Nethereum.KeyStore 5.8.0

Prefix Reserved
.NET 6.0 This package targets .NET 6.0. The package is compatible with this framework or higher. .NET Standard 2.0 This package targets .NET Standard 2.0. The package is compatible with this framework or higher. .NET Framework 4.5.1 This package targets .NET Framework 4.5.1. The package is compatible with this framework or higher. 
dotnet add package Nethereum.KeyStore --version 5.8.0
                    


                    

                
NuGet\Install-Package Nethereum.KeyStore -Version 5.8.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="Nethereum.KeyStore" Version="5.8.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="Nethereum.KeyStore" Version="5.8.0" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="Nethereum.KeyStore" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add Nethereum.KeyStore --version 5.8.0
                    


                    

                
#r "nuget: Nethereum.KeyStore, 5.8.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package Nethereum.KeyStore@5.8.0
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=Nethereum.KeyStore&version=5.8.0
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=Nethereum.KeyStore&version=5.8.0
                    


                            Install as a Cake Tool

Nethereum.KeyStore

Password-encrypted private key storage using the Web3 Secret Storage Definition standard.

Overview

Nethereum.KeyStore implements the Web3 Secret Storage Definition for encrypting and storing Ethereum private keys. This is a standard format for encrypted key storage used across the Ethereum ecosystem.

Key Features:

  • AES-128-CTR encryption with password-derived keys
  • Scrypt KDF (memory-hard, ASIC-resistant)
  • PBKDF2 KDF (legacy, faster but less secure)
  • Configurable KDF parameters for performance tuning
  • JSON serialization/deserialization

Use Cases:

  • Encrypted local key storage
  • Wallet file generation
  • Key import/export between applications
  • Performance-tuned encryption for constrained environments (WASM, mobile)

Installation

dotnet add package Nethereum.KeyStore

Dependencies

Nethereum:

  • Nethereum.Hex - Hex encoding/decoding

External:

  • BouncyCastle.Cryptography or Portable.BouncyCastle (conditional) - Cryptographic operations

Quick Start

using Nethereum.KeyStore;
using Nethereum.Signer;
using Nethereum.Hex.HexConvertors.Extensions;

// Generate a new key
var ecKey = EthECKey.GenerateKey();

// Encrypt and generate keystore JSON
var service = new KeyStoreScryptService();
string password = "testPassword";
string json = service.EncryptAndGenerateKeyStoreAsJson(
    password,
    ecKey.GetPrivateKeyAsBytes(),
    ecKey.GetPublicAddress()
);

// Decrypt later
byte[] privateKey = service.DecryptKeyStoreFromJson(password, json);

Usage Examples

Example 1: Generate Key and Create Keystore (Scrypt)

using Nethereum.KeyStore;
using Nethereum.Signer;
using Nethereum.Hex.HexConvertors.Extensions;

var ecKey = EthECKey.GenerateKey();
var keyStoreScryptService = new KeyStoreScryptService();
string password = "testPassword";

// Encrypt and serialize to JSON
string json = keyStoreScryptService.EncryptAndGenerateKeyStoreAsJson(
    password,
    ecKey.GetPrivateKeyAsBytes(),
    ecKey.GetPublicAddress()
);

// Save to file
File.WriteAllText($"keystore-{ecKey.GetPublicAddress()}.json", json);

// Decrypt to verify
byte[] key = keyStoreScryptService.DecryptKeyStoreFromJson(password, json);
Assert.Equal(ecKey.GetPrivateKey(), key.ToHex(true));

Example 2: Custom Scrypt Parameters (Performance Tuning)

using Nethereum.KeyStore;
using Nethereum.KeyStore.Model;
using Nethereum.Signer;
using Nethereum.Hex.HexConvertors.Extensions;

var keyStoreService = new KeyStoreScryptService();

// Lower N for faster encryption (WASM, mobile, testing)
// Default: N=262144, R=1, P=8, Dklen=32
var scryptParams = new ScryptParams { Dklen = 32, N = 32, R = 1, P = 8 };

var ecKey = EthECKey.GenerateKey();
string password = "testPassword";

