Try   HackMD

Polkadot Key Derivation Paths

All paths as per subkey standard.

Overview

Mnemonic (BIP32) -> Seed -> Root-Secret (/Root-Public) -> Derive to account keys

Root-Public key should be shown in UI as an SS58 with a prefix index of 1 (BareSr25519) or 3 (BareEd25519) - depending on crypto used.

Root-Secret should never be shown or exported from UI (only the mnemonic, if needed).

Derivations should be based on networks:

  • //polkadot -> Polkadot top-level and primary full-security key. This key and others derived under this should be shown using SS58 with a 0 (Polkadot) prefix and with a Polkadot identicon.
  • //kusama -> Kusama top-level and primary high-security key. This key and others derived under this should be shown using SS58 with a 2 (Kusama) prefix and with a Polkadot identicon.
  • Generally //<network_id> for the top-level key for any given network, where <network_id> is exactly the id field in the network's chain spec.

Other standard paths for more sophisticated wallets:

  • //<network>//0, //<network>//1, : Secondary full-security keys.
  • //<network>//hot: Primary partial-security key. On Polkadot Vault, this could coventionally be exported for use on a hot device such as a desktop. If compromised it does not compromise the Vault, but if lost it can be recovered from the Vault. Apps which expect internet connectivity and store the key locally might have a initialization option which is to scan a Vault hot key.
  • //<network>//pub: Primary public account. Any secondary paths from here can be soft derived in order to create a provable connection between the public keys. Wallets may choose to associate this with some on-chain identity.
Last changed by 
Polkadot Ideas
0
706
Published on HackMD