# Private Key Management

Defi App integrates [**Turnkey**](https://github.com/tkhq) via Dynamic’s Account Abstraction infrastructure to provide secure, passkey-authenticated wallet management.

Private keys are protected using **secure enclaves and AWS Nitro Enclaves**, ensuring high security without local storage.

## **Storage & Security Mechanism**

### **Turnkey-Managed Private Keys via Secure Enclaves**

* **Passkeys replace traditional passwords** and are tied to a user's biometric authentication (TouchID, FaceID) or hardware security module. **Passkeys sync across devices** via keychains (iCloud, Google Password Manager, 1Password), allowing users to sign transactions securely from any device.
* **Private keys are never directly stored** on the user's device. Instead, they are protected using **secure enclaves** (e.g., iOS Secure Enclave, Android’s Trusted Execution Environment).
* Wallet objects and verified credentials include **Turnkey-specific metadata** for authentication:
  * `turnkeySubOrganizationId`
  * `turnkeyPrivateKeyId`
  * `turnkeyHDWalletId`
  * `turnkeyUserId`
* **Session Security Flags**:
  * `isAuthenticatorAttached`: Ensures wallet meets **biometric authentication security**.
  * `isSessionKeyCompatible`: Determines whether **session-based keys** can be used securely.

## Security & Compliance

### **Key Protection & Encryption**

Private keys are never stored in plaintext—they are encrypted and only decrypted inside tamper-proof secure enclaves. AWS Nitro Enclaves and Trusted Execution Environments (TEEs) ensure all cryptographic operations happen in isolated, auditable environments.

**No raw private key access** is needed at any point, reducing phishing and attack risks.

Passkeys replace passwords, using biometric authentication (FaceID, TouchID) or hardware security modules for frictionless, secure access.

### **Backup & Recovery**

* Passkeys sync across devices via keychain providers like iCloud, Google Password Manager, and 1Password, enabling seamless recovery.
* Encrypted private key ciphertext is stored in disaster recovery databases, ensuring fault tolerance without compromising security.

### **Regulatory & Security Standards**

* EIP-4361 (Sign-In with Ethereum) & BIP-32/39 compliance for wallet authentication and hierarchical deterministic wallets.
* Non-custodial architecture—only the end user can authorize key usage, reinforcing full user control over their funds.
* Turnkey follows industry-standard cryptographic practices, but explicit FIPS-140-2 certification is not publicly confirmed.
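As an added example (not code from Defi App, Dynamic or Turnkey), the relying-party checks behind the EIP-4361 item above: a server parses the Sign-In with Ethereum message and verifies domain binding, chain ID, a nonce it actually issued, and the validity window before trusting the sign-in. The sample message, address and nonce are constructed; signature recovery over the message is assumed to happen separately.

```javascript
// Parse an EIP-4361 (Sign-In with Ethereum) message into its fields.
// The header is fixed by the spec; the remaining "Key: value" lines follow an
// optional free-text statement. Signature verification is out of scope here.
const HEADER_RE =
  /^(?<domain>\S+) wants you to sign in with your Ethereum account:\n(?<address>0x[0-9a-fA-F]{40})\n/;

function parseSiweMessage(text) {
  const m = HEADER_RE.exec(text);
  if (!m) throw new Error('not an EIP-4361 message');
  const fields = { domain: m.groups.domain, address: m.groups.address };
  for (const line of text.slice(m[0].length).split('\n')) {
    // A statement line containing ": " would also match; keep statements plain.
    const kv = /^([A-Za-z ]+): (.*)$/.exec(line);
    if (kv) fields[kv[1]] = kv[2];
  }
  return fields;
}

// Server-side policy: returns the names of the failed checks (empty = accept).
// `expected.issuedNonces` is the set of unconsumed nonces this server handed out.
function checkSiweMessage(fields, expected, now = new Date()) {
  const problems = [];
  if (fields.domain !== expected.domain) problems.push('domain');       // message minted for another site
  if (fields['Chain ID'] !== String(expected.chainId)) problems.push('chainId');
  if (fields.Version !== '1') problems.push('version');
  if (!expected.issuedNonces.has(fields.Nonce)) problems.push('nonce'); // replayed or unknown nonce
  const exp = Date.parse(fields['Expiration Time'] ?? '');
  if (Number.isNaN(exp) || exp <= now.getTime()) problems.push('expired');
  const nbf = fields['Not Before'] ? Date.parse(fields['Not Before']) : NaN;
  if (!Number.isNaN(nbf) && nbf > now.getTime()) problems.push('notBefore');
  return problems;
}

// Constructed sample message; the address and nonce are made up for this example.
const SAMPLE_MESSAGE = [
  'app.example.com wants you to sign in with your Ethereum account:',
  '0x' + '1'.repeat(40),
  '',
  'Sign in to the wallet dashboard.',
  '',
  'URI: https://app.example.com/login',
  'Version: 1',
  'Chain ID: 1',
  'Nonce: k3jd9s8a7f6g5h4j',
  'Issued At: 2024-01-01T00:00:00Z',
  'Expiration Time: 2024-01-01T00:10:00Z',
].join('\n');
```

A consumed nonce should be removed from `issuedNonces` after a successful sign-in so the same signed message cannot be presented twice.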
