PrimeVault FAQs
Private Keys and Who Holds Them
3 min
What is a wallet private key in blockchains?

On a blockchain, a "wallet" isn't really a file or an app. It's an account on the network identified by a public address (for example, 0x1234…). Behind that address there is a secret number called a private key.

The public address is like your email address: you can share it with others so they can send funds to it. The private key is more like a powerful, unguessable password combined with a stamp: it lets you create valid signatures that the network accepts as authorization to move funds from that address. Whoever can produce a signature with that key can move the funds, which is why the question of who holds it matters.

Who holds the private keys, where, and how?

With PrimeVault, there are two different kinds of keys to think about:

- the private keys that actually move funds on chain
- the approver device keys that your team uses to approve actions

They are kept in different places and used for different purposes.

a) Private keys (the ones that control the wallet)

These are the keys that correspond to your on-chain wallet addresses. In PrimeVault:

- These keys are generated inside secure hardware environments (trusted execution environments, or TEEs).
- They are never exported in plaintext, written to disk, or shown to any human.
- The key is split across multiple TEEs using MPC (multi-party computation), so no single machine ever has the full key.

When a transaction needs to be signed:

- Your policies and approvals are checked by the secure policy engine running inside the enclave(s).
- Only if the rules pass does the MPC group produce a signature.
- The signature is returned; the underlying private key never leaves the enclaves.

So the answer to "who holds the blockchain private keys?" in our model is: they live inside attested enclaves and MPC nodes, bound to your workspace and policies. No individual person, including PrimeVault staff, ever sees or exports those keys in plaintext.

You retain effective control because your entity owns the workspace and vaults, your team defines the policies, and your approvers' devices are the only way to satisfy those policies.

b) Approver device keys (the ones your team holds)

Separately, each human approver also has their own keypair on their phone. When a user is onboarded, the PrimeVault mobile app creates a keypair on the device, inside the phone's secure hardware (Secure Enclave / Android Keystore). The private part of that key never leaves the device. The public part is registered with PrimeVault so the system knows which approvals are valid.

When that user approves a transfer, policy change, or automation:

- They see the request on their phone.
- Their device signs the approval.
- The platform verifies that the approval came from a registered device and then lets the enclave/MPC proceed with the actual on-chain signature.
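The approver-device flow above, as an added example that is not PrimeVault's own code and makes no claim about its wire format or internals. It models one registered Ed25519 keypair per device, a platform that stores only the public halves, and an M-of-N policy check that fails closed on an unregistered device, a bad signature, a tampered request, or the same device signing twice. The ApprovalRequest fields, device names and the 2-of-N threshold are assumptions chosen for the illustration; on a real phone the private key would sit in the secure enclave / keystore and only ever be asked to sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// ApprovalRequest is the payload an approver device signs.
// The field set is an illustrative assumption, not PrimeVault's wire format.
type ApprovalRequest struct {
	RequestID string `json:"request_id"`
	Action    string `json:"action"`
	Vault     string `json:"vault"`
	To        string `json:"to"`
	Amount    string `json:"amount"`
}

// Approval is one device's signature over the canonical request bytes.
type Approval struct {
	DeviceID string
	Sig      []byte
}

// Device models an approver's phone: the private key is generated here and
// never leaves the struct (a stand-in for the secure enclave / keystore).
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// PublicKey is the only key material handed to the platform at onboarding.
func (d *Device) PublicKey() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

// Approve signs the canonical encoding of the request the user was shown.
func (d *Device) Approve(req ApprovalRequest) (Approval, error) {
	msg, err := canonical(req)
	if err != nil {
		return Approval{}, err
	}
	return Approval{DeviceID: d.ID, Sig: ed25519.Sign(d.priv, msg)}, nil
}

// canonical gives device and platform one deterministic byte string to sign
// and verify; encoding/json emits struct fields in declaration order.
func canonical(req ApprovalRequest) ([]byte, error) {
	return json.Marshal(req)
}

// Platform stores registered device public keys and the approval threshold.
type Platform struct {
	registered map[string]ed25519.PublicKey
	threshold  int
}

func NewPlatform(threshold int) *Platform {
	return &Platform{registered: map[string]ed25519.PublicKey{}, threshold: threshold}
}

// Register records a device's public key once, at onboarding.
func (p *Platform) Register(id string, pub ed25519.PublicKey) {
	p.registered[id] = pub
}

// CheckPolicy returns nil only when at least threshold distinct registered
// devices produced valid signatures over exactly this request. Only then
// would the enclave/MPC group be asked for the on-chain signature.
func (p *Platform) CheckPolicy(req ApprovalRequest, approvals []Approval) error {
	msg, err := canonical(req)
	if err != nil {
		return err
	}
	seen := map[string]bool{}
	for _, a := range approvals {
		pub, ok := p.registered[a.DeviceID]
		if !ok {
			return fmt.Errorf("approval from unregistered device %q", a.DeviceID)
		}
		if !ed25519.Verify(pub, msg, a.Sig) {
			return fmt.Errorf("invalid signature from device %q", a.DeviceID)
		}
		seen[a.DeviceID] = true // a device counts once, however often it signs
	}
	if len(seen) < p.threshold {
		return fmt.Errorf("%d valid approvals, policy requires %d", len(seen), p.threshold)
	}
	return nil
}

func main() {
	alice, _ := NewDevice("alice-phone")
	bob, _ := NewDevice("bob-phone")
	platform := NewPlatform(2)
	platform.Register(alice.ID, alice.PublicKey())
	platform.Register(bob.ID, bob.PublicKey())
	req := ApprovalRequest{RequestID: "req-1", Action: "transfer", Vault: "treasury", To: "0x1234", Amount: "10.0"}
	a1, _ := alice.Approve(req)
	a2, _ := bob.Approve(req)
	fmt.Println("2-of-2 valid:", platform.CheckPolicy(req, []Approval{a1, a2}))
	tampered := req
	tampered.Amount = "1000.0"
	fmt.Println("tampered request:", platform.CheckPolicy(tampered, []Approval{a1, a2}))
}
```

The point to notice is that the platform never holds a device private key; it holds only public keys, so a compromised platform can refuse approvals but cannot forge them. Signing the exact request bytes the user saw is what makes "the device approved this" meaningful: changing the amount after approval invalidates every signature collected.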