// Encrypt with custom parameters
var keyStore = keyStoreService.EncryptAndGenerateKeyStore(
    password,
    ecKey.GetPrivateKeyAsBytes(),
    scryptParams.N,
    scryptParams.R,
    scryptParams.P,
    null // salt (null = auto-generate)
);

// Serialize to JSON
string json = keyStoreService.SerializeKeyStoreToJson(keyStore);

// Decrypt
byte[] decryptedKey = keyStoreService.DecryptKeyStoreFromJson(password, json);

Example 3: Decrypt Existing Keystore (Scrypt)

using Nethereum.KeyStore;
using Nethereum.Hex.HexConvertors.Extensions;

var scryptKeyStoreJson = @"{
    ""crypto"" : {
        ""cipher"" : ""aes-128-ctr"",
        ""cipherparams"" : {
            ""iv"" : ""83dbcc02d8ccb40e466191a123791e0e""
        },
        ""ciphertext"" : ""d172bf743a674da9cdad04534d56926ef8358534d458fffccd4e6ad2fbde479c"",
        ""kdf"" : ""scrypt"",
        ""kdfparams"" : {
            ""dklen"" : 32,
            ""n"" : 262144,
            ""r"" : 1,
            ""p"" : 8,
            ""salt"" : ""ab0c7876052600dd703518d6fc3fe8984592145b591fc8fb5c6d43190334ba19""
        },
        ""mac"" : ""2103ac29920d71da29f15d75b4a16dbe95cfd7ff8faea1056c33131d846e3097""
    },
    ""id"" : ""3198bc9c-6672-5ab3-d995-4942343ae5b6"",
    ""version"" : 3
}";

string password = "testpassword";
var keyStoreScryptService = new KeyStoreScryptService();

// Deserialize and decrypt
var keyStore = keyStoreScryptService.DeserializeKeyStoreFromJson(scryptKeyStoreJson);
byte[] privateKey = keyStoreScryptService.DecryptKeyStore(password, keyStore);

Console.WriteLine($"Private Key: {privateKey.ToHex()}");
// Output: 7a28b5ba57c53603b0b07b56bba752f7784bf506fa95edc395f5cf6c7514fe9d

Example 4: PBKDF2 Keystore (Legacy)

using Nethereum.KeyStore;
using Nethereum.Signer;
using Nethereum.Hex.HexConvertors.Extensions;

var ecKey = EthECKey.GenerateKey();
var keyStorePbkdf2Service = new KeyStorePbkdf2Service();
string password = "testPassword";

// Encrypt with PBKDF2 (faster but less secure than Scrypt)
string json = keyStorePbkdf2Service.EncryptAndGenerateKeyStoreAsJson(
    password,
    ecKey.GetPrivateKeyAsBytes(),
    ecKey.GetPublicAddress()
);

// Decrypt
byte[] key = keyStorePbkdf2Service.DecryptKeyStoreFromJson(password, json);
Assert.Equal(ecKey.GetPrivateKey(), key.ToHex(true));

Example 5: Detect KDF Type

using Nethereum.KeyStore;

string keystoreJson = File.ReadAllText("wallet.json");
var keyStoreKdfChecker = new KeyStoreKdfChecker();

var kdfType = keyStoreKdfChecker.GetKeyStoreKdfType(keystoreJson);

if (kdfType == KeyStoreKdfChecker.KdfType.scrypt)
{
    var service = new KeyStoreScryptService();
    byte[] privateKey = service.DecryptKeyStoreFromJson(password, keystoreJson);
}
else if (kdfType == KeyStoreKdfChecker.KdfType.pbkdf2)
{
    var service = new KeyStorePbkdf2Service();
    byte[] privateKey = service.DecryptKeyStoreFromJson(password, keystoreJson);
}

Example 6: Default Keystore Service

using Nethereum.KeyStore;
using Nethereum.Signer;
using Nethereum.Hex.HexConvertors.Extensions;

var ecKey = EthECKey.GenerateKey();
var keyStoreService = new KeyStoreService();
string password = "testPassword";

