private key – HD Wallet with BIP44 – workaround of deriving public keys knowing only a xpub

My goal: I don’t want to require a private key to hierarchically derive new addresses.

Sure, I can create a batch of addresses, given a private key, at first. But once I have surpassed that batch I’ll require the private key again to generate more addresses.

I want to derive addresses knowing only a public key. I know this is possible with BIP39, but understand there can be security concerns involved with this, ie. if an attacker stumbles upon an xpub and xprv they can derive as many addresses as they want and be able to sign transactions using them.

Attempting to derive from a HD public key with BIP44 results in a exception stating a hardened path requires a HD private key. However, I have found a workaround, but I fear it is cheating and might sacrifice the benefits of path hardening in BIP44.

Here’s an example:

// It starts off with a `userCode` that represents a BIP39 Mnemonic code.
const codeUser = new Mnemonic('select scout crash enforce riot rival spring whale hollow radar rule sentence')

// Convert to HD private key...
const hdUserPrivateKey = codeUser.toHDPrivateKey()

// The actual xpub for `hdPublicKey` is: `xpub661MyMwAqRbcEngoXGfFNahZ5FzSDGqY8pWKTqo6vtXxK15otDNLXJmbeHV7DUjvPc7CAFhYp6hzBiTanr8rgoHPHf6NSgZAyejK5bk8MiW`
// But we won't use it...

// Instead, I can then derive a BIP44 without the `change`, `address_index` segments from `hdUserPrivateKey` and save that instead.
// Gives: `xpub6CsrEMgU2f8uEGfFMvsPjKB9ekHuZiesLqSHLwCJuNFkP2uJGm7WjTo2gy95S4KEBc4etdodNQXAvn5Vsf4kupJQ1DKR4DMfcHwKdhQ3k6h`
// This is the xpub I can use to derive addresses without requiring the initial private key.

// So knowing this, I can build a HD public key given that xpub...
const hdPublicKey = Mnemonic.bitcore.HDPublicKey('xpub6CsrEMgU2f8uEGfFMvsPjKB9ekHuZiesLqSHLwCJuNFkP2uJGm7WjTo2gy95S4KEBc4etdodNQXAvn5Vsf4kupJQ1DKR4DMfcHwKdhQ3k6h')

const derivative = 0

// We can derive from it this path, but what is this path defined as? Are we back in BIP39 territory now?
const publicKey = hdPublicKey.deriveChild(`m/0/${derivative}`).publicKey

const address = new Mnemonic.bitcore.Address(publicKey)

console.log(address.toString()) // 12XyHwtmoq5w4VQ5mzcu6BQzdLqCLxUv5e

…and of course, I can increment the derivative as many times as I wish to create new addresses from the public key.

Whenever I wish to sign a transaction…

const codeUser = new Mnemonic('select scout crash enforce riot rival spring whale hollow radar rule sentence')
const hdUserPrivateKey = codeUser.toHDPrivateKey()
const derivative = 0

// BIP 44 derivation path for private key...
const privateKey = hdUserPrivateKey.deriveChild(`m/44'/0'/0'/0/${derivative}`).privateKey

Is this approach valid or am I dodging BIP44 standards?

bitcoind – List transactions after losing wallet and private key?

If you have your wallet.dat in the Bitcoin core and someone else for some reason knows a private key that is associated with this wallet.dat, this person can spend the Bitcoins of that private key in basically, any other wallet, if this person does that, you will see this transaction in your Bitcoin core as the type “Sent to”.

If you like to test it you can type listunspent in your Bitcoin core, then you will see the addresses with an amount to be spendable, then you can copy any of these addresses and take the private key for that address using the command dumpprivkey address, take this private key and import in any other wallet then send the Bitcoin to some other wallet.

How to create signature for the payload (data)using private key in java with bitcoinj?

I have private key as ‘cUN9LNcEC54HAbWAwUs6coPSc72TcQYzxf4qSqdHJPVKSapeHzFj’ and payload as ‘hello’, now how to create the signature for this payload using private key in java with bitcoinj library?

encryption – Is there some way to verify that what I think I encrypted is actually what was encrypted when I don’t have the private key? (PGP)

Let’s say that Joe gives his PGP public key to Sue so that Sue can send Joe a secret message.

Sue opens her PGP/GPG program, types I'm in love with Joe! and encrypts the message with Joe’s public key.

The result is a blob that only Joe can read, because only he has the private key to his public key.

When Joe receives the blob and decrypts it using his private key, the message reads: I hate you, Joe!!.

How is this possible? Well, Sue’s computer has been compromised by a jealous third party, Ken. