Understanding the Role of Your Nostr Keys

Public Key vs Private Key
When you generate a Nostr identity, you generate a cryptographic keypair. One is your public key (npub...), which is used to find you and your notes. The other is your private key (nsec...), which you use to interact. Everything you do is an event signed by your private key, which makes all of your actions provably yours. You are solely responsible for protecting your nsec. It is recommended to try Nostr with a test keypair before setting up anything you want to treat seriously.
Key Creation and Protection
Most Nostr clients will have the option to generate a keypair on-site or in-app. This is convenient for trying Nostr or a client. To make a keypair for long-term use, you might want to visit a site that provides some key security from the start. Your keys are a permanent set of identifiers; they cannot be changed or reset. You own them, and it is your responsibility to keep your private key safe.
When you are ready to set up a permanent identity, start in a place that specializes in Nostr key generation. Nstart and Hubstr are great places to start. NOA, the Nostr Onboarding App, is multiplatform with a native app, which makes it easier to share with friends. You can create a vanity npub through various methods as well, like https://www.nostr.rest/. There are other methods, but these are some of the most user-friendly ones that I have found. They provide some tools and guidance for creating your keypair in a safe manner. Once you've gone through the process, it is a good idea to write down your nsec and store it off of any devices, in case you lose access to your computer or phone.
Using a signer or a browser extension to house your nsec (private key) is the next step in keeping your identity safe. (Find out more under Key Management below.)
Portability of Your Keys
This is where all the magic happens. You can use your keys to sign into any Nostr app. If you sign in with your npub (public key), you enter a read-only mode. This is nice for seeing a client's interface before trying it. You can sign in with anyone's npub to see what their social feed looks like, too. You do not need to be concerned with security when using npub sign-in: your public key is fully public. Not all Nostr clients support this option, but many do.
Signing in with your nsec unlocks all the features of a client and enables you to interact on the protocol. Everything you do is signed by your nsec and made available under your npub. Using some sort of signer is obviously advised, to keep from exposing your nsec online.
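The signing described in the two sections above, as an added example that is not part of the original guide: a minimal BIP-340 Schnorr signer and verifier over secp256k1 in plain Python (the scheme Nostr uses), building a NIP-01 event whose id is the sha256 of its canonical JSON, signing it with the private key, and checking it with nothing but the 32-byte public key, which is all an npub encodes. Keys are handled as raw hex; the npub/nsec bech32 wrappers are assumed away, and the pure-Python curve arithmetic is for illustration rather than a constant-time production signer.

```python
import hashlib, json, secrets
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,  # generator point
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def _add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P
def _mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r
def _tagged(tag, *parts):  # BIP-340 tagged hash sha256(sha256(tag)||sha256(tag)||parts), as an int
    h = hashlib.sha256(tag.encode()).digest()
    return int.from_bytes(hashlib.sha256(h + h + b"".join(parts)).digest(), "big")
def pubkey(sk):  # x-only public key: the 32 raw bytes an npub encodes
    return _mul(sk, G)[0].to_bytes(32, "big")
def sign(sk, msg, aux=None):  # BIP-340 Schnorr signature over a 32-byte message (the event id)
    pt = _mul(sk, G)
    d, px = (sk if pt[1] % 2 == 0 else N - sk), pt[0].to_bytes(32, "big")  # force even-y key
    t = (d ^ _tagged("BIP0340/aux", aux or secrets.token_bytes(32))).to_bytes(32, "big")
    k0 = _tagged("BIP0340/nonce", t, px, msg) % N
    r = _mul(k0, G)
    k, rx = (k0 if r[1] % 2 == 0 else N - k0), r[0].to_bytes(32, "big")  # force even-y nonce
    e = _tagged("BIP0340/challenge", rx, px, msg) % N
    return rx + ((k + e * d) % N).to_bytes(32, "big")
def verify(pk, msg, sig):  # needs only the public key, exactly what npub read-only mode has
    x, r, s = (int.from_bytes(b, "big") for b in (pk, sig[:32], sig[32:]))
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)  # lift x to its point on the curve
    if x >= P or y * y % P != (x ** 3 + 7) % P or r >= P or s >= N: return False
    e = _tagged("BIP0340/challenge", sig[:32], pk, msg) % N
    R = _add(_mul(s, G), _mul(N - e, (x, y if y % 2 == 0 else P - y)))  # R = s*G - e*P
    return R is not None and R[1] % 2 == 0 and R[0] == r
def event_id(pk_hex, created_at, kind, tags, content):  # NIP-01: sha256 of the canonical JSON array
    ser = json.dumps([0, pk_hex, created_at, kind, tags, content], separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).digest()
def sign_event(sk, created_at, kind, tags, content, aux=None):  # what a signer does with your nsec
    pk = pubkey(sk)
    eid = event_id(pk.hex(), created_at, kind, tags, content)
    return {"id": eid.hex(), "pubkey": pk.hex(), "created_at": created_at, "kind": kind,
            "tags": tags, "content": content, "sig": sign(sk, eid, aux).hex()}
def verify_event(ev):  # what a relay or any reader does with only the author's npub
    eid = event_id(ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"])
    return eid.hex() == ev["id"] and verify(bytes.fromhex(ev["pubkey"]), eid, bytes.fromhex(ev["sig"]))
```

Re-attributing a signed event to another pubkey, or editing its content, makes verify_event fail, which is the sense in which every event is provably yours.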
Since all of your actions (aka events) are stored on relays and not by clients, all of your content, messages, and anything else become available in any client that supports those event types. Most social features, like replies and profile views, are available almost everywhere. Not all apps will support everything, but the ones that share a common theme will handle your events in similar ways. (For example, a marketplace listing made from one app will display across many apps. The comments and replies will, too, so there is no need to manage multiple listings to answer questions or mark something as sold.)
Key Management
This is an evolving field, with many methods of key management being explored. People, businesses, and institutions all have different needs.
- Signing Extensions keep your key in a browser extension, signaling to an app that a valid nsec is present. This sign-in method is available on most Nostr apps. It is the most convenient method of key management, but it does have limitations. Using an extension can be cumbersome on mobile devices, and the key could still be exposed by vulnerabilities in your browser or in the signer itself. Extensions also don't allow multiple users to sign events, as a business or organization might need.
- Key Bunkers enable the storage of key shards encrypted across multiple locations or in one spot. Bunker signing calls the encrypted key shards to decrypt for signing events. A bunker key, often called a bunker string, can be shared with staff or used to keep your key offline. They are revocable and replaceable. The process is currently a little complicated, and client support is somewhat limited. Adoption and improvement of this method is happening quickly, as the need for multi-party access to a profile increases.
- Native Signing Apps, like Amber for Android, make key storage and signing on mobile a simple process. These apps work to keep your key offline, similarly to a bunker, but it is all stored encrypted on your device. Most Nostr Android apps and web clients offer support for this method. Development of a similar iOS app is underway.
- Offline Hardware Signers, like standalone devices and NFC cards, are being explored and tested by many groups.
This is a very active development space, and this section will be updated as needed. Below are some suggestions for Nostr signers:
