Key Management
BlockVault is an HD (Hierarchical Deterministic) wallet — a single mnemonic phrase generates all addresses across every supported blockchain using industry-standard derivation.
1. Mnemonic Generation
- Standard: BIP-39
- Lengths: 12 or 24 words
- Entropy: Cryptographically secure random bytes (
crypto.randomBytes)
The mnemonic is the root of all keys. It is immediately encrypted with AES-256-GCM (see Security) and stored in hardware-backed secure storage.
2. Key Derivation
Standards used
| Standard | Purpose |
|---|---|
| BIP-39 | Mnemonic ↔ Seed conversion |
| BIP-32 | Hierarchical key tree from seed |
| BIP-44 | Multi-account, multi-coin derivation paths |
Derivation flow
Mnemonic (12/24 words)
→ BIP-39 seed (512 bits)
→ BIP-32 master key
→ BIP-44 path: m / purpose' / coin_type' / account' / change / index
→ Child private key (32 bytes)
→ Blockchain-specific address3. Derivation Paths by Blockchain
Each blockchain uses a standardized BIP-44 coin type:
| Blockchain | Coin Type | Derivation Path | Curve | Address Format |
|---|---|---|---|---|
| Bitcoin | 0 | m/44'/0'/0'/0/0 | secp256k1 | P2PKH, P2WPKH, P2SH-P2WPKH |
| Counterparty | 0 | m/44'/0'/0'/0/0 | secp256k1 | P2PKH (same as Bitcoin) |
| Ethereum | 60 | m/44'/60'/0'/0/0 | secp256k1 | EIP-55 checksummed hex |
| Polygon | 60 | m/44'/60'/0'/0/0 | secp256k1 | EIP-55 checksummed hex |
| BSC | 60 | m/44'/60'/0'/0/0 | secp256k1 | EIP-55 checksummed hex |
| Base | 60 | m/44'/60'/0'/0/0 | secp256k1 | EIP-55 checksummed hex |
| Arbitrum | 60 | m/44'/60'/0'/0/0 | secp256k1 | EIP-55 checksummed hex |
| Optimism | 60 | m/44'/60'/0'/0/0 | secp256k1 | EIP-55 checksummed hex |
| Solana | 501 | m/44'/501'/0'/0' | Ed25519 | Base58 public key |
| Cosmos | 118 | m/44'/118'/0'/0/0 | secp256k1 | bech32 (cosmos1...) |
| dYdX | 118 | m/44'/118'/0'/0/0 | secp256k1 | bech32 (dydx1...) |
| Osmosis | 118 | m/44'/118'/0'/0/0 | secp256k1 | bech32 (osmo1...) |
| Noble | 118 | m/44'/118'/0'/0/0 | secp256k1 | bech32 (noble1...) |
All EVM chains share coin type
60and produce the same address from the same mnemonic. Cosmos chains share coin type118but use different bech32 prefixes.
4. Address Generation
Bitcoin (3 address types)
| Type | Format | Example prefix |
|---|---|---|
| P2PKH | Legacy | 1... |
| P2WPKH | Native SegWit (bech32) | bc1q... |
| P2SH-P2WPKH | Wrapped SegWit | 3... |
From the same private key, BlockVault can generate all three formats. The user selects which type to use.
EVM Chains
Private key → ethers.Wallet → EIP-55 checksummed address (0x...).
All EVM chains (Ethereum, Polygon, BSC, Base, Arbitrum, Optimism) produce the same address from the same key.
Solana
Private key (Ed25519) → Public key → Base58 encoding.
Solana uses a different curve (Ed25519) than Bitcoin/EVM (secp256k1), so the same mnemonic produces a completely different address.
Cosmos Chains
Private key (secp256k1) → Public key → RIPEMD160(SHA256(pubkey)) → bech32 encoding with chain-specific prefix.
5. Multi-Wallet Support
BlockVault supports multiple seeds (wallets), each stored as a separate encrypted entry:
SeedEntity
├── id: number
├── name: string ← User-friendly label
├── storageKey: string ← "seed_{id}" key in SecureStorage
└── wallets: WalletEntity[] ← All derived addressesEach WalletEntity records:
WalletEntity
├── address: string ← The derived address
├── type: string ← p2pkh, p2wpkh, legacy, etc.
├── path: string ← Full derivation path used
├── pubkey: string ← Public key
└── seed: SeedEntity ← Parent seed referenceUsers can create additional wallets (seeds) and switch between them. Deleting a seed cascades to all its derived addresses.
6. Private Key Lifecycle
Private keys are never persisted. The lifecycle is:
1. User authenticates (password or biometric)
2. Encrypted mnemonic is decrypted in memory
3. Private key is derived for the specific path needed
4. Transaction is signed
5. Private key and mnemonic are discarded from memoryThis ensures that even if the device storage is compromised, the keys cannot be extracted without the user's password.