Signing & Key Management

Ethereum accounts are derived from cryptographic key pairs. Your identity is a private key, and you prove ownership by signing data with it. This section covers every way Nethereum can store, manage, and use signing keys — from in-memory keys to cloud HSMs.

How Ethereum Accounts Work

Private Key (32 bytes)
→ Public Key (64 bytes, via ECDSA)
→ Address (20 bytes, via Keccak-256)
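The derivation chain above, carried through by hand and then used to prove ownership with a signature. This is an added example, not code from the Nethereum documentation; it assumes the Nethereum.Signer and Nethereum.Util packages, and the message string is a constructed sample.

```csharp
using System;
using System.Linq;
using Nethereum.Hex.HexConvertors.Extensions;
using Nethereum.Signer;
using Nethereum.Util;

// Case-insensitive address comparison (checksummed vs lowercase hex).
static bool SameAddress(string a, string b) =>
    string.Equals(a, b, StringComparison.OrdinalIgnoreCase);

// Throwaway key generated at runtime; it is not tied to any real account.
var key = EthECKey.GenerateKey();

// Private key -> uncompressed public key without the 0x04 prefix (64 bytes).
byte[] publicKey = key.GetPubKeyNoPrefix();

// Address = last 20 bytes of Keccak-256(public key).
byte[] hash = Sha3Keccack.Current.CalculateHash(publicKey);
string manualAddress = "0x" + hash.Skip(12).ToArray().ToHex();

// The library performs the same derivation and returns a checksummed address.
string libraryAddress = key.GetPublicAddress();
Console.WriteLine($"public key bytes : {publicKey.Length}");
Console.WriteLine($"manual address   : {manualAddress}");
Console.WriteLine($"library address  : {libraryAddress}");
Console.WriteLine($"derivations match: {SameAddress(manualAddress, libraryAddress)}");

// Proving ownership: sign a message, then recover the signer's address from
// the signature alone. The verifier never sees the private key.
var signer = new EthereumMessageSigner();
string message = "example.org login, nonce 7f3a91"; // constructed sample
string signature = signer.EncodeUTF8AndSign(message, key);
string recovered = signer.EncodeUTF8AndEcRecover(message, signature);
Console.WriteLine($"signer recovered : {SameAddress(recovered, libraryAddress)}");

// A signature is bound to the exact bytes signed: recovering against an
// altered message yields a different address, so verification fails.
string tampered = signer.EncodeUTF8AndEcRecover(message + "!", signature);
Console.WriteLine($"tampered accepted: {SameAddress(tampered, libraryAddress)}");
```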

EOA vs Smart Account

  • Externally Owned Account (EOA) — controlled by a private key
  • Smart Contract Account — controlled by code (ERC-4337 account abstraction)
  • Delegated EOA — an EOA that temporarily runs a smart contract's code via EIP-7702

Nethereum Account Types

Account (Private Key)

The most common type. Signs transactions locally before sending:

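using Nethereum.Web3;
using Nethereum.Web3.Accounts;

// Publicly known development key (default account 0 in Hardhat and Anvil); use it only on local test chains.
// In a real deployment, load the key from a secret store or environment variable rather than source code.
var privateKey = "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80";
var account = new Account(privateKey, chainId: 1);
var web3 = new Web3(account, "https://your-rpc-url");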

Creating a New Account

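using Nethereum.Hex.HexConvertors.Extensions; // ToHex()
using Nethereum.Signer; // EthECKey

var ecKey = EthECKey.GenerateKey(); // fresh random key pair
var privateKey = ecKey.GetPrivateKeyAsBytes().ToHex();
var account = new Account(privateKey, chainId: 1);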

HD Wallet Derivation

Derive multiple accounts from a mnemonic phrase:

using Nethereum.HdWallet;

// The second argument is the optional seed password (null = none)
var wallet = new Wallet("rapid squeeze excess salute ...", null);
var account0 = wallet.GetAccount(0, chainId: 1);
var account1 = wallet.GetAccount(1, chainId: 1);

ExternalAccount (Hardware Wallets, KMS, Browser Wallets)

For situations where the private key is not directly available — signing is delegated to an external device or service:

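// myExternalSigner is any IEthExternalSigner implementation (hardware wallet, KMS, browser wallet)
var externalAccount = new ExternalAccount(myExternalSigner, chainId: 1);
// Retrieves the account address from the external signer
await externalAccount.InitialiseAsync();
var web3 = new Web3(externalAccount, "https://your-rpc-url");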

Once initialised, ExternalAccount works identically to Account with Web3 — you call the same web3.Eth methods, and signing is handled transparently.

Account Type Comparison

| Feature | Account | ExternalAccount |
| --- | --- | --- |
| Private key location | In-memory | External device/service |
| Signing | Local, immediate | Delegated via IEthExternalSigner |
| Use case | Servers, scripts, automation | Hardware wallets, KMS, browser |
| Security | Key in process memory | Key never exposed |

Choosing a Key Storage Method

| Method | Package | Security Level | Best For |
| --- | --- | --- | --- |
| In-memory key | Nethereum.Web3 | Low — key in process memory | Scripts, testing, automation |
| Keystore files | Nethereum.KeyStore | Medium — encrypted at rest, password-protected | Desktop apps, CLI wallets |
| HD Wallets | Nethereum.HDWallet | Medium — one seed backs up many accounts | Multi-account wallets, recovery |
| Hardware wallets | Nethereum.Signer.Ledger, .Trezor | High — key never leaves device | End-user wallets, high-value accounts |
| Cloud KMS | Nethereum.Signer.AWSKeyManagement, .AzureKeyVault | Very High — FIPS 140-2 HSMs | Production servers, institutional custody |

Rule of thumb: Use the simplest option that meets your security requirements. For testing, an in-memory key is fine. For production with real funds, consider hardware wallets or cloud KMS.

Guides

Keys & Signing

| Guide | What You'll Learn |
| --- | --- |
| Keys & Accounts | Generate EC keys, create accounts, and understand Account vs ExternalAccount |
| Message Signing | Sign and verify messages with personal_sign (wallet authentication, SIWE) |
| EIP-712 Typed Data Signing | Sign structured typed data for permits, meta-transactions, and off-chain approvals |

Key Storage & Derivation

| Guide | What You'll Learn |
| --- | --- |
| KeyStore Files | Encrypt private keys to password-protected JSON files (Scrypt/PBKDF2) |
| HD Wallets | Derive multiple accounts from a single mnemonic phrase (BIP-39/BIP-32) |

External Signers

| Guide | What You'll Learn |
| --- | --- |
| Hardware Wallets | Sign transactions with Ledger and Trezor — private key never leaves the device |
| Cloud KMS | Sign with AWS KMS or Azure Key Vault HSMs — enterprise-grade key management |

Next Steps

Reading in order: Keys & Accounts → Message Signing → EIP-712 Signing → KeyStore Files → HD Wallets → Hardware Wallets → Cloud KMS.

Jump to what you need: Start with Keys & Accounts if you're new to Ethereum keys. For off-chain signatures, go to EIP-712. For key storage, start with KeyStore Files.