Key Management
Generate, import, export, and encrypt private keys with Platform CLI
Platform CLI stores keys in ~/.platform/keys/ with AES-256-GCM encryption enabled by default. Keys are encrypted using Argon2id key derivation with a user-provided password.
Generating Keys
Create a new random secp256k1 key:
# Generate an encrypted key (default, prompts for password)
platform keys generate --name mykey
# Generate an unencrypted key (unsafe, not recommended)
platform keys generate --name mykey --encrypt=falseOutput:
Key generated successfully!
Name: mykey
P-Chain: P-fuji1abc123...
EVM: 0xdef456...
Encrypted: true
Default: yes
WARNING: Back up your key! Use 'platform keys export' to view the private key.Importing Keys
Import an existing private key:
# Import and encrypt (default)
platform keys import --name mykey --private-key "PrivateKey-..."
# Import with hidden input prompt (encrypted by default)
platform keys import --name mykey
# Import without encryption (unsafe)
platform keys import --name mykey --encrypt=falseAccepted key formats:
- CB58:
PrivateKey-ewoq...(Avalanche standard) - Hex:
0x56289e99...(Ethereum-style)
Listing Keys
# Basic listing
platform keys list
# Include addresses
platform keys list --show-addressesOutput:
NAME ENCRYPTED DEFAULT P-CHAIN EVM CREATED
mykey yes * P-fuji1abc123... 0xdef456... 2026-01-15
testkey no P-fuji1xyz789... 0xabc123... 2026-01-10
Total: 2 key(s)Exporting Keys
Export a private key to a file (recommended) or stdout:
# Export to file with secure permissions (0600)
platform keys export --name mykey --output-file ./mykey.txt
# Export in hex format to file
platform keys export --name mykey --format hex --output-file ./mykey.hex
# Export to stdout (requires explicit opt-in)
platform keys export --name mykey --unsafe-stdoutIf the key is encrypted, you'll be prompted for the password. Set PLATFORM_CLI_KEY_PASSWORD to skip the prompt in scripts.
Deleting Keys
# Delete with confirmation prompt
platform keys delete --name mykey
# Delete without confirmation
platform keys delete --name mykey --forceDeletion is irreversible. Ensure you have a backup first.
Default Key
Set a default key to avoid specifying --key-name on every command:
# Set default
platform keys default --name mykey
# Show current default
platform keys defaultBuilt-in Test Key: ewoq
Platform CLI includes the well-known ewoq test key for local development:
platform wallet address --key-name ewoqThe ewoq key is pre-funded on local networks. Platform CLI blocks its use on mainnet for safety.
Ledger Hardware Wallet
Build with Ledger support and use the --ledger flag:
go build -tags ledger -o platform .
# Use Ledger for any command
platform wallet address --ledger
platform transfer send --to P-fuji1... --amount 10 --ledger
# Use a different address index
platform wallet balance --ledger --ledger-index 1Security Best Practices
- Keys are encrypted by default - only use
--encrypt=falsefor throwaway test keys - Use strong passwords (minimum 8 characters required)
- Back up keys immediately after generation
- Use environment variables (
AVALANCHE_PRIVATE_KEY,PLATFORM_CLI_KEY_PASSWORD) for CI/CD - Consider Ledger for high-value mainnet operations
Next Steps
Is this guide helpful?