Tatum
Tatum
Welcome to Tatum 👋
Introduction
Your First App
Tatum's Architecture
Supported Blockchains
Testnet vs Mainnet
Rate Limits
API Reference
API Reference
Changelog
Architecture
Terminology
Building Blocks
Private Key Management
Guides
Blockchain
Ledger and Off-chain
Tutorials
How to build a custodial wallet
How to build a non-custodial wallet
How to build a crypto exchange
How to securely store private keys
Powered by GitBook

Private Key Management

Your private keys are your most valuable possessions in the blockchain space. Private keys are what hold information as to how much cryptocurrency you have and what you can spend. If you lose your private keys or they are compromised, you will never be able to get your currencies back. The most important part of working with cryptocurrencies and blockchains is the secure management of your private keys.

There are 4 options for how Tatum handles private keys to blockchain addresses:

  • sending private keys/mnemonic seeds to the Tatum API directly - This is not recommended in the production environment, and it should be used in a testnet only. Tatum never stores any private keys or mnemonic seeds.

  • using the Tatum library to create wallets and sign transactions locally on a backend - JavaScript or Java​

  • using the Tatum KMS, an external tool to securely generate and store private keys and use them to sign transactions locally. This is the safest and recommended way of working with private keys. The Tatum KMS should be installed in the Deny-From-All environment to meet the highest security standards. It is possible to store private keys locally or using AWS HSM or Azure HSM. The Tatum KMS only communicates with the Tatum API to fetch the list of the pending transactions to sign. After successfully signing and broadcasting transactions to the blockchain, it marks the pending transaction as complete and adds the final broadcasted transaction ID. It supports the 4 eye control mechanism, where pending transactions are controlled in Tatum and the customer system.

  • using the Tatum Middleware docker to serve as a proxy and local signature tool. All API calls are invoked against theTatum Middleware, and those with private keys are processed locally. No sensitive information is passed on to Tatum.

Previous
Off-chain
Next - Guides
Blockchain
Last updated 2 weeks ago