Skip to main content

Fireblocks Vault HD derivation paths

  • Updated

Fireblocks Vault is a BIP32-compatible Hierarchical Deterministic (HD) Wallet. If you’re not familiar with the concept of HD wallets and BIP32, start here.

Derivation paths

Fireblocks uses the following non-hardened BIP44 variant of derivation paths:

m / 44 / coin_type / account / change / address_index
  • coin_type - value is based on SLIP-44 standard.*
  • account - value is the ID of the vault account.  Account IDs are sequential and start with index 0.
  • change - is always set to 0.
  • address_index - is a sequential index starting from 0, where the permanent address of a wallet has index 0, and all other generated addresses (known in the UI as deposit addresses) start with index 1 and go up.

For example, an ETH wallet under the vault account with ID 0 has an HD derivation path of m/44/60/0/0/0.

*For BSC wallets, the derivation is based on the ETH constant in the SLIP-44 standard.

You can download the derivations paths of all wallets and addresses from your Console by selecting Export Vault Balances & Addresses at the top of your Vault account page, as seen below. For more information, see Exporting data from Fireblocks.

mceclip1.png

Using BIP32 tools, these derivation paths, combined with the Extended Private Key or the Extended Public Key, can derive a wallet's private key and public key/set of addresses, respectively.

Extracting the extended public key and extended private key of a Fireblocks Vault

Fireblocks supports two signing algorithms, ECDSA and EdDSA. Each of them has different pairs of extended public keys and private keys. ECDSA is used for signing transactions for most blockchains while the EdDSA is used for signing transactions for Algorand, Cardano, Polkadot, Solana, and Stellar blockchains.

The extended public keys for both ECDSA and EdDSA are available under the General tab on the Admin Settings page.

mceclip2.png

Their respective extended private keys are never held as one piece because they are secured with Fireblocks MPC technology. They can be reconstructed as part of the offline recovery and takeover process of the Vault.

ECDSA uses xpub and xprv keys, respectively.  Note that for EdDSA keys, Fireblocks uses proprietary formats marked as fpub and fprv. For an additional explanation, read the section below.

What are fprv & fpub?

Fireblocks MPC technology highly secures the private keys of customer vault accounts by having private key shards distributed between multiple co-signers and devices. The Fireblocks utilization of MPC for EdDSA requires a non-standard method of key generation and signing and therefore cannot be imported into other non-Fireblocks wallets.

Fireblocks' proprietary EdDSA private and public key pairs are prefixed with a special string (fprv and fpub, respectively) to distinguish them from the standard extended private key form.

See how to generate and sign a transaction using your fprv here.

If you would like to reconstruct a wallet address from the fpub, you can download the offline recovery utility. Then, run the following Python code from within the root directory of utility, where account is the vault account ID that contains the wallet address:

from utils import xlm_helpers
xlm_helpers.xpub_to_address(xpub = "YOUR_FPUB", account = 0)
Was this article helpful?
7 out of 7 found this helpful

Related Articles