Nostr Key Management: Complete Guide

Introduction

On Nostr, your keys are your identity. Understanding key management isn’t optional—it’s fundamental to using the protocol safely and effectively.

This guide provides comprehensive coverage of Nostr key management: from initial generation through daily usage, backup strategies, and recovery planning (or lack thereof).

Understanding Nostr Keys

What Are Cryptographic Keys?

Nostr uses public-key cryptography (specifically, the secp256k1 elliptic curve, the same as Bitcoin).

The Basics:

Key Pair: Two mathematically related keys generated together
Public Key: Safe to share, identifies you
Private Key: Secret, proves you are you

The Relationship:

Private Key + Message = Digital Signature
Public Key + Signature + Message = Verification

Anyone can verify a message was signed by your private key using your public key, but they cannot forge signatures without your private key.

Your Nostr Key Pair

When you generate a Nostr identity, you create:

Private Key:

64 hexadecimal characters (256 bits)
Example hex: 3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d
Example nsec1 (Bech32): nsec180cvv83m27afv2pzhd97pl3aw5lu729x0cmnj7zv0edxcnjle67q23pczl

Public Key:

Also 64 hex characters
Derived mathematically from private key
Example hex: 3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d
Example npub1 (Bech32): npub180cvv83m27afv2pzhd97pl3aw5lu729x0cmnj7zv0edxcnjle67q23pczl

Key Format Types

Nostr keys exist in different formats for different purposes:

1. Hexadecimal (Raw Format)

Format: 64 hexadecimal characters (0-9, a-f) Private: 3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d Public: 7e7e9c42dcb1674c1f8f3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e

Use Cases:

Developer tools
API integrations
Low-level protocol work

Advantages: Compact, universal Disadvantages: No error checking, not user-friendly

2. Bech32 Format (Preferred)

Format: Human-readable prefix + encoded data + checksum

Private Key (nsec1…):

nsec180cvv83m27afv2pzhd97pl3aw5lu729x0cmnj7zv0edxcnjle67q23pczl

Public Key (npub1…):

npub180cvv83m27afv2pzhd97pl3aw5lu729x0cmnj7zv0edxcnjle67q23pczl

Advantages:

Error detection (typos caught before use)
Clear type identification (nsec = secret, npub = public)
Safer for users
Copyable as one string

Why It Matters: The prefix tells you immediately whether you’re looking at a public or private key, reducing accidents.

3. NIP-19 Extended Formats

For sharing events, profiles, or notes with additional context:

Note ID: note1... (points to specific post) Event ID: nevent1... (event with relay hints) Profile: nprofile1... (profile with relay hints)

These are beyond basic key management but useful for sharing content.

Generating Your Keys Securely

Where Keys Come From

Client-Side Generation: All legitimate Nostr clients generate keys on your device. Your private key should never be generated by a server or website.

The Process:

You click “Generate Keys” in a client
Client uses cryptographic random number generator
Private key created (256 bits of randomness)
Public key derived mathematically
Both displayed to you immediately
Keys never sent anywhere

Choosing Generation Method

Option 1: Mobile App (Recommended for Beginners)

Best Choices:

Damus (iOS)
Amethyst (Android)

Why This Works Well:

Native secure storage
Device encryption
Biometric protection available
Simpler backup process
Protected by phone security

Process:

Install official app from app store
Open app
Select “Create Account”
Keys generated on-device
Immediately back up (write down nsec)

Option 2: Browser Extension (Recommended for Web Users)

Best Choices:

nos2x
Alby
Flamingo

Why This Works Well:

Keys stay in extension (never exposed to websites)
Signature requests require approval
Better security than web clients
Works across all web clients

Process:

Install extension from official store
Create new keys in extension
Extension stores privately
Immediately back up (export and save securely)

Option 3: Offline Generation (Maximum Security)

For Advanced Users or High-Value Identities:

Method:

Use an air-gapped computer (never connected to internet)
Generate keys using trusted tool (e.g., command-line key generator)
Write down both keys on paper
Clear computer memory
Only import public key online

Tools for Offline Generation:

nak command-line tool (by fiatjaf)
Custom scripts (if you trust your own code)
Hardware wallets (emerging support)

Security Level: Maximum (private key never touches internet) Complexity: High (requires technical knowledge)

What NOT to Do

Never:

❌ Use online key generators (websites)
❌ Let someone else generate keys for you
❌ Use predictable passphrases to generate keys
❌ Trust “key recovery” services (scams)
❌ Generate keys on shared/public computers

Storing Your Private Key

Your private key storage strategy is the most important security decision you’ll make.

Storage Principles

The Balancing Act:

Too accessible: Risk of theft, malware, compromise
Too secure: Risk of loss, inability to access, permanent lockout

The Goal: Maximize security while maintaining necessary access.

Storage Options Compared

Method	Security	Accessibility	Best For
Password Manager	⭐⭐⭐⭐	⭐⭐⭐⭐⭐	Daily use
Physical Paper	⭐⭐⭐⭐⭐	⭐⭐	Long-term backup
Encrypted USB	⭐⭐⭐⭐	⭐⭐⭐	Secure portable access
Browser Extension	⭐⭐⭐⭐	⭐⭐⭐⭐⭐	Web access
Mobile App	⭐⭐⭐⭐	⭐⭐⭐⭐⭐	Mobile access
Hardware Wallet	⭐⭐⭐⭐⭐	⭐⭐	Maximum security
Plain Text File	⭐	⭐⭐⭐⭐⭐	NEVER
Cloud Storage	⭐⭐	⭐⭐⭐⭐⭐	Avoid

Method 1: Password Manager (Recommended)

Modern password managers provide excellent security and accessibility balance.

Recommended Password Managers

1Password (Paid):

Industry-leading security
End-to-end encryption
Secret Key (additional security layer)
Emergency access features
Family sharing (careful with sensitive keys)

Bitwarden (Freemium):

Open source
Self-hosting option
Strong encryption
Two-factor authentication
Free tier available

KeePassXC (Free, Offline):

Completely offline
Open source
Local database file
No cloud sync (you control backups)
Maximum control

How to Store in Password Manager

Step-by-Step:

Create Secure Note (not a password entry)
- Item type: “Secure Note”
- Title: “Nostr Identity - DO NOT SHARE”

Add Key Details:

Nostr Private Key (NEVER SHARE)
nsec: nsec1...your...key...here

Public Key (safe to share)
npub: npub1...your...key...here

Created: 2025-01-19
Used for: [describe identity purpose]

Add Tags/Categories:
- Tag: “Nostr”, “Cryptocurrency”, “Critical”
- Folder: “Identities” or “Critical Keys”
Enable Additional Security:
- Require master password to view
- Don’t store in browser
- Enable clipboard auto-clear
Backup Password Manager:
- Export encrypted vault (store securely)
- Write down emergency kit
- Store in separate physical location

Method 2: Physical Backup

Physical backups are your insurance policy against digital loss.

Paper Backup (Basic)

Materials:

Acid-free paper (archival quality)
Permanent ink pen (archival)
Fireproof/waterproof container

Process:

Write clearly and legibly
Write your nsec in full
Verify every character (one mistake = lost key)
Consider writing twice and comparing
Store in safe, bank deposit box, or fireproof safe

Format to Write:

NOSTR PRIVATE KEY - NEVER SHARE
Created: January 19, 2025

nsec1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Public Key (npub1xxxxxxxxx...)

Purpose: [Main identity / Testing / etc.]

To restore: Import this nsec into any Nostr client

Metal Backup (Advanced)

For maximum durability:

Products:

Crypto Steel (metal plates with letters)
Blockplate (punch letters into metal)
Steel plates (stamp or engrave)

Advantages:

Fire resistant (up to 1,000°C+)
Waterproof
Corrosion resistant
Centuries-long durability

Disadvantages:

Cost (£50-150)
Less convenient to update
Requires tools

Redundancy Strategy

The 3-2-1 Rule for Nostr Keys:

3 copies total:

1 in password manager (daily use)
1 paper backup (home safe)
1 paper backup (offsite location)

2 different media types:

Digital (password manager, encrypted USB)
Physical (paper, metal)

1 copy offsite:

Bank deposit box
Trusted family member’s secure location
Second home/office

Method 3: Browser Extensions

Extensions like nos2x, Alby, and Flamingo securely store your key for web access.

How It Works:

Import your private key once
Extension stores it locally (browser storage)
Web clients request signatures
You approve each request
Your key never leaves the extension

Additional Security:

Set extension password/PIN
Review each signature request
Don’t auto-approve
Regularly review authorized sites

Backup Consideration: Extension data can be lost if you uninstall or clear browser data. Maintain independent backups.

