Share articles to

Academy Beginners Tutorial Article
Bitcoin Ethereum Security

Cryptocurrency wallets and keys — an introduction to digital asset custody and security

2021.06.04 Rick Delaney

A primer on digital currency wallets, public and private keys, and crypto security best practices

Cryptocurrencies enable a level of financial freedom not possible with typical electronic payment methods. Without reliance on central authorities, blockchain networks like Bitcoin and Ethereum allow users to take custody of their own assets and transact globally without requiring a trusted broker or third party’s permission. 

With this level of freedom, however, comes additional responsibility. Blockchain networks are designed in such a way that all transactions are final and irreversible. As a result, any mistakes, such as sending your assets to the wrong address or losing sensitive data could be very costly. Additionally, there’s no one to complain to should you fall victim to malware or a scam and lose money as a result. Therefore, it’s important to understand how to store cryptocurrency securely before you start trading and investing.

In this article, we introduce the concept of cryptocurrency wallets. Rather than jumping right in and explaining the different types of storage solutions available, this primer aims to provide you with foundational knowledge, preparing you to understand subsequent content on the topic better.

The public and private keys at the heart of all available crypto wallet solutions serve as the focus of this introduction to cryptocurrency storage. We explain what each of these keys does and how they relate to one another. Additionally, we stress the importance of a private key and share best practices as well as tips to help protect it. 

Table of contents

What is a cryptocurrency wallet?

A basic cryptocurrency wallet is little more than a pair of cryptographic keys (i.e., one public and one private). Cryptography, responsible for the “crypto” in cryptocurrency, refers to the process of securing data using encryption algorithms, making it virtually impossible for third parties to retrieve that data without decryption keys. We’ll explain what cryptographic keys are and the difference between the two types used by most cryptocurrencies in more detail below. For now, however, just think of these keys as very large, unique numbers that are linked using highly complex cryptography.

There is a private key, which is used to authorize the spending of any cryptocurrency associated with it. From this private key, a public key is derived. The public key — or, as is more often the case, the addresses created using the public key — serve as a user identifier to the rest of the network. 

As the names suggest, the private key must be kept secret at all times. In the simplest wallets, the private key is the only detail another person needs to spend the cryptocurrency available on its corresponding public address. 

Meanwhile, the public key is much less sensitive, so you don’t need to guard it quite as carefully. That said, there are some reasons why you might want to keep the public key reasonably private. We discuss these later in this article.    

Before we go deeper into public and private keys, however, let’s first address a common misconception with cryptocurrency wallets. 

In the physical world, a wallet stores units of currency. For example, when you go to the bank and withdraw funds, you probably put your banknotes immediately into your wallet along with your bank card. The wallet stores the money directly.

The term cryptocurrency wallet, therefore, suggests that crypto assets are actually stored in your digital wallet. However, your BTC, ETH or any other digital currency only exists as entries in a distributed database. There are no actual coins to store.

When you spend BTC, for example, nothing moves around the network. Instead, you use a cryptographic key — your private key — to instruct the network to associate the spent BTC with a new pair of keys. Whoever has the private key corresponding to the public key you sent your BTC to can later spend the BTC by repeating the process of creating and signing a new transaction.

Although, strictly speaking, the wallet is the key pair, cryptocurrency users often use the term to refer to a specific solution designed to manage their public and private keys. Examples include:

  • Software wallets
  • Hardware wallets
  • Custodial wallets
  • Brain wallets 
  • Paper wallets 

Each of these key-managing solutions has different security and user-convenience trade-offs. For example, a software wallet is generally much less secure than a hardware wallet, but more convenient for those making regular transactions. 

The fact that it’s your keys and not your cryptocurrencies that are stored in whatever cryptocurrency-storage solution you choose is important. It means that you — or anyone else with access to specific wallet details — can restore the wallet to another device.  

The chosen key-managing service — for example, Ledger or Electrum — just provides a user-friendly interface to communicate with the network. Therefore, if you created a wallet using Ledger’s products and the company went out of business, you could use your private key to access your funds by restoring the wallet into Electrum or any other wallet software. 

Cryptographic keys explained

The cryptographic keys that comprise your wallet will look like a string of completely random characters, including both letters and numbers. If you use a hardware or software wallet, they will generate your key pair for you. Other methods may require the user to create their key pair themselves. However, owing to the technical complexity of the process, we do not recommend that novice or even intermediate users attempt to generate their own key pairs. 

Although the public and private keys contain alphanumeric characters, they’re actually just enormous numbers. For convenience, they’re represented in a number system that will be unfamiliar to those without prior programming experience. 

The number system we’re all familiar with is known as the decimal system. You can represent any number decimally using combinations of numbers ranging from 0 to 9. 

The number system used in cryptocurrencies is called hexadecimal and includes both numbers and letters. With additional characters available, large numbers can be expressed in the hexadecimal format using fewer characters than generated by the decimal system.

However, you don’t need to know much about hexadecimal numbers to store your cryptocurrency securely. Understanding that the private key that protects your holdings is an inconceivably large number (and thus is nearly impossible to “guess”) can reassure you about the security of your funds when properly stored. 

Private keys explained

The private key is the single most important piece of information from your wallet. In a very basic cryptocurrency storage setup, it serves as a sort of master password that controls any cryptocurrency sent to its associated public key. Without additional protection, if someone manages to get hold of your private key, they can transfer the entire contents of the wallet to a new address. Because chargebacks are impossible with blockchain-based cryptocurrencies, your holdings would be unrecoverable. 

You might be wondering what’s to stop someone from just guessing your private key and stealing your money. After all, the private key is only a number, and a powerful computer can guess many thousands of large numbers every second.

In Bitcoin and many other cryptocurrencies, the private key can be almost any number between 1 and 2^256 — i.e. 2 multiplied by itself 256 times. Thus, there are more than 115 quattuorvigintillion combinations of potential private keys. Expressed another way, that’s 115 followed by 75 zeroes. 

As long-time cryptocurrency educator Andreas Antonopolous explains in a handy video presentation on the topic of private key generation, there are fewer atoms in the known universe than potential Bitcoin private keys. Therefore, guessing one or generating the same key as another network user is as good as impossible. 

When a user — or, more likely, their wallet software — wants to spend some of the cryptocurrency previously sent to their wallet’s public address, they create a transaction and sign it using their private key. This digital signature authorizes the transaction to the network. Without a valid signature, the network will reject the transaction. 

Mnemonic phrases 

Even though hexadecimal numbers can be expressed in fewer characters than decimal numbers, private keys are not very user-friendly in their raw form. The average human just isn’t used to dealing with a string of 64 seemingly random characters. For this reason, many modern digital currency wallet solutions provide users with a mnemonic phrase instead of a private key. 

A mnemonic phrase — or seed phrase — is a unique list of 12 or 24 common words. Although they look even less like numbers than the hexadecimal private key, this combination of words is just another way of representing exactly the same number as your private key. 

The words are selected from a specific wordlist containing 2,048 words. The number of potential 12-word combinations exceeds the number of possible private keys. Therefore, every private key can be represented by a different seed phrase. 

As an additional safety mechanism, the first four characters of each of the words are unique. For example, “access” is the only word on the list that begins with “acce.” This reduces the chances of making a mistake when recording a private key. Additionally, smudged ink or sloppy handwriting is less likely to have devastating consequences, if you plan to hold your crypto in your own wallet for many years. 

Private key security

When you set up a new cryptocurrency storage solution, your number one priority should be to make a copy of your private key or mnemonic phrase. Given the importance of this single detail, many examples of wallet software prompt you to reenter the phrase/key before they allow you to use the wallet. 

Some of the most significant threats to private keys and potential solutions to them include:

  • Other people — consider storing your private keys in a secret location or a safe deposit box.
  • Malware/online threats — consider using a cold storage solution (i.e., a device that has never been connected to the internet) and always observe online security best practices. For example, never store your private keys as a text file on an online device. 
  • Fire and water — consider engraving private keys on a steel plate or laminate your backup. 
  • Natural disaster — a second private key backup in a distinct but secure geographical location can prevent private key loss during catastrophes hitting an entire region. 
  • Yourself — simply losing your private key or making a mistake when recording it is one of the biggest threats to your holdings. Don’t overcomplicate your storage setup.

How seriously you take private key security is up to you. In many cases, it makes sense to base this on the value of your cryptocurrency holdings. If you have high-value holdings, you may take additional steps to secure your private key. Meanwhile, a carefully handwritten record of the seed phrase kept in a secret drawer may be enough protection for smaller investors. 

Just remember, the value of your holdings may significantly increase in the future. Cryptocurrency history is full of stories of people who didn’t look after a private key because their holdings were not worth much at the time. Years later, the value of these lost coins is, in some cases, in the hundreds of millions of dollars. 

The 25th seed word

Some modern cryptocurrency wallet solutions introduce an additional layer of security by encrypting the wallet’s data using a user-selected passphrase. You might see this referred to as an optional passphrase or the “25th seed word.”

Wallets that offer this feature are undoubtedly more secure than those that do not. If an attacker does get your entire seed phrase, there is nothing they can do with it without the additional word you chose.

However, you should think carefully before adding an optional word and should choose something sensible if you do decide to. Contrary to the password-creation advice you’ve received in the past, a simple passphrase will provide ample protection from both would-be attackers and, perhaps more importantly, yourself. 

The problem is that, unlike your email service provider or online bank, there is no central authority to issue you a new passphrase should you forget whatever you set. Without your passphrase, you will be permanently locked out of your wallet. 

If someone did get your list of seed words, they would need to brute force the wallet (i.e., spam it with every possible passphrase combination). Providing you still have a copy of your seed words, you’ll likely have enough time to move your holdings to a new key pair before the attacker guesses your passphrase. On the other hand, if you manage to forget an extremely complicated passphrase, you can consider your cryptocurrency lost forever.   

Public keys explained

The public key corresponding to your private key does not need the same level of protection. The network uses it to verify the digital signature you create with your private key when making a transaction. As mentioned in the start, because of the complex cryptography used, it is straightforward for a computer to verify that a public key corresponds to the private key that created a digital signature. However, it is all but impossible to work out the private key from the public key. 

In Bitcoin’s early days, public keys were often used as receiving addresses. However, this represents a privacy leak, as blockchain forensics firms could use an active user’s transaction data to help link wallets with individuals

To reduce the effectiveness of companies like Chainalysis, many modern cryptocurrency storage solutions use a cryptographic process known as hashing to create multiple receiving addresses for a single public key. By avoiding using the same address twice, users enjoy a greater degree of privacy than if they simply used their raw public key for all incoming transactions. 

Creating a cryptographic key pair 

Now that you know all about how cryptocurrency wallets work, as well as the purpose of public and private keys, you should be in a much better position to secure your own digital asset holdings. Fortunately, the various wallet service providers automatically generate a key pair on the behalf of users. 

However, given the range of different options available and the trade-offs associated with them, the subject deserves its own guide. In a separate article, we examine the different cryptocurrency storage solutions — hot and cold wallets — and provide guidance as to when it might be optimal to choose one over the others.  

Finally, don’t worry if any of this information appears overwhelming or overly complicated. As a user, you do not need to understand every last detail of how encryption and cryptographic keys work. Most of the technical aspects are handled by modern software and hardware wallets.

That said, if you’re interested in really understanding how this stuff works, this introduction to the topic of cryptocurrency wallets should serve as a solid foundation for future learning. 

Not a part of the OKX community yet? Sign up to get started.

Disclaimer: This material should not be taken as the basis for making investment decisions, nor be construed as a recommendation to engage in investment transactions. Trading digital assets involve significant risk and can result in the loss of your invested capital. You should ensure that you fully understand the risk involved and take into consideration your level of experience, investment objectives and seek independent financial advice if necessary.