Steem Private and Public Keys Demystified


One of the cryptic aspects of Steem is the user keys. Private, public, owner, password, posting, active, memo, cryptography. All these words can be very confusing for newbies. Don't be discouraged, it's not as complicated as it sounds. Let's start with a quick explanation of what public-key cryptography (or asymmetrical cryptography) is. I won't go into too much detail; I will try to keep things as easy to understand as possible. You can check this link for a nice and detailed explanation. Or google your way to some hardcore mathematical explanations.

In a nutshell, you have a pair of keys, one private and one public.


You use your private key to encrypt and sign a message. The ENcrypted message can then be DEcrypted using the public key while confirming that the message was authentically signed by you. The reverse process is possible too, but with a beautiful twist. Someone else may use your public key to encrypt a message and send it to you, but that message can ONLY be decrypted using your private key. Thus, anyone intercepting the encrypted message cannot do anything with it because they don't have your private key. The whole purpose of this system: authentication. That's why it's very important to keep your private key secure, while you can safely share your public key with everyone.


What does that have to do with Steem?

Steem uses this asymmetrical cryptography to secure and authenticate every transaction: upvote, memo, transfer, post, etc. Every time you do any of those activities, you're actually signing them with your private key. Then, the system validates your transactions by using your public key. Authenticated transactions are added to the blockchain, while non-authenticated ones are rejected. It makes sense, doesn't it? Imagine someone trying to impersonate you to drain your precious wallet. If they don't have your private key to sign the transaction, then they won't be able to surprise you when you wake up in the morning!


The different Steem keys

There is a Steemit FAQ section that underlines the usage of each key.

Owner key - The owner key is only meant for use when necessary. It is the most powerful key because it can change any key of an account, including the owner key. Ideally it is meant to be stored offline, and only used to recover a compromised account. It's the most important key. Keep it safe and don't use it to login unless you really have to. Use the Posting key to login to your account.

Active key - The active key is meant for more sensitive tasks such as transferring funds, power up/down transactions, converting Steem Dollars, voting for witnesses, updating profile details and avatar, and placing a market order.

Posting key - The posting key allows accounts to post, comment, edit, vote, resteem, and follow or mute other accounts. Most users should be logging into Steemit every day with the posting key. You are more likely to have your password or key compromised the more you use it so a limited posting key exists to restrict the damage that a compromised account key would cause.

Memo key - Currently the memo key is not used.

A quick tip to distinguish between the Steem keys:

Owner key starts with: P5
Private keys start with: 5
Public keys all start with: STM

How to retrieve the private and public keys?

  • Log in with your password; this allows you to reveal all the private keys.
  • Go to your Wallet, Permissions, and click on "Show Private Key" or "Login to Show". Notice that by default, the public keys are shown. Also, there is no button to show the private owner key; it's an extra security measure.

  • To reveal the Active Private Key, press "Show Private Key" and you will get this pop up box. Paste your password in it and press Login.

  • After you have retrieved your keys, SAVE them somewhere secure.
  • Log out and log in again, but this time use the posting private key, as recommended in the FAQ.

What if the keys are compromised?

It may happen that you accidentally paste one of your private keys in a public channel or in a chat. You should immediately reset your keys. You can do that by going to your Wallet, Password, and generating a new one. SAVE it. You don't need to worry about generating the other keys (Posting, Active, Memo) because they will be automatically derived from the new owner key. Then, redo the steps I explained earlier to retrieve the new private keys and save them.
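A pre-send check for your own drafts, built on the prefix tip and the accidental-paste scenario above (an added example, not code from Steem or from the original post). It assumes that a Steem private key is a Bitcoin-style WIF string (version byte 0x80, double SHA-256 checksum) and that a P5 value is the letter P followed by such a string; `scan`, `is_wif`, `make_wif` and `SAMPLE` are names made up for this example.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _check(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def make_wif(secret: bytes) -> str:
    """Encode a 32-byte secret as WIF; only used to build a constructed sample."""
    payload = b"\x80" + secret
    return b58encode(payload + _check(payload))

def is_wif(token: str) -> bool:
    """True if a base58 token decodes to 0x80 + 32 bytes + a valid checksum."""
    raw = b58decode(token)
    return len(raw) == 37 and raw[0] == 0x80 and raw[-4:] == _check(raw[:-4])

# Prefixes from the tip above (P5, 5, STM) followed by a run of base58 characters.
TOKEN = re.compile(r"\b(?:P5|5|STM)[1-9A-HJ-NP-Za-km-z]{40,60}\b")

def scan(text: str) -> list:
    """Return (kind, redacted) for each key-like token; never echo the full key."""
    hits = []
    for tok in (m.group(0) for m in TOKEN.finditer(text)):
        if tok.startswith("STM"):
            kind = "public"            # safe to share, listed for context only
        elif tok.startswith("P5") and is_wif(tok[1:]):
            kind = "owner"             # the page's P5 value: do not send
        elif tok.startswith("5") and is_wif(tok):
            kind = "private"           # posting/active/memo private key: do not send
        else:
            continue                   # right prefix but bad checksum: not a key
        hits.append((kind, tok[:4] + "..."))
    return hits

SAMPLE = make_wif(bytes(range(1, 33)))  # constructed key, not any real account's
```

Any `owner` or `private` hit means the draft should not be posted; if it already was, reset the keys as described above.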



Conclusion

  • Never share your private keys with anyone.
  • Public keys are safe to share.
  • Keep your keys secure.