Method 4: Hardware Wallets (Emerging)

Hardware wallet support for Nostr is emerging.

How It Would Work:

Private key stored on hardware device
Signing happens on-device
Key never exposed to computer
Similar to Bitcoin hardware wallets

Status (2025): Early development, not widely available

Future Promise: Maximum security with reasonable convenience

Backup Strategies

Backups aren’t optional—they’re mandatory. There’s no password reset.

When to Back Up

Immediately:

The moment you generate keys
Before using the identity for anything important
Before storing any value (Lightning funds)

Don’t wait. Keys can be lost to:

Device failure
App uninstall
Browser data clearing
Accidental deletion
Hardware damage

Testing Your Backup

Critical Step: Verify your backup works BEFORE you depend on it.

Test Process:

Create test identity
- Generate new keys
- Note down the npub
Back up using your system
- Follow your backup procedure
- Create the same backups you plan to use for real
Delete the original
- Remove from client
- Clear from extension/app
Restore from backup
- Use your backup to import keys
- Attempt to sign a message
Verify restoration
- Check npub matches original
- Successfully sign and post

If this test fails, your backup procedure is broken. Fix it before trusting it with your real identity.

Backup Mistakes to Avoid

Common Errors:

Typos in manual transcription
- Write carefully
- Verify character-by-character
- Consider writing twice and comparing
Storing backups insecurely
- Don’t store in cloud without encryption
- Don’t photograph and save to phone
- Don’t email to yourself
Not testing backups
- Always verify backups work
- Test before depending on them
Single point of failure
- Don’t keep all backups in one location
- Diversify storage locations
Forgetting about backups
- Document backup locations
- Tell trusted person where backups are (for inheritance)

Daily Key Usage

Using Keys with Clients

Different client types handle keys differently.

Mobile Apps

Damus (iOS):

Keys stored in iOS secure enclave
Protected by device encryption
Biometric authentication available
Backup via manual key export

Amethyst (Android):

Keys stored in Android KeyStore
Device encryption protection
Biometric authentication available
Manual backup required

Best Practices:

Enable app-level authentication
Keep device PIN/password strong
Regular app updates
Don’t root/jailbreak device (reduces security)

Web Clients with Extensions

Recommended Flow:

Install browser extension (nos2x, Alby, Flamingo)
Import key into extension
Use any web client (Snort, Iris, Nostrudel)
Client requests signatures from extension
You approve each request

Advantages:

Key never exposed to websites
Works with all web clients
Signature approval control
Phishing protection

Desktop Apps

Native desktop apps (if available) provide similar security to mobile apps:

Local key storage
OS-level encryption
No web browser vulnerabilities

Signature Management

Every time you post, like, or interact on Nostr, you’re creating a signed message.

Understanding Signatures:

Your client uses your private key to sign events
Signature proves you created the event
Relays and other users verify signatures using your public key
Invalid signatures are rejected

Signature Requests (Browser Extensions):

When using extensions, you’ll see signature requests:

Sign Event?
Kind: 1 (Short Text Note)
Content: "Hello Nostr!"
Relays: wss://relay.damus.io, wss://relay.nostr.band

[Approve] [Deny]

Best Practices:

Review what you’re signing
Verify the content looks correct
Check the event kind (1 = note, 4 = DM, etc.)
Don’t auto-approve everything
Be cautious of unexpected requests

Multiple Identities

Many advanced users maintain multiple Nostr identities.

Why Multiple Identities?

Use Cases:

Compartmentalization:
- Main verified identity (public figure)
- Anonymous identity (controversial opinions)
- Testing identity (experimenting with clients)
Privacy:
- Separate work and personal
- Protect real identity for sensitive topics
- Different personas for different communities
Security:
- High-security identity (minimal use, ultra-secure storage)
- Daily-use identity (more convenient, acceptable risk)
- Disposable identities (temporary use)
Professional:
- Business identity (NIP-05 verified, professional)
- Personal identity (casual, friends)

Managing Multiple Identities

Organization Tips:

Clear Labeling:

Password Manager Entries:
- "Nostr - Main Identity (verified)"
- "Nostr - Anonymous (@pseudonym)"
- "Nostr - Testing"

Document Purpose:
- Note what each identity is for
- When to use which identity
- Which clients/relays to use
Security Tiers:
- Tier 1: Maximum security (main verified identity)
- Tier 2: Standard security (personal use)
- Tier 3: Minimal security (disposable, testing)

Identity Switching:

Most clients support multiple accounts
Browser extensions can store multiple keys
Switch based on context

Key Rotation and Migration

Unlike traditional platforms, Nostr doesn’t support key rotation.

