bitcoin-s/website/versioned_docs/version-1.9.5/key-manager/key-manager.md

---
id: version-1.9.5-key-manager
title: Key Manager
original_id: key-manager
---


### Key Manager

The key manager module's goal is to encapsulate all private key interactions with the [wallet](../wallet/wallet.md) project.

As of this writing, there is only one type of `KeyManager` - [`BIP39KeyManager`](/api/org/bitcoins/keymanager/bip39/BIP39KeyManager).

The [`BIP39KeyManager`](/api/org/bitcoins/keymanager/bip39/BIP39KeyManager) stores a [`MnemonicCode`](/api/org/bitcoins/core/crypto/MnemonicCode) on disk which can be decrypted and used as a hot wallet.
 
Over the long run, we want to make it so that the wallet project needs to communicate with the key-manager to access private keys.

This means that ALL SIGNING should be done inside of the key-manager, and private keys should not leave the key manager.

This makes it easier to reason about the security characteristics of our private keys, and a way to provide a uniform interface for alternative key storage systems (hsm, cloud based key storage, etc) to be plugged into the bitcoin-s library.

#### Creating a key manager

The first thing you need create a key manager is some entropy.

A popular way for bitcoin wallet's to represent entropy is [BIP39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki) which you [can use in bitcoin-s](/api/org/bitcoins/core/crypto/BIP39Seed)

You can generate a `MnemonicCode` in bitcoin-s with the following code

```scala
import org.bitcoins.core.crypto._

//get 256 bits of random entropy
val entropy = MnemonicCode.getEntropy256Bits
// entropy: scodec.bits.BitVector = BitVector(256 bits, 0x242b7c614760fed0890946e5d812c4370c97d9bc1772c5d51844459654c169b4)

val mnemonic = MnemonicCode.fromEntropy(entropy)
// mnemonic: MnemonicCode = Masked(MnemonicCodeImpl)

//you can print that mnemonic seed with this
println(mnemonic.words)
// Vector(category, fossil, blue, mom, avocado, hair, category, churn, total, scene, rain, host, siren, under, utility, unusual, shift, potato, baby, menu, grab, gaze, plug, mimic)
```

Now that we have a `MnemonicCode` that was securely generated, we need to now create `KeyManagerParams` which tells us how to generate
generate specific kinds of addresses for wallets.

`KeyManagerParams` takes 3 parameters:

1. `seedPath` there is where we store the `MnemonicCode` on your file system
2. [`purpose`](/api/org/bitcoins/core/hd/HDPurpose) which represents what type of utxo this `KeyManager` is associated with. The specification for this is in [BIP43](https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki)
3. [`network`](/api/org/bitcoins/core/config/NetworkParameters) what cryptocurrency network this key manager is associated with


This controls how the root key is defined. The combination of `purpose` and `network` determine how the root `ExtKey` is serialized. For more information on how this works please see [hd-keys](../core/hd-keys.md)

Now we can construct a native segwit key manager for the regtest network!

```scala
//this will create a temp directory with the prefix 'key-manager-example` that will
//have a file in it called "encrypted-bitcoin-s-seed.json"
val seedPath = Files.createTempDirectory("key-manager-example").resolve(WalletStorage.ENCRYPTED_SEED_FILE_NAME)
// seedPath: Path = /tmp/key-manager-example88750085450836374/encrypted-bitcoin-s-seed.json

//let's create a native segwit key manager
val purpose = HDPurposes.SegWit
// purpose: HDPurpose = m/84'

//let's choose regtest as our network
val network = RegTest
// network: RegTest.type = RegTest

val kmParams = KeyManagerParams(seedPath, purpose, network)
// kmParams: KeyManagerParams = KeyManagerParams(/tmp/key-manager-example88750085450836374/encrypted-bitcoin-s-seed.json,m/84',RegTest)

val aesPasswordOpt = Some(AesPassword.fromString("password"))
// aesPasswordOpt: Some[AesPassword] = Some(Masked(AesPassword))

val km = BIP39KeyManager.initializeWithMnemonic(aesPasswordOpt, mnemonic, None, kmParams)
// km: Either[KeyManagerInitializeError, BIP39KeyManager] = Right(org.bitcoins.keymanager.bip39.BIP39KeyManager@77b81113)

val rootXPub = km.right.get.getRootXPub
// rootXPub: ExtPublicKey = vpub5SLqN2bLY4WeYH761QN9Nk21cTj2qxaCDWxEyoyWGry4u9vHijts2drxSUSnaf1G85hZrYqMWWJSq9SiXJ3rQsNzjBFDHgAzLNMHA61dutb

println(rootXPub)
// vpub5SLqN2bLY4WeYH761QN9Nk21cTj2qxaCDWxEyoyWGry4u9vHijts2drxSUSnaf1G85hZrYqMWWJSq9SiXJ3rQsNzjBFDHgAzLNMHA61dutb
```

Which should print something that looks like this

`vpub5SLqN2bLY4WeXxMqwJHJFBEwxSscGB2uDUnsTS3edVjZEwTrQDFDNqoR2xLqARQPabGaXsHSTenTRcqm2EnB9MpuC4vSk3LqSgNmGGZtuq7`

which is a native segwit `ExtPubKey` for the regtest network!

You can always change the `network` or `purpose` to support different things. You do _not_ need to initialize the key manager
again after initializing it once. You can use the same `mnemonic` for different networks, which you control `KeyManagerParams`.

```scala
//let's create a nested segwit key manager for mainnet
val mainnetKmParams = KeyManagerParams(seedPath, HDPurposes.SegWit, MainNet)
// mainnetKmParams: KeyManagerParams = KeyManagerParams(/tmp/key-manager-example88750085450836374/encrypted-bitcoin-s-seed.json,m/84',MainNet)

//we do not need to all `initializeWithMnemonic()` again as we have saved the seed to dis
val mainnetKeyManager = BIP39KeyManager.fromMnemonic(mnemonic, mainnetKmParams, None, Instant.now, false)
// mainnetKeyManager: BIP39KeyManager = org.bitcoins.keymanager.bip39.BIP39KeyManager@17ba186e

val mainnetXpub = mainnetKeyManager.getRootXPub
// mainnetXpub: ExtPublicKey = zpub6jftahH18ngZwTsZLqWeD6Q2JLJpcSYBsy387PZ3ntUb7ZBCjNZ7WtVWXJH8aHcwkeAnrTDbM9ieNHtyQ5hubp7QCY2udKSwRGbriPDfErj

println(mainnetXpub)
// zpub6jftahH18ngZwTsZLqWeD6Q2JLJpcSYBsy387PZ3ntUb7ZBCjNZ7WtVWXJH8aHcwkeAnrTDbM9ieNHtyQ5hubp7QCY2udKSwRGbriPDfErj
```

Which gives us something that looks like this

`zpub6jftahH18ngZw98KGjRo5XcxeKTQ2eztsvskb1dC9XF5TLimQquTs6Ry7nBBA425D9joXmfgJJCexmJ1u2SELJZJfRi95gcnXadLpZzYb5c`

which is a p2sh wrapped segwit `ExtPubKey` for the bitcoin main network!

#### Creating a key manager from existing mnemonic

To create a `KeyManager` from existing mnemonic you need to specify the `seedPath` and then construct the `KeyManagerParams` that you would like.

Finally you call `KeyManager.fromParams()` that reads the mnemonic from disk and create's the key manager
1.9.5 of the website (#4812) 2022-10-03 10:24:12 -05:00			`---`
			`id: version-1.9.5-key-manager`
			`title: Key Manager`
			`original_id: key-manager`
			`---`


			`### Key Manager`

			`The key manager module's goal is to encapsulate all private key interactions with the [wallet](../wallet/wallet.md) project.`

			As of this writing, there is only one type of `KeyManager` - [`BIP39KeyManager`](/api/org/bitcoins/keymanager/bip39/BIP39KeyManager).

			The [`BIP39KeyManager`](/api/org/bitcoins/keymanager/bip39/BIP39KeyManager) stores a [`MnemonicCode`](/api/org/bitcoins/core/crypto/MnemonicCode) on disk which can be decrypted and used as a hot wallet.

			`Over the long run, we want to make it so that the wallet project needs to communicate with the key-manager to access private keys.`

			`This means that ALL SIGNING should be done inside of the key-manager, and private keys should not leave the key manager.`

			`This makes it easier to reason about the security characteristics of our private keys, and a way to provide a uniform interface for alternative key storage systems (hsm, cloud based key storage, etc) to be plugged into the bitcoin-s library.`

			`#### Creating a key manager`

			`The first thing you need create a key manager is some entropy.`

			`A popular way for bitcoin wallet's to represent entropy is [BIP39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki) which you [can use in bitcoin-s](/api/org/bitcoins/core/crypto/BIP39Seed)`

			You can generate a `MnemonicCode` in bitcoin-s with the following code

			```scala
			`import org.bitcoins.core.crypto._`

			`//get 256 bits of random entropy`
			`val entropy = MnemonicCode.getEntropy256Bits`
			`// entropy: scodec.bits.BitVector = BitVector(256 bits, 0x242b7c614760fed0890946e5d812c4370c97d9bc1772c5d51844459654c169b4)`

			`val mnemonic = MnemonicCode.fromEntropy(entropy)`
			`// mnemonic: MnemonicCode = Masked(MnemonicCodeImpl)`

			`//you can print that mnemonic seed with this`
			`println(mnemonic.words)`
			`// Vector(category, fossil, blue, mom, avocado, hair, category, churn, total, scene, rain, host, siren, under, utility, unusual, shift, potato, baby, menu, grab, gaze, plug, mimic)`
			```

			Now that we have a `MnemonicCode` that was securely generated, we need to now create `KeyManagerParams` which tells us how to generate
			`generate specific kinds of addresses for wallets.`

			`KeyManagerParams` takes 3 parameters:

			1. `seedPath` there is where we store the `MnemonicCode` on your file system
			2. [`purpose`](/api/org/bitcoins/core/hd/HDPurpose) which represents what type of utxo this `KeyManager` is associated with. The specification for this is in [BIP43](https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki)
			3. [`network`](/api/org/bitcoins/core/config/NetworkParameters) what cryptocurrency network this key manager is associated with


