Private Key Management

Encryption & Key Management

Defi App integrates Turnkey via Dynamic’s Account Abstraction infrastructure to provide secure, passkey-authenticated wallet management.

Wallet private keys are generated and used only inside Turnkey's secure enclaves (AWS Nitro Enclaves); they are never stored on the user's device or exposed to the application.

Storage & Security Mechanism

Turnkey-Managed Private Keys via Secure Enclaves

  • Passkeys replace traditional passwords. They are WebAuthn credentials unlocked by the user's biometric authentication (TouchID, FaceID) or held on a hardware security key. Passkeys sync across devices via keychains (iCloud Keychain, Google Password Manager, 1Password), allowing users to authorize signing requests from any device; the synced credential authorizes requests to the enclave, and the wallet key itself never moves.

  • The wallet's private key is never stored on the user's device. What the device holds is the passkey credential, which its platform authenticator protects (e.g., the iOS Secure Enclave, Android's Trusted Execution Environment); the wallet key itself stays inside Turnkey's AWS Nitro Enclaves.

  • Wallet objects and verified credentials include Turnkey-specific metadata for authentication:

    • turnkeySubOrganizationId

    • turnkeyPrivateKeyId

    • turnkeyHDWalletId

    • turnkeyUserId

  • Session Security Flags:

    • isAuthenticatorAttached: Indicates whether a passkey authenticator is attached to the wallet. Signing requires one, so check this flag before initiating a transaction.

    • isSessionKeyCompatible: Indicates whether the wallet supports session keys, i.e. whether a scoped, short-lived key can authorize transactions without a fresh passkey prompt for each one.

Security & Compliance

Key Protection & Encryption

Private keys are never stored or handled in plaintext outside the enclave: key material at rest is encrypted and is only decrypted inside the isolated enclave that uses it. AWS Nitro Enclaves and Trusted Execution Environments (TEEs) keep all cryptographic operations in isolated, attestable environments, so the code and configuration of the enclave can be verified before it is trusted with key material.

No raw private key access is needed at any point: neither the user nor the application ever handles the key. A signing request is authorized by a passkey assertion and executed inside the enclave, which removes the key-export paths that phishing and malware normally target.

Passkeys replace passwords, using biometric authentication (FaceID, TouchID) or hardware security keys for frictionless, phishing-resistant access: a passkey is bound to the origin it was registered for, so it cannot be replayed against a look-alike site.

Backup & Recovery

  • Passkeys sync across devices via keychain providers like iCloud Keychain, Google Password Manager, and 1Password, enabling seamless recovery on a new device. Recovery therefore depends on the user keeping access to that keychain account (the Apple ID, Google account or 1Password account behind it).

  • Encrypted private key ciphertext is replicated to disaster-recovery databases, so a storage failure does not lose wallets; because the ciphertext can only be decrypted inside an enclave, replicating it does not weaken key protection.

Regulatory & Security Standards

  • EIP-4361 (Sign-In with Ethereum) & BIP-32/39 compliance for wallet authentication and hierarchical deterministic wallets.

  • Non-custodial architecture: only the end user, via their passkey, can authorize key usage, which keeps full control of the funds with the user.

  • Turnkey follows industry-standard cryptographic practices, but explicit FIPS-140-2 certification is not publicly confirmed.