// Uses default Scrypt parameters
string json = keyStoreService.EncryptAndGenerateDefaultKeyStoreAsJson(
    password,
    ecKey.GetPrivateKeyAsBytes(),
    ecKey.GetPublicAddress()
);

byte[] key = keyStoreService.DecryptKeyStoreFromJson(password, json);
Assert.Equal(ecKey.GetPrivateKey(), key.ToHex(true));

API Reference

KeyStoreScryptService

Scrypt-based keystore encryption (recommended).

public class KeyStoreScryptService
{
    // Encrypt and generate JSON (default parameters)
    public string EncryptAndGenerateKeyStoreAsJson(string password, byte[] privateKey, string address);

    // Encrypt with custom Scrypt parameters
    public KeyStore<ScryptParams> EncryptAndGenerateKeyStore(
        string password,
        byte[] privateKey,
        int n, int r, int p,
        byte[] salt = null
    );

    // Serialize keystore to JSON
    public string SerializeKeyStoreToJson(KeyStore<ScryptParams> keyStore);

    // Deserialize JSON to keystore
    public KeyStore<ScryptParams> DeserializeKeyStoreFromJson(string json);

    // Decrypt from JSON
    public byte[] DecryptKeyStoreFromJson(string password, string json);

    // Decrypt from keystore object
    public byte[] DecryptKeyStore(string password, KeyStore<ScryptParams> keyStore);
}

Default Scrypt Parameters:

N = 262144  // CPU/memory cost (2^18)
R = 1       // Block size
P = 8       // Parallelization
Dklen = 32  // Derived key length

KeyStorePbkdf2Service

PBKDF2-based keystore encryption (legacy).

public class KeyStorePbkdf2Service
{
    // Same methods as KeyStoreScryptService but using PBKDF2
    public string EncryptAndGenerateKeyStoreAsJson(string password, byte[] privateKey, string address);
    public KeyStore<Pbkdf2Params> DeserializeKeyStoreFromJson(string json);
    public byte[] DecryptKeyStoreFromJson(string password, string json);
    public byte[] DecryptKeyStore(string password, KeyStore<Pbkdf2Params> keyStore);
}

KeyStoreService

Unified service with default encryption.

public class KeyStoreService
{
    // Encrypt with default Scrypt parameters
    public string EncryptAndGenerateDefaultKeyStoreAsJson(string password, byte[] privateKey, string address);

    // Decrypt (auto-detects KDF type)
    public byte[] DecryptKeyStoreFromJson(string password, string json);
}

KeyStoreKdfChecker

Detect KDF type from JSON.

public class KeyStoreKdfChecker
{
    public enum KdfType { scrypt, pbkdf2 }

    public KdfType GetKeyStoreKdfType(string json);
    public bool IsScryptKdf(string json);
    public bool IsPbkdf2Kdf(string json);
}

Model Classes

public class ScryptParams
{
    public int Dklen { get; set; }  // Derived key length (32)
    public int N { get; set; }      // CPU/memory cost (262144)
    public int R { get; set; }      // Block size (1)
    public int P { get; set; }      // Parallelization (8)
    public string Salt { get; set; } // Random salt (hex)
}

public class Pbkdf2Params
{
    public int Dklen { get; set; }  // Derived key length (32)
    public int C { get; set; }      // Iteration count (262144)
    public string Prf { get; set; } // PRF algorithm (hmac-sha256)
    public string Salt { get; set; } // Random salt (hex)
}

public class KeyStore<TKdfParams>
{
    public CryptoInfo<TKdfParams> Crypto { get; set; }
    public string Id { get; set; }      // UUID
    public int Version { get; set; }    // Always 3
    public string Address { get; set; } // Ethereum address (optional)
}

Scrypt Parameter Tuning

Default Parameters (Desktop/Server)

N = 262144  // 2^18 - Strong security, ~100ms encryption
R = 1
P = 8

Use for: Desktop applications, servers, production wallets

Low-Cost Parameters (WASM/Mobile/Testing)

N = 32      // 2^5 - Fast encryption, weaker security
R = 1
P = 8

Use for: Browser WASM, mobile apps, development/testing

High-Security Parameters

N = 1048576  // 2^20 - Very strong security, ~3s encryption
R = 8
P = 1

Use for: Cold storage, high-value accounts, paranoid security

Parameter Effects

Parameter Effect Security Impact Performance Impact
N CPU/memory cost Exponential Exponential
R Block size Linear Linear
P Parallelization Linear Linear (if parallel)

N dominates: Doubling N doubles time and memory. N=262144 uses ~256MB RAM.

