Expand description
Minimal offline Bitcoin key generator for cold storage.
Generates a secp256k1 private key from OS-provided cryptographic randomness and derives the corresponding WIF, compressed public key, and native SegWit (Bech32) address. Designed for air-gapped key ceremonies.
§Library usage
The public API is four functions and one type:
| Function | Input | Output |
|---|---|---|
generate | — | Result<PrivateKey, Error> |
encode_wif | &PrivateKey | String (starts with K or L, 52 chars) |
derive_pubkey | &PrivateKey | [u8; 33] (compressed public key) |
derive_address | &[u8; 33] | String (Bech32 address, starts with bc1q) |
// 1. Generate a private key from OS randomness
let key = btc_keygen::generate()?;
// 2. Encode as WIF (for wallet import)
let wif = btc_keygen::encode_wif(&key);
// 3. Derive the compressed public key
let pubkey = btc_keygen::derive_pubkey(&key);
// 4. Derive the Bitcoin address
let address = btc_keygen::derive_address(&pubkey);PrivateKey zeroizes its bytes when dropped — you do not need to
clear it manually.
§Security
- Entropy comes from the OS CSPRNG via
getrandom. - Private key bytes are zeroized in memory when
PrivateKeyis dropped. - No networking code — the crate cannot leak secrets over the network.
- Elliptic curve operations use Bitcoin Core’s
libsecp256k1.
Structs§
- Error
- Error returned when key generation fails.
- Private
Key - A validated secp256k1 private key that zeroizes its bytes on drop.
Functions§
- derive_
address - Derives a native SegWit (P2WPKH) Bech32 address from a compressed public key.
- derive_
pubkey - Derives the compressed public key (33 bytes) from a private key.
- encode_
wif - Encodes a private key as a Wallet Import Format (WIF) string.
- generate
- Generates a new Bitcoin private key using OS-provided cryptographic randomness.