security beginner ⏱️ 10 minutes

Security Best Practices for Nostr

Essential security guidelines for protecting your Nostr identity, keys, and data. Learn operational security practices to keep your account safe.

Updated: 19 January 2025 By Nostr.co.uk

Introduction

Your security on Nostr fundamentally differs from traditional social media. There’s no “Forgot Password” button, no account recovery email, and no customer support to help if something goes wrong.

This is both liberating and serious: you have complete ownership and control, but you also have complete responsibility.

This guide covers essential security practices to protect your Nostr identity, maintain operational security, and safely navigate the decentralised protocol.

The Core Security Principle

On Nostr, your private key IS your account. Unlike traditional platforms, where your account is a database entry controlled by a company:

  • Your private key is your identity
  • Whoever controls the key controls the identity
  • Lost keys = lost identity (permanently)
  • Compromised keys = compromised identity (irreversibly)

This fundamental difference means key security is everything.

Critical Security Rules

1. Never Share Your Private Key

Your nsec (private key) should never be shared with anyone, ever. Not even:

  • Other Nostr users
  • Client developers (legitimate ones will never ask)
  • Relay operators
  • “Support” personnel (Nostr has no central support)
  • Friends or family
  • Any website or service

If someone asks for your nsec, it’s a scam.

2. Never Enter Your nsec on Websites

The safest practice is to never paste your private key into web browsers. Instead:

  • Use browser extensions (like nos2x, Alby, or Flamingo)
  • Use native mobile apps (like Damus or Amethyst)
  • Use desktop applications
  • Use NIP-07 compatible extensions for web access

Web-based clients that require your nsec can be convenient, but they introduce security risks:

  • Browser vulnerabilities
  • Clipboard malware
  • Phishing sites
  • Man-in-the-middle attacks

3. Treat Your Private Key Like Cash

Imagine your private key is £10,000 in cash. You wouldn’t:

  • Leave it lying around
  • Email it to yourself
  • Store it in a text file called “passwords.txt”
  • Take photos of it
  • Write it on sticky notes
  • Store it in cloud services (Google Drive, Dropbox, etc.)

Apply the same mindset to your nsec.

Secure Key Storage Methods

For Beginners: Offline Backup

Physical Backup (Most Secure):

  1. Write your nsec on paper (carefully, check for errors)
  2. Store in a safe physical location (safe, bank deposit box)
  3. Consider making 2-3 copies in different locations
  4. Never photograph the paper
  5. Use fireproof/waterproof storage if possible

Security Level: ⭐⭐⭐⭐⭐ (Excellent)
Convenience: ⭐⭐ (Low - manual entry required)
Best For: Long-term identity preservation

For Regular Users: Password Manager

Use a reputable password manager:

Recommended Options:

  • 1Password (Paid, excellent security)
  • Bitwarden (Open source, self-hostable)
  • KeePassXC (Open source, offline)

How to Store:

  1. Create a secure note (not a password entry)
  2. Label clearly: “Nostr Private Key - DO NOT SHARE”
  3. Enable two-factor authentication on the password manager
  4. Use a strong master password (6+ words, random)
  5. Back up your password manager vault

Security Level: ⭐⭐⭐⭐ (Very Good)
Convenience: ⭐⭐⭐⭐ (High - copy/paste available)
Best For: Daily use with good security

For Advanced Users: Hardware Keys

For high-security scenarios, consider hardware solutions:

  • Hardware wallets that support Nostr (emerging)
  • Encrypted USB drives (offline storage)
  • Air-gapped computers for key generation

Security Level: ⭐⭐⭐⭐⭐ (Maximum)
Convenience: ⭐⭐ (Low - complex setup)
Best For: High-value identities, public figures

Browser Extension Security

Browser extensions like nos2x, Alby, and Flamingo provide the best balance of security and convenience for web access.

Why Extensions Are Safer

Instead of pasting your nsec into websites:

  1. The extension stores your key securely
  2. Websites request signatures from the extension
  3. You approve or deny each request
  4. Your key never leaves the extension
  5. Phishing sites can’t steal your key

Using Extensions Safely

Installation:

  • Only install from official browser stores
  • Verify the developer and reviews
  • Check the number of users (popular = more scrutiny)
  • Read the permissions requested

Configuration:

  • Set up extension password/PIN
  • Review and approve signature requests carefully
  • Don’t auto-approve everything
  • Periodically review connected sites

Recommended Extensions:

  • nos2x: Minimal, focused on signing (Chrome/Firefox)
  • Alby: Bitcoin-focused, includes Lightning (Chrome/Firefox)
  • Flamingo: Feature-rich, iOS support

Mobile App Security

Mobile apps like Damus (iOS) and Amethyst (Android) provide secure native environments.

Mobile Security Practices

Key Storage:

  • Your nsec is stored in the app’s secure storage
  • Protected by device encryption
  • Requires device unlock to access
  • More secure than web browsers

Additional Security:

  • Enable device PIN/biometric lock
  • Enable app-level biometric authentication (if available)
  • Regularly update the app
  • Only install apps from official stores
  • Review app permissions

Backup Considerations:

  • App data might be lost if you delete the app
  • Cloud backups might be unencrypted
  • Always maintain independent key backups
  • Test your backup before relying on it

Operational Security (OPSEC)

Beyond key security, consider your overall privacy and security posture.

What You Share

Remember that Nostr is public by default:

  • All posts are public (unless encrypted)
  • Your follows/followers are public
  • Relay choices might reveal location/interests
  • Zap amounts are publicly visible
  • Profile information is permanent

Privacy Practices:

  • Don’t share identifying information unnecessarily
  • Use pseudonyms rather than real names (if privacy-focused)
  • Be aware of metadata (time zones, language patterns)
  • Consider what your interests/follows reveal

Metadata Awareness

Even encrypted messages reveal metadata:

  • Who you message (visible on relays)
  • When you message (timestamps)
  • How often you message
  • Which relays you use

For high-privacy scenarios, consider:

  • Using multiple identities for different purposes
  • Varying your relay selection
  • Being aware of time-based patterns
  • Understanding IP address exposure to relays

Network Security

Relay Connections:

  • Relays can see your IP address
  • Consider VPN/Tor for privacy-critical use
  • Choose trusted relays for sensitive operations
  • Diversify relay operators (geographic, political)

VPN Considerations:

  • Hides your IP from relays
  • Adds latency to connections
  • Choose reputable, privacy-focused VPNs
  • Understand VPN provider’s logging policies

Tor Usage:

  • Maximum anonymity
  • Significantly slower
  • Some relays block Tor exits
  • Required for highest threat models

Common Threats and Mitigations

Phishing Attacks

Threat: Fake websites or clients that steal your private key.

How It Works:

  1. Scammer creates fake version of popular client
  2. You enter your nsec into the fake client
  3. Your key is sent to the attacker
  4. They control your identity

Protection:

  • Always verify URLs (check for https, spelling)
  • Bookmark legitimate clients
  • Use browser extensions instead of web clients
  • Never enter nsec in suspicious sites
  • Verify app developers before installing

Clipboard Malware

Threat: Malware that monitors your clipboard for private keys.

How It Works:

  1. Malware monitors clipboard
  2. You copy your nsec
  3. Malware steals the key from clipboard
  4. Your identity is compromised

Protection:

  • Use password managers with auto-type
  • Clear clipboard after sensitive copies
  • Use browser extensions (never copy/paste)
  • Keep operating system updated
  • Use reputable antivirus software

Social Engineering

Threat: Attackers trick you into revealing your private key.

Common Tactics:

  • “Support” messages asking for your key
  • “Verification” requests
  • “Account migration” scams
  • Fake NIP-05 verification services

Protection:

  • Remember: legitimate services never ask for nsec
  • Verify sender identities (check NIP-05)
  • Be skeptical of urgent requests
  • When in doubt, ask the community
  • Trust your instincts

Man-in-the-Middle Attacks

Threat: Attacker intercepts communication between you and relays.

How It Works:

  1. Attacker positions between you and relay
  2. They intercept your messages
  3. They can read content (if not encrypted)
  4. They might modify messages

Protection:

  • Use wss:// (secure WebSocket) relays
  • Verify TLS certificates
  • Use VPN on untrusted networks
  • Avoid public WiFi for sensitive operations
  • Signatures prevent message tampering

Client Security Recommendations

Different clients offer different security trade-offs.

Most Secure Options

For Web Access:

  1. Browser extension + web client (nos2x + Snort)
  2. Desktop apps (native security)
  3. Web clients (only with extension, never paste nsec)

For Mobile:

  1. Damus (iOS - native app, secure storage)
  2. Amethyst (Android - native app, secure storage)
  3. Other native apps (better than mobile web)

Red Flags in Clients

Be cautious of clients that:

  • Request your nsec via copy/paste
  • Don’t support browser extensions
  • Have no GitHub repository (closed source)
  • Have few users or reviews
  • Request unusual permissions
  • Lack NIP-07 support (browser signing)

Evaluating New Clients

Before using a new client:

  1. Research the developer
    • GitHub activity
    • Community reputation
    • Other projects
  2. Check the code
    • Is it open source?
    • Has it been audited?
    • Recent updates?
  3. Review permissions
    • Mobile: what device access?
    • Web: what browser permissions?
    • Extensions: what data access?
  4. Start conservatively
    • Test with a disposable identity first
    • Use browser extensions if possible
    • Don’t store significant value (Lightning) initially

Account Recovery (Impossible)

This is crucial to understand: there is no account recovery on Nostr.

What You Cannot Do

  • Reset password (there is no password)
  • Recover forgotten keys
  • Prove ownership without the private key
  • Contact support (there is no central authority)
  • Use email recovery
  • Use phone number verification

What This Means

Before you lose your key:

  1. Back up your private key securely
  2. Test your backup
  3. Store backups in multiple secure locations
  4. Consider physical + digital backups
  5. Tell trusted family about backup location (for inheritance)

If you lose your key:

  1. Your identity is permanently lost
  2. You must create a new identity
  3. You lose all your followers
  4. You lose your post history
  5. You cannot transfer your NIP-05 verification
  6. You cannot recover Lightning funds tied to that key

Prevention is the only solution.

Creating a Secure Backup Strategy

The 3-2-1 Rule (Adapted for Nostr)

3 copies of your private key:

  • Original (in password manager or extension)
  • Backup 1 (physical paper, secure location)
  • Backup 2 (encrypted digital backup, different location)

2 different formats:

  • Physical (paper, metal plate)
  • Digital (password manager, encrypted file)

1 off-site backup:

  • Different physical location
  • Bank deposit box, trusted family member, second home

Testing Your Backup

Don’t wait until you need it:

  1. Create a test identity
  2. Back up the key using your system
  3. Delete the original
  4. Attempt to restore from backup
  5. Verify you can access the identity

Do this at least once to ensure your backup process works.
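A restore test also catches the most common paper-backup failure, a mistyped character, early: an nsec is a NIP-19 bech32 string, and its checksum detects any single transcription error. The checker below is an added example (not code from this guide); `encodeBech32` is there only so the check can be exercised on a constructed key, and the key material never leaves the process.

```javascript
// Added example, not from the guide: NIP-19 (bech32) checksum check for a transcribed nsec.
const CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"; // BIP-173 alphabet
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];

function polymod(values) { // BIP-173 checksum polynomial over 5-bit values
  let chk = 1;
  for (const v of values) {
    const top = chk >>> 25;
    chk = ((chk & 0x1ffffff) << 5) ^ v;
    for (let i = 0; i < 5; i++) if ((top >>> i) & 1) chk ^= GEN[i];
  }
  return chk;
}
function hrpExpand(hrp) { // the prefix ("nsec") is mixed into the checksum
  const codes = [...hrp].map((c) => c.charCodeAt(0));
  return codes.map((c) => c >> 5).concat([0], codes.map((c) => c & 31));
}
function convertBits(data, from, to, pad) { // 8->5 on encode, strict 5->8 on decode
  const maxv = (1 << to) - 1, maxAcc = (1 << (from + to - 1)) - 1, out = [];
  let acc = 0, bits = 0;
  for (const v of data) {
    acc = ((acc << from) | v) & maxAcc;
    bits += from;
    while (bits >= to) { bits -= to; out.push((acc >> bits) & maxv); }
  }
  if (pad) { if (bits > 0) out.push((acc << (to - bits)) & maxv); }
  else if (bits >= from || ((acc << (to - bits)) & maxv)) return null;
  return out;
}
function encodeBech32(hrp, bytes) { // used here only to build a constructed test key
  const data = convertBits(Array.from(bytes), 8, 5, true);
  const mod = polymod(hrpExpand(hrp).concat(data, [0, 0, 0, 0, 0, 0])) ^ 1;
  const checksum = [5, 4, 3, 2, 1, 0].map((p) => (mod >> (5 * p)) & 31);
  return hrp + "1" + data.concat(checksum).map((d) => CHARSET[d]).join("");
}

function decodeBech32(str) { // { hrp, bytes } or null on any error / checksum failure
  const s = str.toLowerCase(), pos = s.lastIndexOf("1");
  if (pos < 1 || pos + 7 > s.length || s.length > 90) return null;
  const hrp = s.slice(0, pos), data = [...s.slice(pos + 1)].map((c) => CHARSET.indexOf(c));
  if (data.includes(-1) || polymod(hrpExpand(hrp).concat(data)) !== 1) return null;
  const bytes = convertBits(data.slice(0, -6), 5, 8, false);
  return bytes && { hrp, bytes: Uint8Array.from(bytes) };
}

function checkNsec(str) { // what a backup check should report for a hand-copied key
  const dec = decodeBech32(str.trim());
  if (!dec) return "checksum failed: at least one character is wrong";
  return dec.hrp === "nsec" && dec.bytes.length === 32 ? "ok" : "valid bech32 but not a 32-byte nsec";
}
```

Run the check on an offline machine with the paper copy typed in by hand; a "checksum failed" result means the paper, not the original, needs correcting.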

Advanced Security Practices

Multiple Identities

Consider using different identities for different purposes:

  • Main identity: Public presence, verified
  • Private identity: Personal connections, family
  • Experimental identity: Testing new clients/features
  • Disposable identities: Temporary use

This compartmentalization limits damage if one key is compromised.

Air-Gapped Key Generation

For maximum security, generate keys offline:

  1. Use an offline computer (never connected to internet)
  2. Generate key pair
  3. Write down keys
  4. Clear computer memory
  5. Only use public key online

The private key never touches an internet-connected device.

Regular Security Audits

Periodically review:

  • Where is your nsec stored?
  • Who has access to those locations?
  • Are your backups still secure?
  • Have you changed your master passwords recently?
  • Are your devices updated?
  • Do you still trust the clients you use?

UK-Specific Security Considerations

The UK’s Online Safety Act 2023 doesn’t affect Nostr’s core security, but be aware:

  • Relays might be subject to UK law if hosted in UK
  • Your identity and content are globally distributed
  • No UK authority can force relay operators to reveal your identity (they don’t have it)
  • Your IP address might be visible to relay operators

GDPR and Privacy

Nostr operates outside traditional data protection frameworks:

  • No “data controller” (it’s decentralized)
  • No account deletion (content persists on relays)
  • Public posts are permanent
  • Consider pseudonymity for privacy compliance

Emergency Procedures

If You Suspect Key Compromise

  1. Immediately post a warning from a trusted secondary identity
  2. Notify contacts through other channels
  3. Create a new identity with new keys
  4. Announce the new identity (once secure)
  5. Never use compromised keys again

If You Lose Your Key

  1. Accept the loss (no recovery possible)
  2. Generate new keys (completely fresh start)
  3. Announce new identity via other channels
  4. Rebuild your network (manual re-following)
  5. Update any NIP-05 verification

Security Checklist

Use this checklist to verify your security posture:

Key Storage:

  • Private key never shared with anyone
  • Physical backup exists in secure location
  • Digital backup in password manager
  • Backup has been tested successfully
  • Multiple backup copies in different locations
  • Family/trusted person knows backup location (for inheritance)

Daily Operations:

  • Using browser extension for web access (not copy/paste)
  • Mobile apps from official stores only
  • Device security enabled (PIN/biometric)
  • Clients are up-to-date
  • Only connecting to trusted relays

Operational Security:

  • Aware of what information you’re sharing publicly
  • Using VPN if privacy-critical
  • Different identities for different purposes (if needed)
  • Regular security reviews scheduled

Client Security:

  • Clients are reputable and reviewed
  • Browser extensions installed from official sources
  • Permissions reviewed and understood
  • Auto-approve disabled (manual signature review)

Conclusion

Security on Nostr is fundamentally about key custody. Unlike traditional platforms where security is outsourced to a company, you are entirely responsible for protecting your identity.

The good news: With proper practices, Nostr can be extremely secure. Your identity cannot be banned, censored, or taken away by any authority.

The reality: This requires vigilance and responsibility. There’s no safety net, no account recovery, no customer support.

Start with the basics:

  1. Never share your private key
  2. Back up securely (test your backups)
  3. Use browser extensions for web access
  4. Keep devices updated and secure
  5. Be aware of what you share publicly

As you become more comfortable, adopt advanced practices like multiple identities, VPN usage, and hardware security.

Your keys, your identity, your responsibility.

Further Resources

Remember: The Nostr community is here to help with questions, but never share your private key, even with well-meaning community members. Stay secure! 🔒