This is a functional Owner Key Certificate for a real account on the EOS network. We loaded 1000 of our own EOS onto this account but left out the 6-word encryption secret to illustrate the security of these certificates.


These certificates are part of the new Account Creation process being developed for Anchor. Upon account creation, new users will securely generate their account keys and be prompted to print this sheet or save it. Users will handwrite the 6-word encryption key directly on the printout.


If at any point in the future the user needs to recover their account, they will be able to scan the QR code on the certificate and enter their 6-word secret. The “owner” key will be temporarily recreated in Anchor, which will prompt the user to create a new “active” key for regular use.


You can already see an alpha version of it in action with Anchor Wallet for iOS using the certificate we shared here today. Open Anchor, tap “Scan QR”, and point it at the certificate. You’ll be prompted to enter the 6-word encryption key.


After the new account creation feature is released, all new EOSIO accounts created through Anchor Wallet for Mobile will offer this method of backup. It’s easy, secure, and brings us one step closer to mass adoption.


Some details on the implementation:


Keys are encrypted with AES-CBC using a key derived from the password using scrypt. The standard is based on BIP-38 with the following additions:

Key-type header

The format allows multiple key types, e.g. K1 or R1, so it can be extended as EOSIO adds support for different cryptography schemes.

Scrypt params

This future-proofs the standard so that encrypted keys can be configured to require more resources as more compute power becomes generally available. The lowest possible setting matches the BIP-38 recommendation.
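As an added illustration (not Anchor's code, and not the unpublished specification), the following example shows how a decoder might read a key-type header and a scrypt cost level, bound the cost it will accept from a scanned certificate, and derive the 32-byte AES key. The two-byte header layout, the 8-byte salt, the `MAX_LEVEL` cap and the sample words are assumptions made for this example; only the level-0 parameters (N=16384, r=8, p=8) come from BIP-38.

```python
import hashlib

# Hypothetical layout, for this example only:
#   byte 0     key type (0 = K1, 1 = R1)
#   byte 1     scrypt level; level 0 is the BIP-38 recommendation,
#              each further level doubles N
#   bytes 2-9  salt
KEY_TYPES = {0: "K1", 1: "R1"}
BIP38_LOG2_N, R, P = 14, 8, 8   # N = 2**14 = 16384, r = 8, p = 8
MAX_LEVEL = 2                   # local policy cap (assumption): a scanned
                                # certificate must not dictate unbounded memory use


def parse_header(blob: bytes):
    """Return (key_type, scrypt_N, salt) or raise ValueError."""
    if len(blob) < 10:
        raise ValueError("truncated header")
    key_type, level, salt = blob[0], blob[1], blob[2:10]
    if key_type not in KEY_TYPES:
        raise ValueError(f"unknown key type {key_type}")
    if level > MAX_LEVEL:
        raise ValueError(f"scrypt level {level} exceeds local cap {MAX_LEVEL}")
    # Level 0 is the floor, so a header cannot ask for less work than BIP-38.
    return KEY_TYPES[key_type], 1 << (BIP38_LOG2_N + level), salt


def derive_key(words, blob: bytes):
    """Derive the 32-byte AES key from the 6 words and the header."""
    key_type, n, salt = parse_header(blob)
    password = " ".join(words).encode("utf-8")
    # scrypt needs roughly 128 * r * N bytes; allow twice that as headroom.
    key = hashlib.scrypt(password, salt=salt, n=n, r=R, p=P,
                         maxmem=256 * R * n, dklen=32)
    return key_type, n, key


# Constructed sample input, not taken from any real certificate.
SAMPLE_WORDS = ["apple", "river", "stone", "cloud", "maple", "tiger"]
SAMPLE_HEADER = bytes([0, 0]) + b"\x01" * 8

if __name__ == "__main__":
    kt, n, key = derive_key(SAMPLE_WORDS, SAMPLE_HEADER)
    print(kt, n, key.hex())
```

Decrypting the private key with the derived key under AES-CBC would follow this step; it is left out here because it needs a third-party cipher library.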


Currently we have a Swift implementation of this standard and we will be releasing a JavaScript implementation along with a formal specification in the future.


Key Certificate



The owner key certificate is composed of 4 pieces of information:

  1. The encrypted private key
  2. The EOSIO account
  3. The EOSIO network
  4. The encryption password as 6 words in base2048

All information except the encryption key is redundantly represented in three different formats (as a QR code, as a base2048 mnemonic key and as strings).


Scanning the QR code in a compatible app and entering the 6 encryption keywords is the intended way of recovering an account with the certificate. If the QR code cannot be scanned, the 28 mnemonic words can be entered along with the 6 encryption keywords.


If both of those methods fail, the private key can be recovered from the SEC_... key string using the key encryption standard and used manually to recover the account.