Skip to main content
Private keys are the foundation of security on Hive. This guide covers how to generate, derive, and manage keys safely.

Key Types Overview

Hive accounts have four key types, each with different permissions:
Key TypePermission LevelUse Cases
OwnerHighestChange passwords, recover account, update authority
ActiveHighTransfers, power up/down, witness votes, proposals
PostingMediumPost, comment, vote, follow, reblog
MemoSpecialEncrypt/decrypt private messages
Never use your owner key for daily operations. Store it securely offline and only use it for account recovery or key changes.

Generating Random Keys

Create a new cryptographically secure random key:
1

Generate a random key

Key generation may take up to 250ms due to entropy collection for cryptographic security.
2

Get the public key

3

Store safely

Deriving Keys from Username and Password

Hive uses a deterministic key derivation scheme. You can generate the same keys from a username, password, and role:
Key derivation formula:
This is the same derivation used by Hive wallets. If you have your master password, you can always recover your keys.

Creating Keys from a Seed

Generate deterministic keys from a seed string or bytes:
The seed is hashed with SHA256 to produce the private key. The same seed always produces the same key.

Loading Existing Keys

Import keys from WIF (Wallet Import Format) strings:

Working with Public Keys

Derive public keys from private keys:

Secure Key Storage

Environment Variables

Store keys in environment variables:

Encrypted Storage

For production applications, use encrypted key storage:

Key Security Best Practices

Never commit private keys to version control. Add .env and key files to .gitignore.
Never log private keys. Use the inspect() method for safe logging.
Use the minimum required key authority. Use posting keys for social actions, active keys for financial operations.
Rotate keys periodically. Update your active and posting keys every few months for security.
Use hardware wallets for owner keys and large amounts. Keep owner keys completely offline.

Signing Messages

Sign arbitrary 32-byte hashes:

Shared Secrets (ECDH)

Compute shared secrets for memo encryption:
Shared secrets are used internally by the Memo class for encrypted messages. See the Memo Encryption guide for details.

Key Validation

Validate key format on import:

Complete Key Management Example

Next Steps