Skip to main content

Basics

When you sign up for CoinWave, you receive a 12-word recovery passphrase. This is the only way to recover your account if you lose access. We never store your passphrase. We only store a mathematical fingerprint (hash) of it that lets us verify it’s correct. It can’t be reversed to reveal your actual words.

How are wallets secured

Your wallet private keys are encrypted using two separate secrets that must be combined:
SecretWhere It LivesWho Has It
Server KeyHSM (Hardware Security Module)CoinWave
Client SecretEncrypted in our databaseUnique to you
To decrypt a wallet, both secrets are required. If an attacker steals our database, they get encrypted data that’s useless without the server key. If they somehow breach the HSM, they still need your individual client secret. 
YourWalletKey = Decrypt(ServerKey + Your Client Secret + EncryptedWallet)

Things that happen during signup

  1. You’re shown a 12-word recovery passphrase (save this!)
  2. We hash your passphrase with Argon2id (for verification only)
  3. We generate a random client secret just for you
  4. Your client secret is encrypted with our server key and stored

When you create a wallet

  1. We decrypt your client secret using our server key
  2. Your new wallet’s private key is encrypted using both keys
  3. The encrypted wallet is stored in a separate database

When you try to access your wallet

  1. Your request goes to our private API
  2. We decrypt your client secret
  3. We decrypt your wallet using both keys
  4. The decrypted key is sent to you for signing

Security Layers

HSM

Our server key is stored in a Hardware Security Module (HSM).

Database Separation

We use two separate databases:
  • Primary: Your account info and encrypted client secrets
  • Secondary: Your encrypted wallets (no identifying info)
An attacker would need to breach both to even attempt decryption.

Private Network

Our databases have no public internet access. All requests go through hardened API gateways with rate limiting and monitoring.

Key Rotation

We periodically rotate our server key. When this happens, all client secrets and wallets are automatically re-encrypted with the new key, and old encrypted data is deleted.