User Managed Keys
User managed keys are signing keys where the private key material is held exclusively on a hardware device that you control. Sigvault stores only the extended public key (xpub) and device fingerprint needed to build transactions and derive addresses.
How It Works
When you register a hardware device with Sigvault:
- The desktop app communicates with your hardware wallet over USB
- The device exports its extended public key (xpub) at a specific derivation path
- Sigvault stores the xpub along with the device’s fingerprint (a unique identifier derived from the master key)
- The private key never leaves the device
From the xpub, Sigvault can:
- Derive all receive and change addresses for the wallet
- Build unsigned transactions (PSBTs)
- Verify signatures after signing
Sigvault cannot sign transactions — that requires the private key, which only exists on your hardware device.
Key Format
User managed keys are stored in the format:

```
[fingerprint/derivation/path]xpub.../<0;1>/*
```

For example:

```
[6fb270de/84'/0'/0']xpub6CUG.../<0;1>/*
```

This encodes:
- `6fb270de` — Device fingerprint
- `84'/0'/0'` — BIP84 derivation path (native SegWit)
- `xpub6CUG...` — Extended public key at that path
- `<0;1>/*` — Multipath notation for receive (0) and change (1) addresses
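As an added example (not Sigvault's own code), here is a small Python parser for this key format. It validates the fingerprint and derivation path, refuses extended private keys, and expands the multipath into separate receive and change key expressions. The class and function names are hypothetical, the sample xpub is a constructed placeholder rather than a real key, and the Base58Check checksum is not verified.

```python
import re
from dataclasses import dataclass

B58 = "1-9A-HJ-NP-Za-km-z"  # Base58 alphabet as a regex character class
KEY_RE = re.compile(
    r"\[(?P<fp>[0-9a-fA-F]{8})(?P<path>(?:/\d+['h]?)*)\]"
    rf"(?P<key>xpub[{B58}]{{107}})"          # 111-character mainnet xpub
    r"/<(?P<branches>\d+(?:;\d+)+)>/\*"      # multipath, e.g. <0;1>/*
)

@dataclass(frozen=True)
class UserManagedKey:  # hypothetical name, not a Sigvault type
    fingerprint: str
    origin_path: tuple
    xpub: str
    branches: tuple

    def expand(self):
        """One single-path key expression per multipath branch."""
        origin = "/".join((self.fingerprint,) + self.origin_path)
        return [f"[{origin}]{self.xpub}/{b}/*" for b in self.branches]

def parse_user_managed_key(expr):
    # Refuse anything carrying an extended private key in the key position.
    if re.search(r"\][a-zA-Z]prv", expr):
        raise ValueError("private key material must never be stored")
    m = KEY_RE.fullmatch(expr)
    if m is None:
        raise ValueError("expected [fingerprint/path]xpub.../<a;b>/*")
    # Normalise the 'h' hardened marker to the apostrophe form.
    steps = tuple(s.replace("h", "'") for s in m["path"].split("/")[1:])
    for s in steps:
        if int(s.rstrip("'")) >= 2**31:
            raise ValueError(f"path index out of range: {s}")
    branches = tuple(int(b) for b in m["branches"].split(";"))
    if len(set(branches)) != len(branches):
        raise ValueError("duplicate multipath branch")
    return UserManagedKey(m["fp"].lower(), steps, m["key"], branches)

# Constructed placeholder: right length and alphabet, NOT a real key.
SAMPLE_XPUB = "xpub" + "A" * 107
SAMPLE = f"[6fb270de/84'/0'/0']{SAMPLE_XPUB}/<0;1>/*"

if __name__ == "__main__":
    for line in parse_user_managed_key(SAMPLE).expand():
        print(line)
```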
Supported Devices
Any supported hardware wallet can provide user managed keys:
| Device | Connection | Notes |
|---|---|---|
| BitBox02 | USB HID | Requires multipath descriptor format |
| Ledger | USB HID | Enforces coin type in derivation paths |
| Trezor | USB HID | Standard BIP32 paths |
| Coldcard | USB / SD card | Standard BIP32 paths |
| SeedSigner | QR code | Air-gapped operation |
| Jade | USB serial | Network-aware authentication |
Security Properties
- Non-custodial — Sigvault cannot sign on your behalf
- Hardware isolation — Private keys exist only in the secure element of your device
- Verification — Hardware wallets display transaction details on their screen before signing, allowing you to verify independently
- Recovery — Your device’s seed phrase (typically 12 or 24 words) is the ultimate backup. Store it securely offline
When to Use User Managed Keys
Use user managed keys when:
- You want full control over your Bitcoin
- You’re setting up personal savings or cold storage
- You need hardware-level security for signing
- You don’t want to trust any third party with signing authority
Compared to System Managed Keys
| | User Managed | System Managed |
|---|---|---|
| Key location | Hardware device | Sigvault server |
| Signing | Requires physical device | Automatic |
| Custody | Non-custodial | Custodial |
| Recovery | Device seed phrase | Managed by system |
| Best for | Personal custody | Automated workflows |
For system-managed alternatives, see System Managed Keys.