Your Veil keypair gives you access to, and control over, your funds in the pool. It has two parts: a deposit key (public) and a private key. The keypair is derived and stored on your device; private keys never leave the client and can be encrypted at rest with a password.
Deposit key (public)
The deposit key is derived from your private key and is used to identify you for private transfers. When you register on Veil, you publish this key on-chain and link it to your Ethereum address. Senders use your deposit key to encrypt transfer outputs so that only you can decrypt them. The deposit key can be shared; it is already associated with your wallet in the Veil Entry contract.
Private key
The private key is used to decrypt your incoming deposits and transfers and to authorize spending your shielded balance. It must be kept secret. Anyone with your private key has full control of your funds in the pool.
How you get a keypair
There are three ways to create a keypair:
- Sign a message: the app derives your keypair deterministically from an EOA wallet signature. The same wallet always produces the same keypair, so you can recover access from any device.
- Passkey: use a passkey (biometrics, security key, or platform authenticator) to derive your keypair via the WebAuthn PRF extension. The key is bound to the Veil origin and your connected wallet address. It works on any device where the same passkey is synced (iCloud Keychain, Google Password Manager, 1Password, etc.).
- Import your own key: generate or import a private key directly and use it to derive the rest of the keypair yourself.
Each method produces a different keypair for the same wallet. A passkey-derived key is not the same as a signature-derived key. Pick one method and use it consistently, or back up your private key so you can switch via import.
Back up your private key via the wallet button and the Key Management section. Without a backup, loss of access to the key means loss of access to your shielded funds.
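The sketch below is an added example, not Veil's own code or its actual derivation. It shows one way a client could turn a wallet signature or a WebAuthn PRF output into a keypair so that the same input always gives the same key while each method and wallet gets a different one. The HKDF labels, the use of X25519 for the public half, the origin string and the sample inputs are all assumptions.

```javascript
// Added illustration; NOT Veil's derivation. Labels, curve and inputs are assumptions.
const { hkdfSync, createPrivateKey, createPublicKey } = require("node:crypto");

const DOMAIN = Buffer.from("example-keypair-derivation-v1"); // hypothetical HKDF salt
// DER header for a PKCS#8-wrapped raw X25519 private key (RFC 8410).
const X25519_PKCS8_PREFIX = Buffer.from("302e020100300506032b656e04220420", "hex");

// method: "signature" | "passkey"
// secret: wallet signature bytes, or the 32-byte WebAuthn PRF output.
// Signature-based recovery only works if the wallet signs deterministically
// (RFC 6979); a randomized signer would yield a new key on every attempt.
function deriveKeypair(method, secret, origin, walletAddress) {
  if (!["signature", "passkey"].includes(method)) throw new Error("unknown method");
  if (!Buffer.isBuffer(secret) || secret.length < 32) throw new Error("secret too short");
  // Binding method, origin and wallet into `info` gives each combination its own key.
  const info = Buffer.from([method, origin, walletAddress.toLowerCase()].join("|"));
  const privateKey = Buffer.from(hkdfSync("sha256", secret, DOMAIN, info, 32));
  const keyObject = createPrivateKey({
    key: Buffer.concat([X25519_PKCS8_PREFIX, privateKey]),
    format: "der",
    type: "pkcs8",
  });
  // The public half is computed from the private half and is safe to publish.
  const spki = createPublicKey(keyObject).export({ format: "der", type: "spki" });
  return {
    privateKey: privateKey.toString("hex"),
    depositKey: spki.subarray(-32).toString("hex"),
  };
}

// Constructed sample inputs (not real signatures or authenticator output).
const ORIGIN = "https://veil.example";
const WALLET = "0x000000000000000000000000000000000000dEaD";
const sampleSignature = Buffer.alloc(65, 0x11);
const samplePrfOutput = Buffer.alloc(32, 0x22);

const fromSignature = deriveKeypair("signature", sampleSignature, ORIGIN, WALLET);
const fromPasskey = deriveKeypair("passkey", samplePrfOutput, ORIGIN, WALLET);
console.log("signature-derived deposit key:", fromSignature.depositKey);
console.log("passkey-derived deposit key:  ", fromPasskey.depositKey);
```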
Example keypair
