Private keys

Private key management is a crucial aspect of blockchain security, ensuring that transactions are securely signed and verified. Blockchain transactions require private keys for authentication, ownership verification, and signing, and the associated blockchain address must have sufficient funds to cover transaction fees (gas costs).

Depending on risk, compliance requirements, and scale, SettleMint supports multiple approaches:

Accessible ECDSA P-256: Straightforward software-based storage.
Hierarchical Deterministic (HD) ECDSA P-256: Generate multiple child keys from a master seed for structured backups.
Hardware Security Modules (HSMs): Tamper-resistant devices ensuring maximum security for enterprise or regulated use cases. Each approach integrates with the Transaction Signer, guaranteeing seamless and secure execution of on-chain operations.

Importance of private key management

Private keys are essential for:

Digitally signing transactions before they are broadcast to the blockchain.
Generating public addresses for receiving assets.
Ensuring ownership of blockchain-based assets.
Providing security through cryptographic encryption.

Improper handling of private keys can lead to unauthorized access, irreversible loss of funds, and compromised blockchain operations.

Key management approaches

SettleMint supports multiple key storage and generation options to balance security, usability, and compliance.

1. Externally generated private keys

Users can create and manage their private keys outside of SettleMint and import them when needed. Common options include:

MetaMask – A popular Ethereum-based wallet.
Ledger/Trezor – Secure hardware wallets for private key storage.
OpenSSL & CLI Tools – For manually generating and managing key pairs.
Cloud-Based Key Vaults – Secure solutions like AWS KMS, Azure Key Vault, and GCP KMS.

2. Private key management in settlemint

SettleMint provides built-in private key generation and storage, allowing users to:

Generate ECDSA P-256, (HD) ECDSA P-256, and HSM private keys within the platform.
Manage multiple keys for different blockchain networks.
Securely sign transactions without exposing private keys externally.

3. Custom key material: mnemonic & derivation path

For advanced users, SettleMint allows the use of custom key material, including:

Mnemonics – A 12/24-word recovery phrase that generates a Hierarchical Deterministic (HD) Wallet.
Derivation Paths – Structured key generation paths, such as:
- m/44'/60'/0'/0/0 (Ethereum Standard)
- m/44'/0'/0'/0/0 (Bitcoin Standard)

Using HD ECDSA P-256, users can derive multiple child keys from a master seed, allowing structured backups and better key management.

Signing transactions in settlemint

SettleMint integrates a signing proxy that ensures secure transaction execution.

Captures eth_sendTransaction calls made via JSON-RPC endpoints.
Uses the appropriate private key from the key management section.
Signs the transaction before sending it to the blockchain node.

This setup allows seamless integration with external blockchain development tools, such as:

JSON-RPC API – Direct node interactions (Ethereum JSON-RPC).
Hardhat Framework – Remote transaction signing (Hardhat Configuration).

Security considerations

1. Software-based private key storage

Keys are stored in software memory for easy access.
Suitable for low-risk applications but vulnerable to potential attacks.

2. Hierarchical deterministic (hd) key management

Generates multiple child keys from a single mnemonic seed.
Ensures structured key backups and recovery.

3. Hardware security modules (hsms)

Uses tamper-resistant hardware devices for strong security.
Preferred for enterprise-grade and regulated environments.

Storage Method	Security Level	Best Use Case
Software (ECDSA)	Medium	Low-risk applications, fast access needs.
HD Wallets	High	Structured backups, multi-account setups.
HSM	Very High	Enterprise, regulatory compliance.

Best practices for private key security

Use Secure Backups – Store keys in encrypted, air-gapped storage solutions.
Enable Multi-Factor Authentication (MFA) – Adds an extra layer of protection.
Restrict Access via IAM Policies – Implement role-based security controls.
Rotate Keys Regularly – Minimizes risk associated with long-term key exposure.
Monitor Transactions – Set up alerts for unauthorized activity.

Additional resources

You can sign transactions with private keys you created outside SettleMint with e.g. MetaMask or other wallet solutions. SettleMint however provides an option to create and manage private keys within the platform.

When you deploy a blockchain node it contains a signing proxy that captures the eth_sendTransaction call, uses the appropriate key from the private key section to sign it, and sends it onwards to the blockchain node. You can use this proxy directly via the nodes JSON-RPC endpoints (https://eth.wiki/json-rpc/API) and via tools like Hardhat (https://hardhat.org/config/#json-rpc-based-networks) configured to use the "remote" default option for signing.

Create a private key

Navigate to your application, click Private keys in the left navigation, and then click Create a private key. This opens a form.

Follow these steps to create the private key:

Choose a private key type:
- Accessible ECDSA P256: Standard Ethereum-style private keys with exposed mnemonic
- HD ECDSA P256: Hierarchical Deterministic keys for advanced key management
- HSM ECDSA P256: Hardware Security Module protected keys for maximum security
Choose a name for your private key
Select the nodes on which you want the key to be active
Click Confirm to create the key

# Create Accessible ECDSA P256 key
settlemint platform create private-key accessible-ecdsa-p256 my-key \
  --application my-app \
  --blockchain-node node-123

# Create HD ECDSA P256 key
settlemint platform create private-key hd-ecdsa-p256 my-key \
  --application my-app

# Create HSM ECDSA P256 key
settlemint platform create private-key hsm-ecdsa-p256 my-key \
  --application my-app

import { createSettleMintClient } from '@settlemint/sdk-js';

const client = createSettleMintClient({
  accessToken: 'your_access_token',
  instance: 'https://console.settlemint.com'
});

// Create private key
const createKey = async () => {
  const result = await client.privateKey.create({
    name: "my-key",
    applicationUniqueName: "my-app",
    privateKeyType: "ACCESSIBLE_ECDSA_P256", // or "HD_ECDSA_P256" or "HSM_ECDSA_P256"
    blockchainNodeUniqueNames: ["node-123"] // optional
  });
  console.log('Private key created:', result);
};

Manage private keys

Navigate to your application's Private keys section
Click on a private key to:
- View details and status
- Manage node associations
- Check balances
- Fund the key

# List all private keys
settlemint platform list private-keys --application <app-name>

# View specific key details
settlemint platform read private-key <private-key-unique-name>

# Restart a private key
settlemint platform restart private-key <private-key-unique-name>

// List private keys
const listKeys = async () => {
  const keys = await client.privateKey.list("your-app-name");
};

// Get key details
const getKey = async () => {
  const key = await client.privateKey.read("key-unique-name");
};

// Restart key
const restartKey = async () => {
  await client.privateKey.restart("key-unique-name");
};

Fund the private key

For networks that require gas to perform a transaction, your private key should contain enough funds to cover the gas price.

Click the private key in the overview to see detailed information
Open the Balances tab
Click Fund
Scan the QR code with your wallet/exchange to fund the key

Ensure your private key has sufficient funds before attempting transactions on networks that require gas fees.

Private keys

On this page