Decrypting the Private Key

When you request wallet information for a master or transit wallet, the API returns the field:

private_key_encrypted: "BASE64_ENCODED_RSA_payload"

This value is a RSA-encrypted private key, encoded in Base64.

To decrypt it, you must use your own RSA private key — the one that corresponds to the public RSA key previously uploaded in the Dashboard (Project Settings → RSA Key)

The platform never stores your RSA private key, and only you can decrypt the wallet’s private key.

Encryption Details

Algorithm: RSA-OAEP
Hash function: SHA-256
Output: Base64-encoded encrypted payload
Input (before encryption): raw wallet private key (hex string)

Option 1: Online Decrypter (Testing & Debugging)

For quick verification without writing code, you can use our dedicated web tool. This is useful for testing API responses or manually recovering a key.

Open https://rsa-tools.crypto-chief.com/.
Select the Decrypt tool.
Paste the private_key_encrypted string from the API response.
Paste your RSA Private Key (the one generated during setup).
Click Decrypt to view the raw wallet private key.

Option 2: Programmatic Decryption (Integration)

To automate this process in your application, implement RSA decryption using the specifications below.

Convert the Base64 string to binary
Use your RSA private key to decrypt the ciphertext
The result is a raw wallet private key (hex string)

import crypto from "crypto";

const encrypted = "BASE64_PAYLOAD_HERE"; // private_key_encrypted
const privateKey = `
-----BEGIN PRIVATE KEY-----
YOUR_RSA_PRIVATE_KEY_CONTENT
-----END PRIVATE KEY-----
`;

const decrypted = crypto.privateDecrypt(
  {
    key: privateKey,
    padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
    oaepHash: "sha256"
  },
  Buffer.from(encrypted, "base64")
);

console.log("Wallet Private Key:", decrypted.toString());

from base64 import b64decode
from Cryptodome.Cipher import PKCS1_OAEP
from Cryptodome.PublicKey import RSA
from Cryptodome.Hash import SHA256

encrypted = "BASE64_PAYLOAD_HERE"
rsa_key = RSA.import_key(open("private.pem").read())

cipher = PKCS1_OAEP.new(rsa_key, hashAlgo=SHA256)
plaintext = cipher.decrypt(b64decode(encrypted))

print("Wallet Private Key:", plaintext.decode())

package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

func main() {
	encrypted := "BASE64_PAYLOAD_HERE"

	block, _ := pem.Decode([]byte(YOUR_RSA_PRIVATE_KEY))
	privateKey, _ := x509.ParsePKCS1PrivateKey(block.Bytes)

	cipherData, _ := base64.StdEncoding.DecodeString(encrypted)

	plaintext, _ := rsa.DecryptOAEP(
		sha256.New(),
		rand.Reader,
		privateKey,
		cipherData,
		nil,
	)

	fmt.Println("Wallet Private Key:", string(plaintext))
}

<?php

// Encrypted payload from API (private_key_encrypted)
$encrypted = 'BASE64_PAYLOAD_HERE';

// Your RSA private key (PEM format)
$privateKeyPem = <<<PEM
-----BEGIN PRIVATE KEY-----
YOUR_RSA_PRIVATE_KEY_CONTENT
-----END PRIVATE KEY-----
PEM;

// Decode Base64
$ciphertext = base64_decode($encrypted);

if ($ciphertext === false) {
    throw new RuntimeException('Failed to base64-decode encrypted payload.');
}

// Load private key
$privateKey = openssl_pkey_get_private($privateKeyPem);

if ($privateKey === false) {
    throw new RuntimeException('Failed to load RSA private key.');
}

// Decrypt using RSA-OAEP + SHA-256
$plaintext = '';
$ok = openssl_private_decrypt(
    $ciphertext,
    $plaintext,
    $privateKey,
    OPENSSL_PKCS1_OAEP_PADDING
);

if (!$ok) {
    throw new RuntimeException('RSA decryption failed: ' . openssl_error_string());
}

// Result: raw wallet private key (usually hex string)
echo "Wallet Private Key: " . $plaintext . PHP_EOL;

Security Notes

The decrypted wallet private key should never be logged, uploaded, or stored in plaintext.
Store it only in a secure enclave, HSM, or isolated encrypted storage.
If your RSA private key is compromised, immediately rotate RSA keys and regenerate affected wallets.

PreviousSigning Requests NextTest Environment

Last updated 2 days ago

hashtagEncryption Details

hashtagOption 1: Online Decrypter (Testing & Debugging)

hashtagOption 2: Programmatic Decryption (Integration)

Encryption Details

Option 1: Online Decrypter (Testing & Debugging)

Option 2: Programmatic Decryption (Integration)