How to protect private keys:

• Never enter into websites unless you trust them completely.
• Use hardware wallets for meaningful balances — keys never leave the device.
• Never digitize seed phrases (no photos, cloud documents, password managers).
• Multiple physical backups in different locations.
• Test recovery before storing significant funds.
• Multisig setups for higher-value holdings.

These practices have real operational cost but provide strong security.

Common ways keys are compromised

Several patterns:

• Phishing — fake sites capture seed phrases.
• Malware — keylogging, clipboard hijacking, screen recording.
• Compromised devices — stolen phones with weak security.
• Cloud backup — seed phrase stored in cloud accounts that get breached.
• Coercion — physical threat to extract keys.
• Insider threat — wallet provider compromised.

Most retail crypto losses come through these vectors rather than cryptographic breaks.

Private keys vs. wallets

A useful distinction:

• Wallet — software or hardware that manages keys and signs transactions.
• Keys — the actual cryptographic objects.
• Address — public identifier derived from keys.

A wallet doesn't "hold" funds; it holds keys. Funds are recorded on the blockchain at addresses; keys authorize spending.

Recovery and inheritance

Key losses produce permanent fund loss. Recovery options:

• Mnemonic phrase backup — restore wallet on new device.
• Multisig — distributed keys mean lost individual keys don't lose funds.
• Social recovery (account abstraction) — pre-configured guardians can recover access.
• Inheritance planning — ensuring heirs can access funds when needed.

Without these, lost keys mean permanently lost funds.

What individuals should know

For most crypto holders:

• Keys are the most security-critical part of self-custody.
• Use hardware wallets for meaningful balances.
• Backup seed phrases physically in multiple locations.
• Plan for inheritance — your beneficiaries need access.
• Don't share keys with anyone, ever.

The basic principle: private keys are the difference between owning crypto and having access to it. Anyone with the keys controls the funds; no one without the keys does. Operating safely with this responsibility is the central skill of self-custody crypto.