How to manage keys for Nostr

- Nostr Product Development
  Focused engineering support for teams building Nostr-native products, tools, and protocol-aware user experiences.
- Bitcoin Product Development
  Specialist engineering for Bitcoin-native and Bitcoin-aligned products with stronger ownership, payments, and digital sovereignty models.
- About
  Learn more about Threenine, our direction, and why we build in this space.
- Blog
  Articles, News and Insights

In Nostr, key management is not an advanced topic. It is the core topic.

Your private key is what proves your identity. If somebody else gets it, they can act as you. If you lose it without a backup, there is no normal recovery flow.

That is the trade-off. More control, less babysitting from a platform.

If you need the wider protocol context first, read What is Nostr? and How to get started with Nostr.

What Nostr keys actually are

A Nostr identity is based on a cryptographic key pair:

a public key, which identifies you
a private key, which signs events as you

In NIP-19 format, you will commonly see:

npub... for a public key
nsec... for a private key

The public key is meant to be shared.

The private key is not.

Why key management matters more on Nostr

On a normal social platform, the provider controls account recovery. On Nostr, there is no central recovery authority.

That means you are responsible for:

secure storage
secure backup
safe signing habits
migration if the key is compromised

That sounds harsh, but it is also what makes Nostr more self-sovereign than account systems built around email resets and phone-number recovery.

NIP-19 and human-readable key formats

NIP-19 defines Bech32-based encodings for common Nostr identifiers.

Common examples include:

npub , public key
nsec , private key
note , note/event id
nprofile , profile reference
nevent , event reference

These formats are easier for humans to handle than raw hex strings, but the underlying secrecy rule still applies: nsec must stay secret.

Best practices for managing Nostr keys

1. Back up the private key immediately

As soon as a key is created or imported, back it up.

Do not tell yourself you will do it later. Later is where people get wrecked.

2. Keep at least one offline backup

A strong baseline is to keep a backup offline in a place you physically control.

Examples:

a written copy stored securely
an engraved or stamped backup for durability
encrypted offline storage you actually know how to recover from

3. Use a trusted password manager as a secondary backup

A good password manager can be a reasonable encrypted backup location, provided the password manager itself is secured well.

That means:

strong master password
MFA where available
not relying on it as the only backup

4. Use a signer instead of pasting raw keys into sites

If you are using Nostr on the web, use a signer such as a NIP-07 browser extension rather than pasting your nsec into websites.

That reduces one of the dumbest and most common risks in the ecosystem.

If you need the background, read What is a NIP-07 signer?.

5. Use separate keys when the use cases are genuinely different

You do not need one single Nostr identity for every purpose.

Separate keys can make sense for:

personal use
public professional identity
experimental or disposable activity
high-risk versus low-risk usage

This limits blast radius if one key or environment is compromised.

6. Test recovery before you need recovery

A backup you have never tested is just a story you are telling yourself.

Verify that you can actually recover the key on a clean device or in a controlled test flow.

What to avoid

Do not store your `nsec` in plain text cloud notes

That includes:

random notes apps
unencrypted documents
screenshots in photo libraries
email drafts
chat messages to yourself

Do not reuse a key casually across every context

The more places the key appears, the more ways it can leak.

Do not assume decentralization replaces operational security

Nostr can remove some central points of failure. It does not save you from bad habits.

Hardware and advanced approaches

For users who want stronger security, there are more advanced patterns.

These can include:

hardware-backed signing where supported
remote signers such as bunker-style setups
carefully separated online and offline environments
deterministic key-derivation strategies for advanced operators

The important thing is not to cargo-cult advanced setups you do not understand. A simple backup plan that you can actually maintain beats an elaborate setup you will screw up.

stop using it for new trusted activity
create a new key pair
move your public-facing identity where practical
notify important contacts if needed
update profiles, signer setups, and related services

There is no magic revoke button that fixes everything. The realistic response is migration.

Key management for teams or businesses

Once multiple people are involved, the problem changes.

A business should not casually run critical identity or payment activity from one raw key sitting in one person’s browser.

For more serious operations, you start thinking about:

role separation
approval policies
shared custody or delegated control patterns
auditability
hardware-backed signing where appropriate

That is a different maturity level than personal key storage, and it should be treated that way.

Conclusion

Managing Nostr keys well is mostly about discipline, not hype.

The basics are simple:

back up the key
keep the backup secure
use a signer where possible
separate identities when it makes sense
test recovery before disaster forces the issue

If you do that, you are already ahead of a depressing number of people.