Private Key
Updated Apr 13, 2026
A private key is a secret alphanumeric string that lets its holder authorize transactions from a specific cryptocurrency address. It is the cryptographic proof of ownership in a blockchain wallet. Whoever controls the private key controls the funds at the associated address - fully and permanently.
Private keys are not passwords. No one can reset, recover, or change them. They are generated once, mathematically linked to a public address, and remain valid as long as that address exists on the blockchain. If a private key is lost and no backup exists, the funds are gone forever.
Every self-custody wallet - whether it is a mobile app, browser extension, or hardware device - is fundamentally a tool for generating, storing, and using private keys without exposing them.
How a Private Key Works
Blockchain networks rely on asymmetric cryptography, also called public-key cryptography. This system produces two related keys from a single random number:
- a private key that must remain secret
- a public key that can be shared freely
The process works in one direction only:
- A private key is generated from a large random number, typically 256 bits for Bitcoin and Ethereum.
- A public key is mathematically derived from the private key using elliptic curve multiplication.
- A hashing function derives a public address from the public key.
- The address is what other people use to send funds to you.
This relationship is a one-way function. You can derive the public key from the private key, but you cannot reverse the process and recover the private key from a public key or address. That asymmetry is what makes the system secure.
When you send a transaction, your wallet uses the private key to create a digital signature. The network verifies that signature against your public key without ever seeing the private key itself. If the signature is valid, the transaction is accepted. If not, it is rejected. The private key stays inside the wallet - only the signature is shared.
Private Key Formats
A private key is the same underlying number, but wallets may display or store it in different formats.
Raw Hexadecimal
A 64-character string made of numbers 0-9 and letters A-F. This is the raw format. Example: a1b2c3d4e5f6... Most users never see their key in this form.
WIF (Wallet Import Format)
A Base58-encoded version of the raw hex key. It includes information about the network and whether the related public key is compressed. In Bitcoin, WIF keys usually start with 5, K, or L. It is easier to copy than raw hex and is commonly used when importing or exporting keys.
BIP38 Encrypted Key
A private key encrypted with a passphrase. These strings often start with 6P. To use the key, you must enter the passphrase. This adds protection during storage or transport, but it also makes the passphrase critical.
Derived from a Seed Phrase
In most modern wallets, users do not see individual private keys. Instead, the wallet derives them from a seed phrase through a hierarchical deterministic algorithm. One seed phrase can generate a tree of private keys, typically one per address.
Private Key vs Seed Phrase vs Password
| Feature | Private Key | Seed Phrase | Password or PIN |
|---|---|---|---|
| What it controls | One specific address | All addresses in the wallet | Access to the app only |
| Format | 64-character hex or encoded string | 12 to 24 words | User-defined |
| If lost | That address is unrecoverable | The whole wallet is unrecoverable | Usually resettable |
| If stolen | Funds at that address can be taken | All wallet funds can be taken | App access is at risk |
| Recovery | None | None | Usually possible |
| Who should see it | No one | No one | No one |
| Generated by | Wallet software or hardware | Wallet during setup | User |
A private key controls one address. A seed phrase controls all private keys in a wallet. A password or PIN only controls access to the app. It does not directly protect the key if the key is extracted from device storage or memory.
Private Key in Practice
When you open a wallet app and tap "Send", the process feels simple. Under the surface, several things happen.
Imagine you want to send 0.1 ETH to a friend. You enter the amount, paste the address, and confirm. Your wallet builds a transaction object with the sender address, recipient address, amount, and network fee. It then passes that transaction to the private key stored on the device. The key generates a unique digital signature using ECDSA. The signed transaction is broadcast to the network. Nodes verify the signature against the public key. If it checks out, validators include the transaction in a block.
At no point does the private key need to appear outside the wallet. It is used only to produce the signature, and the network only needs that signature.
Now imagine the private key is stored in phone memory while a compromised app is running. Malware scans memory, extracts the key, silently exports it, and an attacker imports it into another wallet. Your funds can disappear before you even notice. The transaction will still be valid and irreversible.
Risks and Common Misconceptions
Storing Private Keys on Connected Devices
A private key stored in a browser extension, mobile app, or desktop wallet lives on an internet-connected device. Malware, phishing, compromised apps, and operating system vulnerabilities can expose it without visible warning.
How to reduce the risk: Use a hardware wallet for meaningful holdings. Hardware wallets generate and store private keys inside a secure chip that cannot be read by ordinary software.
Importing Keys into Unverified Software
Some websites and tools claim they can "check", "verify", or "import" a private key. The moment you enter a private key into a malicious or careless service, that service can take your funds.
How to reduce the risk: Never enter a private key into any site, app, or tool unless you deliberately chose it for the sole purpose of importing the key into a trusted wallet.
Keeping Unencrypted Backups
A private key written in a notes app, saved in a text file, pasted into an email, or stored on a sticky note can be exposed easily. Digital copies are especially dangerous because they can be copied, synced, or stolen remotely.
How to reduce the risk: If you keep a physical backup, protect it the same way you would protect a seed phrase - offline, physically secure, and ideally on durable material.
Reusing Addresses
Many wallets generate a fresh address and derived private key for privacy whenever you receive funds. Reusing one address does not directly reveal the key, but it links your full transaction history to one public identifier.
How to reduce the risk: Use wallets that support hierarchical deterministic address generation and rotate addresses when privacy matters.
Common Misconceptions
"My private key is safe in a hardware wallet even if I type it somewhere."
No. If you display or enter the private key outside the secure device, it is no longer protected by the hardware wallet model.
"I can recover my private key if I forget it."
No. There is no reset or recovery process for a private key. Not from a wallet provider, not from the blockchain, and not from anyone else.
"My wallet password protects my private key."
Only partially. A password protects the encrypted wallet file or app access. If the key is extracted from memory while the wallet is unlocked, the password does not help.
"Changing wallet apps changes my private key."
No. The same address and private key exist independently of the app. Switching apps does not undo prior exposure.
Tangem's Approach to Private Key Security
The security of a private key depends mainly on whether it can be extracted from where it is stored. Software wallets, no matter how well designed, expose a key to device memory at some point during transaction signing.
Tangem is designed to remove that exposure window. The private key is generated inside the card's secure chip during setup and never leaves the chip - not to the mobile app, not to Tangem's servers, and not to any connected device. The chip signs transactions internally and returns only the signature.
That means the private key participates in the signing process without ever being exposed outside the secure element. For users who want more direct control or cross-wallet compatibility, Tangem also supports optional seed phrase generation in line with BIP39.
Frequently Asked Questions
What does a private key look like?
In raw form, a private key is a 64-character hexadecimal string using letters A-F and digits 0-9. In Bitcoin WIF format, it appears as a shorter Base58 string that often starts with 5, K, or L. Most users never see it directly because modern wallets manage keys behind the seed phrase.
Can two wallets have the same private key?
In theory, yes. In practice, the probability is so small that it is treated as impossible. A 256-bit key space is so large that accidental duplication is effectively unrealistic.
What happens if I lose my private key?
The funds remain visible on the blockchain, but no one can move them. Without the private key - or the seed phrase that can regenerate it - no valid signature can be created. The funds become permanently inaccessible.
Is it safe to share my public key?
Yes. A public key and the public address derived from it are meant to be shared. They let others send you funds and allow the network to verify signatures. Sharing them does not expose the private key.
Can blockchain transactions be reversed if my private key is stolen?
No. Blockchain transactions are generally irreversible. If someone uses your private key to move funds, there is no chargeback and no central authority that can undo the transfer.
Why do some wallets never show my private key?
Modern HD wallets derive private keys on demand from the seed phrase. Users normally back up the seed phrase rather than each individual key. This is more practical and less error-prone.
What is the relationship between a private key and a wallet address?
A wallet address is derived from the private key through one-way mathematical steps: first a public key is produced, then the address is generated from that public key. You can go from private key to address, but not the other way around.
How is a private key different from an API key or password?
An API key or password can usually be reset, revoked, or reissued by a service provider. A private key cannot. It is not a login credential - it is direct cryptographic control over funds on a decentralized network.
Related Terms
- Public Key
- Digital Signature
- Non-Custodial Wallet
- Public Address