Crypto Security Best Practices

Key Management and Recovery

Your wallet’s private key (derived from a seed phrase) gives control over funds. If someone gets it, they own your assets. If you lose it, access is gone. Strong key management pairs secure creation, offline backups, and a clear recovery plan.

1) Public Keys, Private Keys, and Seed Phrases

  • Public address: Shareable; others can send you funds.
  • Private key: Secret; proves ownership and signs transactions.
  • Seed phrase (BIP-39): 12–24 words that can recreate all your accounts (via hierarchical derivation like BIP-32). Treat it as the master backup.
  • Optional passphrase (“25th word”): Adds an extra secret on top of your seed; the seed plus passphrase derives a different set of keys, so a stolen seed phrase alone cannot reproduce the wallet.

2) Generate & Store Keys Safely

  • Use a hardware wallet: Generate the seed on the device; never type seeds into a website or take screenshots.
  • Offline backups: Write seed on paper or engrave on metal; store in separate, private locations. Avoid cloud notes and email.
  • Passphrase discipline: If you enable it, back it up separately from the seed and label it innocuously.
  • Label environments: Distinguish mainnet vs. testnet wallets; keep “spend” and “vault” seeds separate.

3) Multisig & Shared Control (for Larger Balances)

  • Threshold approvals: Require 2-of-3 or 3-of-5 signers to move funds—resists single-device loss or compromise.
  • Geographic separation: Store devices/backup cards in different locations to reduce correlated risk.
  • Operational playbook: Define who signs what, how to replace a lost signer, and how emergencies are handled.

4) Recovery Planning that Actually Works

  • Test your backups: On a spare device, restore a watch-only wallet or tiny balance to confirm your procedure works—before you need it.
  • Document the steps: Write a clear, offline guide for a trusted future you (or heirs) covering devices, PINs, passphrase, derivation paths, and wallet apps used.
  • Estate planning: Consider legal mechanisms (instructions in a sealed letter or with an attorney) so assets aren’t lost.
  • Custodial fallback (optional): If self-custody is too risky for you, reputable custodians can reduce key-handling burden at the cost of counterparty risk.
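As an added example (not code from the original page), here is the derivation behind points 1 and 4: how a seed phrase and optional passphrase become a BIP-39 seed and then a BIP-32 master key, plus a check that a written backup restores the same wallet as the device without ever comparing the key itself. The `backup_id` helper is an assumption for illustration, the demo mnemonic is the published BIP-39 reference vector (all-zero entropy), and word-list checksum validation is omitted because it needs the 2048-word list.

```python
import hashlib
import hmac
import unicodedata


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: seed = PBKDF2-HMAC-SHA512(NFKD(words), "mnemonic" + NFKD(passphrase)),
    2048 rounds, 64-byte output. Extra whitespace from transcription is tolerated."""
    words = " ".join(unicodedata.normalize("NFKD", mnemonic).split())
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, dklen=64)


def bip32_master(seed: bytes):
    """BIP-32 root node: HMAC-SHA512 keyed with b"Bitcoin seed";
    left 32 bytes = master private key, right 32 bytes = chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def backup_id(mnemonic: str, passphrase: str = "") -> str:
    """Hypothetical helper: a short label for the wallet a backup reproduces.
    SHA-256 of the master private key, first 8 hex chars; it reveals nothing
    about the key, so it can be written on the backup card for later checks."""
    master_key, _chain_code = bip32_master(mnemonic_to_seed(mnemonic, passphrase))
    return hashlib.sha256(master_key).hexdigest()[:8]


def backup_restores_same_wallet(written_words: str, written_passphrase: str, expected_id: str) -> bool:
    """The 'test your backups' step: does the transcribed seed (+ passphrase) land on the same wallet?"""
    return backup_id(written_words, written_passphrase) == expected_id


# Constructed demo input: BIP-39 reference test mnemonic (entropy of all zero bytes).
MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    device_id = backup_id(MNEMONIC, "")
    print("wallet id without passphrase:", device_id)
    print("wallet id with passphrase:   ", backup_id(MNEMONIC, "TREZOR"))
    # A correct transcription matches; forgetting the passphrase lands on a different wallet.
    print("backup ok:", backup_restores_same_wallet(MNEMONIC, "", device_id))
    print("passphrase missing:", backup_restores_same_wallet(MNEMONIC, "TREZOR", device_id))
```

Run it once with a throwaway seed on a spare device to rehearse the procedure; never paste a real seed into a script on an online machine.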

5) If a Key is Exposed or a Device is Compromised

  1. Move funds immediately to a new wallet with a freshly generated seed (preferably hardware).
  2. Revoke risky approvals/permissions on dApps you used.
  3. Factory-reset or replace affected devices; update OS, browser, drivers, and wallet firmware before reconnecting.
  4. Rotate exchange/email passwords and 2FA; remove SMS 2FA where possible.
  5. Document what happened (txids, links) for any reports you may need to file.

Summary

Generate seeds on a hardware wallet, back them up offline (and separately back up the passphrase if used), consider multisig for larger balances, and rehearse your recovery. Clear procedures turn scary moments into simple operations.

What's Next

Next, learn How to Track Transactions to verify transfers, decode token movements, and set alerts across multiple wallets and chains.