Web3 Secret Storage Format

Keystore JSON structure:

{
  "crypto": {
    "cipher": "aes-128-ctr",
    "cipherparams": { "iv": "..." },
    "ciphertext": "...",
    "kdf": "scrypt",
    "kdfparams": {
      "dklen": 32,
      "n": 262144,
      "r": 1,
      "p": 8,
      "salt": "..."
    },
    "mac": "..."
  },
  "id": "3198bc9c-6672-5ab3-d995-4942343ae5b6",
  "version": 3
}

Fields:

  • cipher: Always aes-128-ctr
  • ciphertext: Encrypted private key
  • kdf: scrypt or pbkdf2
  • kdfparams: KDF configuration
  • mac: HMAC for integrity verification
  • version: Always 3

Important Notes

Scrypt vs PBKDF2

Feature Scrypt PBKDF2
Security Memory-hard, ASIC-resistant CPU-only, ASIC-vulnerable
Speed Slower (~100ms default) Faster (~50ms)
Recommendation Use this Legacy only

Use Scrypt unless you need compatibility with very old systems.

File Naming Convention

Standard naming convention used across Ethereum tools:

UTC--<created_at UTC ISO8601>--<address hex>

Example:

UTC--2024-01-15T10-30-45.123Z--0x12890d2cce102216644c59dae5baed380d84830c

Security Considerations

  1. Password strength is critical - No KDF can protect weak passwords
  2. N parameter tradeoff - Higher N = more secure but slower
  3. Salt is auto-generated - Uses cryptographically secure random bytes
  4. MAC prevents tampering - Detects modified ciphertext
  5. AES-128-CTR - Standard encryption mode, secure when properly implemented

Used By

  • Nethereum.Accounts - Account management with keystore loading

Dependencies

  • Nethereum.Hex - Hex encoding/decoding

Additional Resources

Product Compatible and additional computed target framework versions.
.NET net5.0 was computed.  net5.0-windows was computed.  net6.0 is compatible.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 is compatible.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 was computed.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
.NET Core netcoreapp2.0 was computed.  netcoreapp2.1 was computed.  netcoreapp2.2 was computed.  netcoreapp3.0 was computed.  netcoreapp3.1 was computed. 
.NET Standard netstandard2.0 is compatible.  netstandard2.1 was computed. 
.NET Framework net451 is compatible.  net452 was computed.  net46 was computed.  net461 is compatible.  net462 was computed.  net463 was computed.  net47 was computed.  net471 was computed.  net472 was computed.  net48 was computed.  net481 was computed. 
MonoAndroid monoandroid was computed. 
MonoMac monomac was computed. 
MonoTouch monotouch was computed. 
Tizen tizen40 was computed.  tizen60 was computed. 
Xamarin.iOS xamarinios was computed. 
Xamarin.Mac xamarinmac was computed. 
Xamarin.TVOS xamarintvos was computed. 
Xamarin.WatchOS xamarinwatchos was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages (14)

Showing the top 5 NuGet packages that depend on Nethereum.KeyStore:

Package Downloads
Nethereum.Web3

Nethereum.Web3 Ethereum Web3 Class Library to interact via RPC with an Ethereum client, for example geth. Including contract interaction, deployment, transaction, encoding / decoding and event filters
Nethereum.Accounts

Nethereum.Accounts Ethereum Accounts and Transaction Managers Class Library
Nethereum

Package Description
AElf.Client

This is a C# client library, used to communicate with the AElf API.
AElf.OS

Main module for the OS layer.

