Decrypting the Private Key
When you request wallet information for a master or transit wallet, the API returns the field:
private_key_encrypted: "BASE64_ENCODED_RSA_payload"
This value is an RSA-encrypted private key, encoded in Base64.
To decrypt it, you must use your own RSA private key — the one that corresponds to the public RSA key previously uploaded via:
POST /rsa/upload
The platform never stores your RSA private key, and only you can decrypt the wallet’s private key.
Encryption Details
Algorithm: RSA-OAEP
Hash function: SHA-256
Output: Base64-encoded encrypted payload
Input (before encryption): raw wallet private key (hex string)
How to Decrypt (General Flow)
Convert the Base64 string to binary
Use your RSA private key to decrypt the ciphertext
The result is a raw wallet private key (hex string)
Node.js

import crypto from "crypto";

const encrypted = "BASE64_PAYLOAD_HERE"; // private_key_encrypted

// Your RSA private key (PEM format)
const privateKey = `
-----BEGIN PRIVATE KEY-----
YOUR_RSA_PRIVATE_KEY_CONTENT
-----END PRIVATE KEY-----
`;

// Decrypt using RSA-OAEP with SHA-256
const decrypted = crypto.privateDecrypt(
  {
    key: privateKey,
    padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
    oaepHash: "sha256"
  },
  Buffer.from(encrypted, "base64")
);

// Demonstration only: do not log the key in production (see Security Notes)
console.log("Wallet Private Key:", decrypted.toString());
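Python

# Requires the pycryptodomex package (Cryptodome namespace)
from base64 import b64decode
from Cryptodome.Cipher import PKCS1_OAEP
from Cryptodome.PublicKey import RSA
from Cryptodome.Hash import SHA256

encrypted = "BASE64_PAYLOAD_HERE"  # private_key_encrypted

# Load your RSA private key (PEM format)
with open("private.pem") as f:
    rsa_key = RSA.import_key(f.read())

# Decrypt using RSA-OAEP with SHA-256
cipher = PKCS1_OAEP.new(rsa_key, hashAlgo=SHA256)
plaintext = cipher.decrypt(b64decode(encrypted))

# Demonstration only: do not log the key in production (see Security Notes)
print("Wallet Private Key:", plaintext.decode())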
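Go

package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"log"
)

// Your RSA private key (PEM format)
const privateKeyPEM = `-----BEGIN PRIVATE KEY-----
YOUR_RSA_PRIVATE_KEY_CONTENT
-----END PRIVATE KEY-----`

func main() {
	encrypted := "BASE64_PAYLOAD_HERE" // private_key_encrypted

	block, _ := pem.Decode([]byte(privateKeyPEM))
	if block == nil {
		log.Fatal("failed to decode PEM block")
	}
	// "BEGIN PRIVATE KEY" is PKCS#8; use x509.ParsePKCS1PrivateKey for "BEGIN RSA PRIVATE KEY"
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		log.Fatal(err)
	}
	privateKey, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		log.Fatal("not an RSA private key")
	}
	cipherData, err := base64.StdEncoding.DecodeString(encrypted)
	if err != nil {
		log.Fatal(err)
	}
	// Decrypt using RSA-OAEP with SHA-256
	plaintext, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, privateKey, cipherData, nil)
	if err != nil {
		log.Fatal(err)
	}
	// Demonstration only: do not log the key in production (see Security Notes)
	fmt.Println("Wallet Private Key:", string(plaintext))
}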
PHP

<?php
// Encrypted payload from API (private_key_encrypted)
$encrypted = 'BASE64_PAYLOAD_HERE';

// Your RSA private key (PEM format)
$privateKeyPem = <<<PEM
-----BEGIN PRIVATE KEY-----
YOUR_RSA_PRIVATE_KEY_CONTENT
-----END PRIVATE KEY-----
PEM;

// Decode Base64 (strict mode rejects characters outside the Base64 alphabet)
$ciphertext = base64_decode($encrypted, true);
if ($ciphertext === false) {
    throw new RuntimeException('Failed to base64-decode encrypted payload.');
}

// Load private key
$privateKey = openssl_pkey_get_private($privateKeyPem);
if ($privateKey === false) {
    throw new RuntimeException('Failed to load RSA private key.');
}

// Decrypt using RSA-OAEP + SHA-256.
// The fifth argument ($digest_algo) sets the OAEP hash and requires PHP 8.5+;
// earlier PHP versions always use SHA-1 for OAEP and cannot decrypt this payload.
$plaintext = '';
$ok = openssl_private_decrypt(
    $ciphertext,
    $plaintext,
    $privateKey,
    OPENSSL_PKCS1_OAEP_PADDING,
    'sha256'
);
if (!$ok) {
    throw new RuntimeException('RSA decryption failed: ' . openssl_error_string());
}

// Result: raw wallet private key (usually hex string)
// Demonstration only: do not log the key in production (see Security Notes)
echo "Wallet Private Key: " . $plaintext . PHP_EOL;
Security Notes
The decrypted wallet private key should never be logged, uploaded, or stored in plaintext.
Store it only in a secure enclave, HSM, or isolated encrypted storage.
If your RSA private key is compromised, immediately rotate RSA keys and regenerate affected wallets.
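The following Node.js check is an added example, not part of the platform's own samples: it wraps the decryption flow above with the ciphertext-length and hex-format checks implied by Encryption Details, returns the key as a Buffer that can be wiped as the Security Notes require, and self-tests against a throwaway key pair. The function names, the constructed sample wallet key, and the optional 0x prefix are assumptions.

```javascript
const crypto = require("node:crypto");

// Decrypts private_key_encrypted (Base64, RSA-OAEP with SHA-256). Returns the
// wallet key as a Buffer so the caller can wipe it with fill(0) after use.
function decryptWalletKey(privateKeyEncrypted, rsaPrivateKeyPem) {
  const key = crypto.createPrivateKey(rsaPrivateKeyPem);
  const ciphertext = Buffer.from(privateKeyEncrypted, "base64");
  // An RSA ciphertext is exactly as long as the modulus; catches truncated input.
  const expected = key.asymmetricKeyDetails.modulusLength / 8;
  if (ciphertext.length !== expected) {
    throw new Error(`ciphertext is ${ciphertext.length} bytes, expected ${expected}`);
  }
  const plaintext = crypto.privateDecrypt(
    { key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" },
    ciphertext
  );
  // The plaintext should be a hex string (optional 0x prefix is an assumption).
  if (!/^(0x)?[0-9a-fA-F]+$/.test(plaintext.toString("latin1"))) {
    plaintext.fill(0);
    throw new Error("decrypted payload is not a hex string");
  }
  return plaintext;
}

// Self-test against a throwaway key pair and a constructed (not real) wallet key.
function selfTest() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  const sampleWalletKey = "ab".repeat(32); // constructed 64-character hex string
  const encrypt = (oaepHash) => crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash },
    Buffer.from(sampleWalletKey)
  ).toString("base64");

  const walletKey = decryptWalletKey(encrypt("sha256"), privateKey);
  const roundTripOk = walletKey.toString() === sampleWalletKey;
  walletKey.fill(0); // wipe the key material once it has been used

  // A payload encrypted with OAEP/SHA-1 (a common library default) must be rejected.
  let sha1Rejected = false;
  try { decryptWalletKey(encrypt("sha1"), privateKey); } catch { sha1Rejected = true; }
  return { roundTripOk, sha1Rejected };
}

console.log(selfTest()); // prints only the two booleans, never key material
```

Running the self-test in the target runtime confirms that the OAEP hash is really SHA-256 there before a live wallet payload is handled.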