This is a guide to exporting your wallet or private key from Turnkey. For more information about the security of this flow, check out Enclave secure channels.
Export a wallet (Turnkey activity)
--export-bundle-output
flag (required) is the desired output file path for the “encrypted bundle” that will be returned by Turnkey. This bundle contains the encrypted key material.Decrypt the bundle
--export-bundle-input
flag (required) is the filepath for the “encrypted bundle” (from the previous step) that will be decrypted.--plaintext-output
flag (optional) is a filepath for the decrypted plaintext to be written to.--signer-quorum-key
flag (optional) is the public key of Turnkey’s signer enclave. This is a static value.--encryption-key-name
flag (optional) is a local encryption key. This is required for import and export using the CLI. A new one can be generated using turnkey generate encryption-key
. See turnkey generate --help
for more details.Export a private key (Turnkey activity)
--export-bundle-output
flag (required) is the desired output file path for the “encrypted bundle” that will be returned by Turnkey. This bundle contains the encrypted key material.Decrypt the bundle
--export-bundle-input
flag (required) is the file path for the “encrypted bundle” (from the previous step) that will be decrypted.--plaintext-output
flag (optional) is a filepath for the decrypted plaintext to be written to.--signer-quorum-key
flag (optional) is the public key of Turnkey’s signer enclave. This is a static value.--solana-address
flag (optional) is the solana address corresponding to the private key you’re exporting. This will export the private key in a format compatible with most solana wallets (e.g. phantom). If unset, the resulting private key will be plain hex.--encryption-key-name
flag (optional) is a local encryption key. This is required for import and export using the CLI. A new one can be generated using turnkey generate encryption-key
. See turnkey generate --help
for more details.Export a wallet account (Turnkey activity)
--export-bundle-output
flag (required) is the desired output file path for the “encrypted bundle” that will be returned by Turnkey. This bundle contains the encrypted key material.Decrypt the bundle
--export-bundle-input
flag (required) is the file path for the “encrypted bundle” (from the previous step) that will be decrypted.--plaintext-output
flag (optional) is a filepath for the decrypted plaintext to be written to.--signer-quorum-key
flag (optional) is the public key of Turnkey’s signer enclave. This is a static value.--solana-address
flag (optional) is the solana address corresponding to the private key you’re exporting. This will export the private key in a format compatible with most solana wallets (e.g. phantom). If unset, the resulting private key will be plain hex.--encryption-key-name
flag (optional) is a local encryption key. This is required for import and export using the CLI. A new one can be generated using turnkey generate encryption-key
. See turnkey generate --help
for more details.export.turnkey.com
meant to be embedded as an iframe element (see the code here). This ensures the mnemonics are encrypted to keys that the user has access to, but that your organization does not (because they live in the iframe, on a separate domain).@turnkey/iframe-stamper
@turnkey/iframe-stamper
to insert a new iframe element:EXPORT_WALLET
activity with the wallet ID and the iframe public
key in the parameters.EXPORT_WALLET_ACCOUNT
activity and the injectKeyExportBundle
method from the @turnkey/iframe-stamper
. You can pass an optional keyFormat
parameter to injectKeyExportBundle()
that will apply either hexadecimal or Solana-specific formatting to the private key that is exported in the iframe. The default key format is HEXADECIMAL
, which is used by MetaMask, MyEtherWallet, Phantom, Ledger, and Trezor for Ethereum keys. For Solana keys, you will need to pass the SOLANA
key format.
EXPORT_PRIVATE_KEY
activity and the injectKeyExportBundle
method from the @turnkey/iframe-stamper
. You can pass an optional keyFormat
parameter to injectKeyExportBundle()
that will apply either hexadecimal or Solana-specific formatting to the private key that is exported in the iframe. The default key format is HEXADECIMAL
, which is used by MetaMask, MyEtherWallet, Phantom, Ledger, and Trezor for Ethereum keys. For Solana keys, you will need to pass the SOLANA
key format.
Initialize a new Turnkey client
Generate a new P256 Keypair — this will serve as the target that Turnkey will encrypt key material to
Call export (Turnkey activity)
Decrypt encrypted bundle
Initialize a new Turnkey client
Generate a new P256 Keypair — this will serve as the target that Turnkey will encrypt key material to
Call export (Turnkey activity)
Decrypt encrypted bundle
Initialize a new Turnkey client
Generate a new P256 Keypair — this will serve as the target that Turnkey will encrypt key material to
Call export (Turnkey activity)
Decrypt encrypted bundle
Initialize Turnkey client
Generate a new P256 Keypair — this will serve as the target that Turnkey will encrypt key material to
Save the private key in Local Storage
Call export (Turnkey activity)
exportWallet
activity:Decrypt encrypted bundle
Remove embedded key from Local Storage. This is recommended because (1) this key doesn't have to be persistent in the first place, and (2) reduces the risk of pattern detection.
Initialize Turnkey client
Generate a new P256 Keypair — this will serve as the target that Turnkey will encrypt key material to
Save the private key in Local Storage
Call export (Turnkey activity)
Decrypt encrypted bundle
Remove embedded key from Local Storage. This is recommended because (1) this key doesn't have to be persistent in the first place, and (2) reduces the risk of pattern detection.
Initialize Turnkey client
Generate a new P256 Keypair — this will serve as the target that Turnkey will encrypt key material to
Save the private key in Local Storage
Call export (Turnkey activity)
exportWalletAccount
activity:Decrypt encrypted bundle
Remove embedded key from Local Storage. This is recommended because (1) this key doesn't have to be persistent in the first place, and (2) reduces the risk of pattern detection.
index
. Creating a wallet account with an index specified could lead to unexpected behavior when exporting and importing into another wallet.
When importing into a multichain wallet such as Phantom, see this guide on matching private keys across Solana, Ethereum, and Polygon.
When exporting, if you export with the hexadecimal
format, you can easily convert to base58 (Phantom-compatible) with a script like the following: