Generating A Keypair With Nostr

6 minute read

The intention of this article to talk about key pairs and authentication, and how to generate a key pair to use nostr Notes and Other Things Over Relays.

nostr uses public key authentication or PKI, which is a departure from what you may be used to when logging in to a website or application. Authentication is done based off of what we call a key pair, or a public and private key. To further complicate things, you can login to a nostr client using just a public key (also called a pubkey or npub), without a password. If you do this, you will get a read only experience, you won’t be able to post, or read private DM messages.

You can think of the public key like your username, that you can share freely so your friends can add you. You can also use someone else’s public key to see their feed as they see it, you just can’t post as them without their private key.

The private key you can think of like your password, except it can’t be reset – so if your private key is ever compromised you should consider it gone forever. This means you need to guard the private key at all costs. A private key is needed to post to nostr, and read private DMs.

Most new users coming in to nostr aren’t aware or explained any of this, so you rely on the nostr client application to generate your key pair for you, and this is very dangerous because if the app developer is malicious or the app you’re using is compromised, they can covertly record this private key they’ve assigned to you.

As a result, it is my recommendation you generate a key pair locally on the command-line on your personal computer’s terminal or console, instead of trusting the nostr client. You can do this by running:

  $ openssl rand -hex 32

The above command will generate a private key for you. The public key can be mathematically derived from entering this newly generated private key into the nostr client application. While you can trust the nostr client to derive your public key from your private key, you shouldn’t enter a private key into a client directly, ever. Instead, use a browser plugin like nos2x or Alby to send the private key to the application for you. Once you enter your private key into this plugin, it can securely send your private key on to the application. These plugins will also derive your public key from the private key, so you can use them to enter the private and/or public key into the application for you.

While openssl should be included with your operating system, you can also use noscl to generate keys and sign messages:

# Generate a new private key:
$ noscl key-gen
seed: crowd coconut donate calm position chuckle update friend ball gospel sudden answer bitter dinosaur wise express jaguar file praise pact defy system struggle offer
private key: 5a860fa953c9162611f2e2813ee0526370664534412f31611a4a89149c6bbc9d

# Set the new private key in noscl for usage
$ noscl setprivate 5a860fa953c9162611f2e2813ee0526370664534412f31611a4a89149c6bbc9d

# Derive the public key from your private key so you can share with others: 
$ noscl public

One further thing to note from a privacy perspective, is that the people you follow, and the list of your DMs can be read by anyone with your public key (which they need to be able to add you). This is an issue that still needs to be resolved with the protocol, but it’s important for you to know. For example, not only can I add you with your public key, but I can also login to a client with your public key to see who you’re following or who you’ve been DMing with – but I can’t read the DMs themselves, for that I would need your private key.

The other unique property that is unique to nostr over traditional social media, is I could create a key pair and curate a topical follow list. For example, I could add all of the bitcoiners I know, or people with certain political beliefs, and share that public key, and anyone with that public key would now be able to login and read the exact same feed. Said another way, you can login with a public key to a nostr client and you would see the same feed as that user – with the exception that you need the private key to be able to post as that user or read their private messages. While this creates some privacy challenges, it also creates some opportunities not seen before with traditional username/password social media platforms.

While technically you have generated hex based keys you can now use, they look very similar, so you could accidentally share your private key. To solve for this there’s a new NIP-19 standard (also called bech32) that isn’t technically in the core protocol, but most clients accept, that makes things more readable so you’re less prone to accidentally using a private key when you meant to use a public one, as they prefix the keys with npub and nsec respectically (and note, for notes). You can use key-convertr to convert your keys to bech32 on the command line. If you have a NIP-19 compliant key pair, you know that npub* keys can be shared, and nsec* keys should never be shared.

If you want to dive into the weeds a little further, you can now interact with nostr directly without an app, on the command-line using nostril, although I recommend just trying all of the various nostr clients and find the one that works the best for your needs and your operating system. Note that each nostr client may do many different things and have different features on the nostr protocol, so if you’re enjoying your nostr client, be sure to include the name of the nostr client you’re using and don’t just refer to it as a problem or enjoyment with nostr in general, unless that’s what you’re experiencing :D

As your public key respresents you, you may want to go through the extra effort of generating a vanity public key, and you can do this with rana, allowing you to generate a hex word prefix. Note that if you’re looking for a vanity npub prefix, your options are limited to 023456789acdefghjklmnpqrstuvwxyz and every extra letter you add will take a lot more processing power – which could take days, weeks, or longer.

If you want to experiment anonymously before creating your own key pair, here’s one of mine, with an npub1nerd prefix:

npub1nerdg3r7aq2sqvwpup3wdf72sc8wuhzsneqdjvfjdft0j0dxjg5qhqkdl4
nsec14g7d8awgv4e45z0u8k6p7jl7wpk8xhvqt42qvfquwvhkv59xsctqrmq5gd

If you want to get really fancy, or NIP-05 verified, (think of it like the blue check mark on Twitter) on your website create a .well-known/nostr.json with your username and pubkey, and then add that to your profile in your nostr client. For example, I created https://krisconstable.com/.well-known/nostr.json with this:

{
  "names": {
    "cqwww": "af30bf9b7c8843a1f323699a8320a879dfee4b17512696fec39969db284af14a"
  }
}

and then in my nostr profile in my favourite client I added cqwww@krisconstable.com (so it would look for userid cqwww in nostr.json on krisconstable.com domain name). You also buy a NIP-05 id at https://nostrplebs.com/ instead of DIY.

Finally, you can have all of this done for you, and get a custom for-you t-shirt done for you over at nostrich.team!

See you on nostr, feel free to add me: af30bf9b7c8843a1f323699a8320a879dfee4b17512696fec39969db284af14a

Leave a comment