The Reality

You Cannot:

Change your private key
“Update” your keys
Rotate to new keys (while keeping identity)

Your public key IS your identity. Changing it means creating a new identity.

When to Create New Identity

Valid Reasons:

Key compromise (proven or suspected)
Moving from test to permanent identity
Changing security model (moving to hardware wallet)
Intentional fresh start

Process:

Generate new key pair
Announce migration from old identity
Manually rebuild network (re-follow people)
Update NIP-05 verification
Never use old keys again (if compromised)

Reality: Migration is manual and lossy. Prevention is far better than recovery.

Emergency Procedures

If You Lose Your Private Key

Immediate Reality: Your identity is permanently lost.

There is no recovery:

No “forgot password”
No email recovery
No support team
No backdoor

Your Options:

Accept the loss
Create new identity with new keys
Announce new identity through other channels
Manually rebuild your network

Lesson: This is why backup is non-negotiable.

If Your Key Is Compromised

Immediate Actions:

Stop using compromised key immediately
Assess the damage:
- What information was exposed?
- What did the attacker post?
- Were DMs compromised?

Post warning (if still possible):

⚠️ SECURITY ALERT ⚠️
This account may be compromised.
Migrating to new identity: npub1...
Verify via [other channel]

Create new identity:
- Generate completely new keys
- Follow secure generation practices
- Implement lessons learned
Announce through side channels:
- Twitter/X
- Website
- Email contacts
- Other social media
Rebuild network:
- Import follow list if backed up
- Manually re-follow
- Re-verify with NIP-05

Prevention Is Everything: Once compromised, the damage is permanent.

Advanced Topics

Hierarchical Deterministic Keys (Future)

What It Could Enable:

Generate multiple identities from one seed
Backup one seed phrase instead of many keys
Similar to Bitcoin HD wallets

Current Status: Not yet implemented in Nostr Future Potential: Would simplify multi-identity management

Delegation (NIP-26)

Concept: Authorize another key to post on your behalf (with restrictions).

Use Cases:

Bot accounts posting for you
Temporary delegation (vacation)
Multi-device signing (phone delegated to post)

How It Works:

You sign a delegation certificate
Delegate can post on your behalf
Posts clearly marked as delegated
Time-limited and revocable

Status: Specified but limited client support

Hardware Wallet Integration

Future Vision:

Nostr keys stored on hardware wallet
Signing requests sent to device
Approve on hardware (button press)
Maximum security with usability

Current Status: Emerging, experimental

Conclusion

Nostr key management comes down to understanding one principle: your keys, your responsibility.

No one else:

Can recover your keys if lost
Will protect your keys if you don’t
Can help if you make a mistake

This isn’t a limitation—it’s the foundation of true digital ownership. You control your identity completely because you control the cryptographic keys.

The Path Forward:

Generate keys securely (trusted client, on your device)
Back up immediately (multiple copies, tested)
Store safely (password manager + physical backup)
Use carefully (browser extensions, native apps)
Never share (not ever, not anyone)

With proper key management, Nostr offers unprecedented digital sovereignty. Your identity cannot be banned, censored, or taken away.

Your keys. Your identity. Your freedom.

Quick Reference Checklist

At Key Generation:

Generated on trusted device
Immediately backed up (physical)
Immediately backed up (password manager)
Backup tested successfully
Never shared private key

For Daily Use:

Using browser extension (not copy/paste)
Mobile app from official source
Keys not stored in plain text anywhere
Regular security reviews scheduled

For Long-Term Security:

Multiple backup copies exist
Backups in different physical locations
Trusted person knows backup location
Regular backup verification
Estate planning considers key inheritance

Further Resources

Security Best Practices - Comprehensive Nostr security guide
Getting Started - Beginner’s introduction
Privacy on Nostr - Advanced privacy techniques
NIP-19 - Bech32 key encoding specification
NIP-26 - Delegated event signing

Remember: The security of Nostr starts and ends with your private key. Protect it like it’s irreplaceable—because it is. 🔑