GitHub repositories (2)

Showing the top 2 popular GitHub repositories that depend on Nethereum.KeyStore:

Repository Stars
AElfProject/AElf
An AI-enhanced cloud-native layer-1 blockchain network. 
biheBlockChain/MyLinkToken
开源链克口袋,玩客币钱包
Version Downloads Last Updated
5.8.0 869 1/6/2026
5.0.0 295,206 5/28/2025
4.29.0 202,181 2/10/2025
4.28.0 71,395 1/7/2025
4.27.1 12,492 12/24/2024
4.27.0 1,678 12/24/2024
4.26.0 98,633 10/1/2024
4.25.0 22,782 9/19/2024
4.21.4 96,688 8/9/2024
4.21.3 11,567 7/22/2024
4.21.2 69,368 6/26/2024
4.21.1 2,696 6/26/2024
4.21.0 10,399 6/18/2024
4.20.0 316,070 3/28/2024
4.19.0 74,031 2/16/2024
4.18.0 271,037 11/21/2023
4.17.1 77,062 9/28/2023
4.17.0 16,546 9/27/2023
4.16.0 117,356 8/14/2023
4.15.2 123,526 7/11/2023
4.15.1 3,474 7/11/2023
4.15.0 4,019 7/11/2023
4.14.0 189,203 3/19/2023
4.13.0 132,840 2/18/2023
4.12.0 267,867 12/9/2022
4.11.0 173,117 10/27/2022
4.9.0 111,938 9/27/2022
4.8.0 178,770 8/24/2022
4.7.0 151,034 7/20/2022
4.6.1 132,413 6/18/2022
4.6.0 9,104 6/16/2022
4.5.0 468,614 5/13/2022
4.4.1 104,954 4/27/2022
4.4.0 12,663 4/27/2022
4.3.0 63,365 4/12/2022
4.2.0 174,464 2/18/2022
4.1.1 487,135 11/4/2021
4.1.0 28,955 10/15/2021
4.0.5 138,025 8/12/2021
4.0.4 7,152 8/10/2021
4.0.3 7,125 8/8/2021
4.0.2 6,251 8/5/2021
4.0.1 11,929 7/28/2021
4.0.0 17,232 7/26/2021
3.8.0 408,858 7/3/2020
3.7.1 128,130 2/13/2020
3.7.0 10,202 2/13/2020
3.6.0 33,578 1/27/2020
3.5.0 40,827 12/31/2019
3.4.0 185,014 7/29/2019
3.3.0 95,457 4/23/2019
3.2.0 44,520 4/8/2019
3.1.2 23,299 3/13/2019
3.1.1 6,192 3/12/2019
3.1.0 26,947 3/12/2019
3.0.0 37,426 11/28/2018
3.0.0-rc3 6,175 10/25/2018
3.0.0-rc2 3,952 10/24/2018
3.0.0-rc1 9,346 7/25/2018
2.5.1 105,700 6/5/2018
2.5.0 6,461 6/4/2018
2.4.0 52,822 3/11/2018
2.3.1 8,085 3/7/2018
2.3.0 6,481 3/6/2018
2.2.3 18,941 12/16/2017
2.2.2 6,198 12/16/2017
2.2.0 6,518 12/8/2017
2.1.0 11,824 10/23/2017
2.0.1 6,167 10/4/2017
2.0.0 6,751 9/26/2017
2.0.0-rc7 4,474 8/17/2017
2.0.0-rc6-2 4,158 7/29/2017
2.0.0-rc6.1 1,039 7/26/2017
2.0.0-rc5 3,130 6/19/2017
2.0.0-rc4 4,114 6/6/2017
2.0.0-rc3 3,849 4/11/2017
2.0.0-rc2-fix 3,252 4/6/2017
2.0.0-rc2 2,078 4/5/2017
2.0.0-rc1 4,060 2/8/2017
1.0.3 2,961 2/3/2017
1.0.2 2,475 1/31/2017
1.0.1 2,641 12/10/2016
1.0.0 2,611 11/28/2016