CCipherBack to Docs
Docs/Getting Started/Understanding Your Keys
Getting Started

Understanding Your Keys

Learn how Cipher uses cryptographic keys to protect your messages and secure your assets.

The Key Hierarchy

Your 12-word seed phrase is the root of all your keys in Cipher. From this single source, the app derives multiple specialized keys for different purposes:

Seed Phrase (12 words)
    │
    ├── Identity Key (Ed25519)
    │   └── Signs your profile and prekeys
    │
    ├── Signed Prekey (X25519)
    │   └── Medium-term key for sessions
    │
    ├── One-Time Prekeys (X25519)
    │   └── Ephemeral keys for forward secrecy
    │
    └── Wallet Keys
        ├── Ethereum (secp256k1)
        ├── Bitcoin (secp256k1)
        └── TKS (ed25519)

Key Types Explained

Identity Key (Ed25519)

Your long-term identity. This key signs your profile information and other keys. It's how other users verify it's really you. Never changes unless you create a new account.

Signed Prekey (X25519)

A medium-term key that rotates periodically (every 30 days by default). Used in the X3DH key agreement when establishing new sessions. Signed by your identity key for authenticity.

One-Time Prekeys (X25519)

Ephemeral keys uploaded to the network. Each one is used once when someone initiates a conversation with you, then discarded. Provides forward secrecy.

Wallet Keys

Derived using BIP-44 paths for each supported blockchain. These keys sign transactions and prove ownership of your assets. Each chain may use different cryptographic curves.

How Forward Secrecy Works

Cipher implements "forward secrecy" using the Double Ratchet algorithm. Here's what that means:

  1. Each message uses a unique key derived from the conversation's ratcheting state
  2. Keys are immediately deleted after encrypting/decrypting a message
  3. Past messages stay secure even if your current keys are compromised
  4. Future messages become secure again after a few message exchanges (post-compromise security)

This means that even if an attacker somehow obtains your current session keys, they cannot decrypt old messages—those keys no longer exist.

Self-Custody: You Hold the Keys

Unlike traditional apps where the company controls your account:

  • Your keys never leave your device (except encrypted backups you control)
  • Cipher cannot read your messages because we don't have your keys
  • Cipher cannot freeze your wallet because we don't control it
  • No one can reset your password because there is no password—only your seed phrase

This is true self-custody. With great power comes great responsibility: if you lose your seed phrase, no one can help you recover your account.

Key Storage Security

On your device, keys are stored in secure enclaves when available:

  • iOS: Secure Enclave via Keychain
  • Android: StrongBox or TEE-backed Keystore
  • Desktop: OS-specific secure storage with optional hardware key support

Even if someone accesses your device's filesystem, they cannot extract your keys without breaking the secure hardware.

What If My Device Is Lost or Stolen?

If you lose your device:

  1. Your keys are protected by device encryption and biometrics
  2. Recover on a new device using your seed phrase
  3. Past messages stored only on your old device are lost (unless you have encrypted backups)
  4. Wallet funds are safe and accessible from your new device immediately

For maximum security, enable remote wipe on your device and ensure you have your seed phrase stored safely offline.

Creating Your AccountYour First Message