Fireblocks Vault is a BIP32-compatible Hierarchical Deterministic (HD) Wallet. If you’re not familiar with the concept of HD wallets and BIP32, start here.
Derivation paths
Fireblocks uses the following non-hardened BIP44 variant of derivation paths:
m / 44 / coin_type / account / change / address_index
- coin_type - value is based on SLIP-44 standard.*
- account - value is the ID of the vault account. Account IDs are sequential and start with index 0.
- change - is always set to 0.
- address_index - is a sequential index starting from 0, where the permanent address of a wallet has index 0, and all other generated addresses (known in the UI as deposit addresses) start with index 1 and go up.
For example, an ETH wallet under the vault account with ID 0 has an HD derivation path of m/44/60/0/0/0.
*For BSC wallets, the derivation is based on the ETH constant in the SLIP-44 standard.
You can download the derivations paths of all wallets and addresses from your Console by selecting Export Vault Balances & Addresses at the top of your Vault account page, as seen below.
Using BIP32 tools, these derivation paths, combined with the Extended Private Key or the Extended Public Key, can derive a wallet's private key and public key/set of addresses, respectively.
Info
The BIP32 standard uses 32-bit integers for the vault account index and deposit address index within a vault account meaning you can create an approximate total of 2,147,483,647 vault accounts within a single Fireblocks workspace.
Fireblocks supports multiple deposit addresses for UTXO blockchains only. See the deposit addresses article for more details. The BIP32 standard uses 32-bit integers, meaning you can have another 2,147,483,647 addresses per UTXO asset wallet in a single vault account.
Extracting the extended public key and extended private key of a Fireblocks Vault
Fireblocks supports two signing algorithms, ECDSA and EdDSA. Each of them has different pairs of extended public keys and private keys. ECDSA is used for signing transactions for most blockchains while the EdDSA is used for signing transactions for Algorand, Cardano, Polkadot, Solana, and Stellar blockchains.
The extended public keys for both ECDSA and EdDSA are available under the General tab on the Admin Settings page.
Their respective extended private keys are never held as one piece because they are secured with Fireblocks MPC technology. They can be reconstructed as part of the offline backup and recovery process of the Vault.
ECDSA uses xpub and xprv keys, respectively. Note that for EdDSA keys, Fireblocks uses proprietary formats marked as fpub and fprv. For an additional explanation, read the section below.
What are fprv & fpub?
Fireblocks MPC technology highly secures the private keys of customer vault accounts by having private key shards distributed between multiple co-signers and devices. The Fireblocks utilization of MPC for EdDSA requires a non-standard method of key generation and signing and therefore cannot be imported into other non-Fireblocks wallets.
Fireblocks' proprietary EdDSA private and public key pairs are prefixed with a special string (fprv and fpub, respectively) to distinguish them from the standard extended private key form.
See how to generate and sign a transaction using your fprv here.
If you would like to reconstruct a wallet address from the fpub, you can download the offline recovery utility. Then, run the following Python code from within the root directory of utility, where account is the vault account ID that contains the wallet address:
from utils import xlm_helpers
xlm_helpers.xpub_to_address(xpub = "YOUR_FPUB", account = 0)