What Is a Private Key?
A private key is a random value made up of 64 hexadecimal characters. It is the sole credential that proves ownership of assets on the blockchain and authorizes transactions. Anyone who holds your private key has complete control over your on-chain assets — with no exceptions and no appeals process.
Why Is a Private Key So Important?
The core design of blockchain is trustless: you do not need permission from a bank, an exchange, or any institution to move assets. The technical foundation that makes this possible is asymmetric cryptography and the private key mechanism.
When you initiate an on-chain transfer, the wallet software uses your private key to digitally sign the transaction data. Every node in the network can verify the authenticity of that signature using the corresponding public key, but cannot reverse-engineer the private key from the signature or the public key. This mechanism enables decentralized asset ownership.
Understanding the underlying logic of Ethereum accounts can help you see the role of private keys in the overall system.
Core Mechanics and Key Concepts
Key pair: A private key and a public key are a mathematically related pair. The private key is a randomly generated 256-bit large integer. The public key is derived from the private key via the elliptic curve algorithm (ECDSA; Ethereum uses the secp256k1 curve). The wallet address is a truncated hash of the public key.
Derivation is one-directional:
Private Key → Public Key → Address
You can share your address and public key openly, but the private key must remain strictly confidential.
Relationship between private key and seed phrase: Most modern wallets use a seed phrase as a seed and derive a series of private keys via an HD wallet (BIP32/BIP44 standard). The seed phrase is the "parent" of private keys — a single seed phrase can generate and manage private keys for multiple accounts across multiple chains.
Raw private key: Some older wallets or tools export the private key directly (typically a 64-character hexadecimal string prefixed with 0x), which only controls the single corresponding address. OneKey supports importing existing accounts via a raw private key.
Signing process: Every on-chain transaction requires the private key to participate in signing. Signing only occurs at the moment of signing — the private key itself never leaves the local device. OneKey hardware wallets isolate the signing process inside an offline chip, so internet-connected devices never see the raw private key.
Refer to the Ethereum wallet guide for more detail on wallet types and key management.
User Scenarios
Scenario 1: Secure signing with a hardware wallet You use a OneKey hardware wallet to confirm a DeFi transaction. The hardware device completes the private key signing inside its secure chip. The signed result is sent to the connected app; the private key itself never touches the internet, effectively preventing remote attacks.
Scenario 2: Migrating an old account You have the raw private key of an Ethereum address and want to access it in OneKey App. Select "Import Wallet" → "Private Key," paste the private key, and you can immediately view and manage the assets at that address.
Scenario 3: Managing DeFi approvals When you authorize a DeFi protocol to access your wallet, you are not sharing your private key — you are signing an on-chain authorization instruction. You can revoke any approvals you no longer need at any time using tools like Revoke.cash to reduce your risk exposure.
How to Get Started in OneKey App
- Download OneKey App and complete the initial setup.
- When creating a new wallet, the app generates the private key locally on the device. You will only see the corresponding seed phrase for backup purposes.
- To import an existing address, select "Import Wallet" → "Private Key" and enter the hexadecimal private key string.
- In the account details view, you can see the address, balance, and transaction history. All signing operations are completed locally.
- When using a OneKey hardware wallet, both key generation and signing take place on the offline device, raising the security level further.
Risks and Precautions
- A private key equals ownership: Anyone who obtains your private key has full control over assets at the corresponding address. On-chain transfers are irreversible.
- Never enter your private key on any online platform: This includes websites, messaging tools, and "security check" tools. OWASP's phishing documentation details common social engineering attack methods.
- Do not screenshot or photograph your private key: Images may be automatically synced to the cloud, creating a disclosure risk.
- Do not store your private key in email or cloud storage: Encrypted local storage or physical media (paper, metal plate) are safer choices.
- Beware "private key verification" scams: Any claim that you must provide your private key to "unlock your account" or "claim a reward" is a scam, without exception.
- Regularly review on-chain approvals: Even when your private key is secure, excessive contract approvals can still put assets at risk. Use Revoke.cash periodically to clean up approvals.
Frequently Asked Questions
Q: Is a private key the same as a password? A: No. A wallet app's password or PIN is local access protection and does not affect on-chain assets. A private key is the core credential that controls a blockchain address. The two operate at completely different levels.
Q: Can I change my private key? A: Once a private key is generated, it is permanently bound to the corresponding address and cannot be changed. If you suspect your private key has been compromised, create a new wallet address immediately and transfer your assets to it.
Q: What is the difference between an exchange holding your private key and self-custody? A: When you use a centralized exchange, what you hold is an IOU from the exchange — the private key is held by the exchange. Self-custody means you personally hold the private key and have complete control over your assets, but you also bear full security responsibility.
Q: Where is the private key inside a hardware wallet? A: Inside the device's Secure Element chip, never exported to any internet-connected device. It only participates in computation inside the chip at the moment of signing.
Protect Your Assets Now
Private key security is the first line of defense for protecting crypto assets. Visit the OneKey website to learn about the security design of the hardware wallet and app, or download OneKey App to begin your self-custody journey. Controlling your private key means truly owning your assets.



