Skip to main content

Overview

Proper key management is critical for maintaining the confidentiality and security of your transactions. This guide covers best practices for generating, storing, and managing encryption keys used with the Solana ZK SDK.

Key Generation

Use Strong Entropy

Always generate keys using the solana-zk-keygen tool, which uses cryptographically secure random number generation: 
solana-zk-keygen new elgamal
Never create keys by manually typing a seed phrase or using predictable sources of randomness.

BIP39 Passphrases

Consider using a BIP39 passphrase for additional security: 
solana-zk-keygen new elgamal
# You will be prompted for an optional passphrase
Benefits of using a passphrase:
  • Adds an extra layer of security beyond the seed phrase
  • Protects against physical theft of the seed phrase
  • Allows plausible deniability (different passphrases generate different keys)
If you use a passphrase, you MUST remember it. Without the passphrase, you cannot recover your keys even with the seed phrase.

Seed Phrase Word Count

Use at least 12 words for your seed phrase. For higher security requirements, use 24 words: 
solana-zk-keygen new elgamal --word-count 24
Word CountEntropy BitsSecurity Level
12 words128 bitsStandard
15 words160 bitsEnhanced
18 words192 bitsHigh
21 words224 bitsVery High
24 words256 bitsMaximum

Secure Storage

Seed Phrase Storage

Your seed phrase is the master key to your encryption keys. Follow these guidelines: DO:
  • Write the seed phrase on paper and store it in a secure location (safe, safety deposit box)
  • Use metal backup devices that are fire and water resistant
  • Consider splitting the seed phrase using Shamir’s Secret Sharing
  • Store backups in multiple geographic locations
  • Use a password manager with strong encryption for digital backups
DON’T:
  • Store seed phrases in plain text files on your computer
  • Take screenshots or photos of seed phrases
  • Store seed phrases in cloud storage without encryption
  • Share seed phrases via email, messaging apps, or any digital communication
  • Store seed phrases near your computer or on the same device

Key File Storage

The JSON key files generated by solana-zk-keygen should be protected: 
# Set restrictive permissions on key files
chmod 600 ~/.config/solana/elgamal.json
chmod 600 ~/.config/solana/aes128.json
Best practices:
  • Store key files on encrypted filesystems
  • Use hardware security modules (HSMs) for high-value applications
  • Never commit key files to version control systems
  • Regularly audit access to directories containing keys
  • Use environment-specific keys (development, staging, production)

Hardware Wallet Integration

For maximum security, consider using hardware wallets:
  • Keys never leave the secure hardware device
  • Resistant to malware and keyloggers
  • Physical confirmation required for transactions

Key Rotation

When to Rotate Keys

Rotate your encryption keys if:
  • You suspect the key has been compromised
  • The key has been used for an extended period (annually for high-security applications)
  • An employee with key access leaves your organization
  • Security vulnerabilities are discovered in key handling procedures

How to Rotate Keys

  1. Generate a new keypair:
solana-zk-keygen new elgamal --outfile ~/.config/solana/elgamal-new.json
  1. Update your application to use the new key
  2. Gradually phase out the old key
  3. Securely delete the old key file:
shred -vfz -n 10 ~/.config/solana/elgamal-old.json
Before deleting old keys, ensure you have backed up the seed phrase and verified you can recover the key if needed for historical data.

Key Recovery

Testing Recovery Procedures

Regularly test your key recovery process: 
# Recover key from seed phrase
solana-zk-keygen recover elgamal --outfile ./test-recovery.json
Verify the recovered key matches the original: 
solana-zk-keygen pubkey elgamal ./test-recovery.json
solana-zk-keygen pubkey elgamal ~/.config/solana/elgamal.json

Recovery Scenarios

Lost key file but have seed phrase: 
solana-zk-keygen recover elgamal
# Enter your seed phrase and passphrase when prompted
Forgotten BIP39 passphrase: Unfortunately, without the passphrase, you cannot recover your keys. This emphasizes the importance of securely storing both the seed phrase AND passphrase. Corrupted key file: If your key file is corrupted but you have the seed phrase, use the recover command to regenerate it.

Multi-Signature and Access Control

Organizational Key Management

For teams and organizations:
  • Implement multi-signature schemes where multiple parties must approve key usage
  • Use role-based access control (RBAC) for key access
  • Maintain an audit log of key usage and access
  • Implement separation of duties (different people generate, store, and use keys)

Key Escrow

Consider key escrow for business continuity:
  • Store encrypted key backups with a trusted third party
  • Use multi-party computation (MPC) to split key control
  • Document key recovery procedures in your disaster recovery plan

Operational Security

Environment Isolation

Use separate keys for different environments: 
# Development keys
solana-zk-keygen new elgamal --outfile ~/.config/solana/dev-elgamal.json

# Production keys
solana-zk-keygen new elgamal --outfile ~/.config/solana/prod-elgamal.json

Access Monitoring

Monitor and log access to key files: 
# Linux audit example
auditctl -w ~/.config/solana/elgamal.json -p rwa -k elgamal-access

Secure Key Generation Environment

Generate keys on a secure, air-gapped machine when possible:
  • Use a clean operating system installation
  • Disconnect from the internet
  • Verify the integrity of the solana-zk-keygen binary
  • Transfer keys to operational systems using encrypted, authenticated channels

Compliance Considerations

Regulatory Requirements

Depending on your jurisdiction and use case, you may need to:
  • Maintain key usage audit trails
  • Implement key management policies (NIST, ISO 27001)
  • Support key recovery for legal or regulatory purposes
  • Comply with data residency requirements for key storage

Documentation

Maintain documentation for:
  • Key generation procedures
  • Key storage locations and access controls
  • Key rotation schedules
  • Recovery procedures
  • Incident response plans for key compromise

Emergency Procedures

Key Compromise Response

If you suspect a key has been compromised:
  1. Immediately stop using the compromised key
  2. Generate a new keypair
  3. Update all systems to use the new key
  4. Investigate the scope of the compromise
  5. Notify affected parties if required
  6. Review and improve security procedures

Secure Key Deletion

When permanently deleting keys: 
# Securely overwrite and delete
shred -vfz -n 10 ~/.config/solana/elgamal.json

# For SSDs, ensure TRIM is enabled or use disk encryption
Standard file deletion is not sufficient for sensitive key material. Use secure deletion tools appropriate for your storage medium.

Checklist

Use this checklist to ensure proper key management:
  • Keys generated using solana-zk-keygen with strong entropy
  • Seed phrases backed up in multiple secure locations
  • Key files have restrictive file permissions (600 or stricter)
  • BIP39 passphrase documented and stored securely (if used)
  • Key recovery procedures tested and documented
  • Separate keys used for development and production environments
  • Key rotation schedule established and followed
  • Access to keys monitored and logged
  • Incident response plan prepared for key compromise
  • Compliance requirements documented and met

Additional Resources

Build docs developers (and LLMs) love

Get started for freeTalk to us