Private keys

Private key management is a crucial aspect of blockchain security, ensuring that transactions are securely signed and verified. Blockchain transactions require private keys for authentication, ownership verification, and signing, and the associated blockchain address must have sufficient funds to cover transaction fees (gas costs).

Depending on risk, compliance requirements, and scale, SettleMint supports multiple approaches:

• Accessible ECDSA P-256: Straightforward software-based storage.
• Hierarchical Deterministic (HD) ECDSA P-256: Generate multiple child keys from a master seed for structured backups.
• Hardware Security Modules (HSMs): Tamper-resistant devices ensuring maximum security for enterprise or regulated use cases. Each approach integrates with the Transaction Signer, guaranteeing seamless and secure execution of on-chain operations.

---

Importance of private key management

Private keys are essential for:

• Digitally signing transactions before they are broadcast to the blockchain.
• Generating public addresses for receiving assets.
• Ensuring ownership of blockchain-based assets.
• Providing security through cryptographic encryption.

Improper handling of private keys can lead to unauthorized access, irreversible loss of funds, and compromised blockchain operations.

---

Key management approaches

SettleMint supports multiple key storage and generation options to balance security, usability, and compliance.

1. Externally generated private keys

Users can create and manage their private keys outside of SettleMint and import them when needed. Common options include:

• MetaMask – A popular Ethereum-based wallet.
• Ledger/Trezor – Secure hardware wallets for private key storage.
• OpenSSL & CLI Tools – For manually generating and managing key pairs.
• Cloud-Based Key Vaults – Secure solutions like AWS KMS, Azure Key Vault, and GCP KMS.

2. Private key management in settlemint

SettleMint provides built-in private key generation and storage, allowing users to:

• Generate ECDSA P-256, (HD) ECDSA P-256, and HSM private keys within the platform.
• Manage multiple keys for different blockchain networks.
• Securely sign transactions without exposing private keys externally.

3. Custom key material: mnemonic & derivation path

For advanced users, SettleMint allows the use of custom key material, including:

• Mnemonics – A 12/24-word recovery phrase that generates a Hierarchical Deterministic (HD) Wallet.
• Derivation Paths – Structured key generation paths, such as:
  • m/44'/60'/0'/0/0 (Ethereum Standard)
  • m/44'/0'/0'/0/0 (Bitcoin Standard)

Using HD ECDSA P-256, users can derive multiple child keys from a master seed, allowing structured backups and better key management.

---

Signing transactions in settlemint

SettleMint integrates a signing proxy that ensures secure transaction execution.

• Captures eth_sendTransaction calls made via JSON-RPC endpoints.
• Uses the appropriate private key from the key management section.
• Signs the transaction before sending it to the blockchain node.

This setup allows seamless integration with external blockchain development tools, such as:

• JSON-RPC API – Direct node interactions (Ethereum JSON-RPC).
• Hardhat Framework – Remote transaction signing (Hardhat Configuration).

---

Security considerations

1. Software-based private key storage

• Keys are stored in software memory for easy access.
• Suitable for low-risk applications but vulnerable to potential attacks.

2. Hierarchical deterministic (hd) key management

• Generates multiple child keys from a single mnemonic seed.
• Ensures structured key backups and recovery.

3. Hardware security modules (hsms)

• Uses tamper-resistant hardware devices for strong security.
• Preferred for enterprise-grade and regulated environments.

---

Best practices for private key security

• Use Secure Backups – Store keys in encrypted, air-gapped storage solutions.
• Enable Multi-Factor Authentication (MFA) – Adds an extra layer of protection.
• Restrict Access via IAM Policies – Implement role-based security controls.
• Rotate Keys Regularly – Minimizes risk associated with long-term key exposure.
• Monitor Transactions – Set up alerts for unauthorized activity.

---

Additional resources

• Ethereum JSON-RPC API
• Hardhat JSON-RPC Signing Guide
• MetaMask Private Key Management
• Ledger Hardware Wallets
• AWS Key Management Service

---

You can sign transactions with private keys you created outside SettleMint with e.g. MetaMask or other wallet solutions. SettleMint however provides an option to create and manage private keys within the platform.

When you deploy a blockchain node it contains a signing proxy that captures the eth_sendTransaction call, uses the appropriate key from the private key section to sign it, and sends it onwards to the blockchain node. You can use this proxy directly via the nodes JSON-RPC endpoints (https://eth.wiki/json-rpc/API) and via tools like Hardhat (https://hardhat.org/config/#json-rpc-based-networks) configured to use the "remote" default option for signing.

Create a private key

Manage private keys

Fund the private key

For networks that require gas to perform a transaction, your private key should contain enough funds to cover the gas price.

1. Click the private key in the overview to see detailed information
2. Open the Balances tab
3. Click Fund
4. Scan the QR code with your wallet/exchange to fund the key