This guide walks through importing existing private keys into Dfns from another custody provider.
We recommend creating new wallets and transferring funds instead of importing keys. See when to import vs create new for guidance on whether key import is the right approach for your situation.

Prerequisites

  • Existing organization with key import enabled (contact your account team)
  • Service account with Signers:ListSigners, Keys:Import, and Wallets:Create permissions
  • Private keys exported from your current provider

Planning your migration

Before importing keys, plan your approach:

Supported key formats

Format | Description | Use case
Raw hex | 32-byte hex-encoded private key | Individual wallet keys
BIP-39 seed phrase | 12 or 24 word mnemonic | Master seeds
BIP-32 xprv | Extended private key | HD wallet roots

Import process

See how import works for details on how the SDK secures your keys during import.
1. Get your existing private key

Extract the private key from your current custody provider in one of the supported formats. See below for examples.

2. Split, encrypt and transmit

Use the SDK import example to split your key into encrypted shares client-side and send the encrypted shares to Dfns. The complete private key never leaves your machine.

3. Create wallets

Create wallets on specific networks using the imported key. You can create wallets on all compatible networks using the same key so that they share the same address. Note that the first wallet for a newly imported key can only be created via the API, using the Create Wallet endpoint. For subsequent wallets, you can use the API or the dashboard.

4. Verify

Confirm the wallet address matches your source. Consider a small test transaction before production use.
See the SDK import example for a complete working implementation.

Provider-specific instructions

Fireblocks uses HD (hierarchical deterministic) wallets with a master key from which individual wallet keys are derived. You can import the master key into Dfns and then create derived wallets using the same derivation paths.

Fireblocks key structure

Fireblocks follows BIP-44 derivation paths:
m/44'/coinType'/account'/0/0
Where coinType is the asset identifier (0 for Bitcoin, 60 for Ethereum) and account is the vault account ID.

Export and import process
1. Obtain your Recovery Kit

Request your Recovery Kit from Fireblocks. This encrypted backup contains your workspace keys.

2. Run the Recovery Utility

On an airgapped machine, use the Fireblocks Recovery Utility to decrypt the kit. This produces your extended keys:
  • ECDSA keys (secp256k1): standard xprv format
  • EdDSA keys (ed25519): Fireblocks-specific format

3. Import master key to Dfns

Use the HD wallet import example to import your master key and create derived wallets with the appropriate paths.
For EdDSA keys (ed25519), you must set secretScalar: true when importing. See the example code for reference.

4. Verify addresses

After importing, verify that the derived wallet addresses match your Fireblocks wallet addresses.
Import operations should be performed on a secure, isolated machine. Handle private keys with extreme care and securely delete any temporary files after import.
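
For the "Verify addresses" step, the sketch below computes offline the secp256k1 public key expected at m/44'/coinType'/account'/0/0 for a given vault account, so there is an independent reference for the key behind each derived wallet. It is an added example, not Dfns or Fireblocks code; the function names are hypothetical, it assumes the xprv has already been decoded into its 32-byte key and chain code, it does not cover the ed25519 format, and turning the public key into an address is chain-specific and not shown.

```python
import hashlib, hmac

# secp256k1 domain parameters (public constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000

def _add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] ** 2, 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    m = num * pow(den % P, -1, P) % P
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def pubkey(k):
    """Compressed public key for scalar k. Not constant-time: offline checks only."""
    acc, pt = None, G
    while k:
        acc = _add(acc, pt) if k & 1 else acc
        pt, k = _add(pt, pt), k >> 1
    return bytes([2 + (acc[1] & 1)]) + acc[0].to_bytes(32, "big")

def ckd_priv(k, chain, index):
    """BIP-32 private child derivation (index >= 2**31 means hardened)."""
    data = b"\x00" + k.to_bytes(32, "big") if index >= HARDENED else pubkey(k)
    digest = hmac.new(chain, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    child = (il + k) % N
    if il >= N or child == 0:
        raise ValueError("invalid child key at this index")
    return child, digest[32:]

def expected_pubkey(master_key, chain, coin_type, vault_account):
    """Public key at m/44'/coinType'/account'/0/0 for one vault account."""
    path = [44 + HARDENED, coin_type + HARDENED, vault_account + HARDENED, 0, 0]
    k = master_key
    for index in path:
        k, chain = ckd_priv(k, chain, index)
    return pubkey(k)

# Constructed sample: master material from a throwaway seed, never a real key.
_i = hmac.new(b"Bitcoin seed", bytes(range(16)), hashlib.sha512).digest()
SAMPLE_KEY, SAMPLE_CHAIN = int.from_bytes(_i[:32], "big"), _i[32:]
```

Calling expected_pubkey(SAMPLE_KEY, SAMPLE_CHAIN, 60, 0) gives the key for Ethereum in vault account 0; run it only on the same isolated machine that holds the recovered key material.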