			This controls how the root key is defined. The combination of `purpose` and `network` determine how the root `ExtKey` is serialized. For more information on how this works please see [hd-keys](../core/hd-keys.md)

			`Now we can construct a native segwit key manager for the regtest network!`

			```scala
			//this will create a temp directory with the prefix 'key-manager-example` that will
			`//have a file in it called "encrypted-bitcoin-s-seed.json"`
			`val seedPath = Files.createTempDirectory("key-manager-example").resolve(WalletStorage.ENCRYPTED_SEED_FILE_NAME)`
			`// seedPath: Path = /tmp/key-manager-example88750085450836374/encrypted-bitcoin-s-seed.json`

			`//let's create a native segwit key manager`
			`val purpose = HDPurposes.SegWit`
			`// purpose: HDPurpose = m/84'`

			`//let's choose regtest as our network`
			`val network = RegTest`
			`// network: RegTest.type = RegTest`

			`val kmParams = KeyManagerParams(seedPath, purpose, network)`
			`// kmParams: KeyManagerParams = KeyManagerParams(/tmp/key-manager-example88750085450836374/encrypted-bitcoin-s-seed.json,m/84',RegTest)`

			`val aesPasswordOpt = Some(AesPassword.fromString("password"))`
			`// aesPasswordOpt: Some[AesPassword] = Some(Masked(AesPassword))`

			`val km = BIP39KeyManager.initializeWithMnemonic(aesPasswordOpt, mnemonic, None, kmParams)`
			`// km: Either[KeyManagerInitializeError, BIP39KeyManager] = Right(org.bitcoins.keymanager.bip39.BIP39KeyManager@77b81113)`

			`val rootXPub = km.right.get.getRootXPub`
			`// rootXPub: ExtPublicKey = vpub5SLqN2bLY4WeYH761QN9Nk21cTj2qxaCDWxEyoyWGry4u9vHijts2drxSUSnaf1G85hZrYqMWWJSq9SiXJ3rQsNzjBFDHgAzLNMHA61dutb`

			`println(rootXPub)`
			`// vpub5SLqN2bLY4WeYH761QN9Nk21cTj2qxaCDWxEyoyWGry4u9vHijts2drxSUSnaf1G85hZrYqMWWJSq9SiXJ3rQsNzjBFDHgAzLNMHA61dutb`
			```

			`Which should print something that looks like this`

			`vpub5SLqN2bLY4WeXxMqwJHJFBEwxSscGB2uDUnsTS3edVjZEwTrQDFDNqoR2xLqARQPabGaXsHSTenTRcqm2EnB9MpuC4vSk3LqSgNmGGZtuq7`

			which is a native segwit `ExtPubKey` for the regtest network!

			You can always change the `network` or `purpose` to support different things. You do _not_ need to initialize the key manager
			again after initializing it once. You can use the same `mnemonic` for different networks, which you control `KeyManagerParams`.

			```scala
			`//let's create a nested segwit key manager for mainnet`
			`val mainnetKmParams = KeyManagerParams(seedPath, HDPurposes.SegWit, MainNet)`
			`// mainnetKmParams: KeyManagerParams = KeyManagerParams(/tmp/key-manager-example88750085450836374/encrypted-bitcoin-s-seed.json,m/84',MainNet)`

			//we do not need to all `initializeWithMnemonic()` again as we have saved the seed to dis
			`val mainnetKeyManager = BIP39KeyManager.fromMnemonic(mnemonic, mainnetKmParams, None, Instant.now, false)`
			`// mainnetKeyManager: BIP39KeyManager = org.bitcoins.keymanager.bip39.BIP39KeyManager@17ba186e`

			`val mainnetXpub = mainnetKeyManager.getRootXPub`
			`// mainnetXpub: ExtPublicKey = zpub6jftahH18ngZwTsZLqWeD6Q2JLJpcSYBsy387PZ3ntUb7ZBCjNZ7WtVWXJH8aHcwkeAnrTDbM9ieNHtyQ5hubp7QCY2udKSwRGbriPDfErj`

			`println(mainnetXpub)`
			`// zpub6jftahH18ngZwTsZLqWeD6Q2JLJpcSYBsy387PZ3ntUb7ZBCjNZ7WtVWXJH8aHcwkeAnrTDbM9ieNHtyQ5hubp7QCY2udKSwRGbriPDfErj`
			```

			`Which gives us something that looks like this`

			`zpub6jftahH18ngZw98KGjRo5XcxeKTQ2eztsvskb1dC9XF5TLimQquTs6Ry7nBBA425D9joXmfgJJCexmJ1u2SELJZJfRi95gcnXadLpZzYb5c`

			which is a p2sh wrapped segwit `ExtPubKey` for the bitcoin main network!

			`#### Creating a key manager from existing mnemonic`

			To create a `KeyManager` from existing mnemonic you need to specify the `seedPath` and then construct the `KeyManagerParams` that you would like.

			Finally you call `KeyManager.fromParams()` that reads the mnemonic from disk and create's the key manager