Overview
DynamicEvmWalletClient::export_private_key returns the wallet’s raw 32-byte EVM private key as 0x-prefixed hex. The MPC export ceremony returns an xpriv; the SDK then derives the final private key at the wallet’s BIP-44 path.
Once exported, the raw private key bypasses MPC — any holder of the key can sign without your server’s involvement. Treat it as a one-way operation. Only use it for migration or disaster recovery, and rotate / abandon the wallet afterward.
Prerequisites
Export the Key
use dynamic_waas_sdk_evm::DynamicEvmWalletClient;
let evm = DynamicEvmWalletClient::new(&client);
let private_key_hex = evm
.export_private_key(&wallet_properties, &external_server_key_shares)
.await?;
// 0x-prefixed 32-byte hex, e.g. "0xabcd…"
println!("Private key: {private_key_hex}");
Verifying the exported key
The exported key should derive the same address as wallet_properties.account_address. With alloy:
use alloy_primitives::{hex, Address};
use k256::ecdsa::SigningKey;
let bytes = hex::decode(private_key_hex.strip_prefix("0x").unwrap())?;
let signing_key = SigningKey::from_slice(&bytes)?;
let verifying_key = signing_key.verifying_key();
let derived: Address = Address::from_public_key(verifying_key);
assert_eq!(
derived.to_checksum(None),
wallet_properties.account_address,
);
Best Practices
- Treat exports as a one-way operation — don’t use the same wallet through MPC after exporting; rotate to a fresh wallet.
- Never log the key — redact it from all logs and error messages.
- Zero memory after use —
zeroize::Zeroize the String once you’ve forwarded it to its destination.
- Transport over TLS only — never send the key over an unencrypted channel.
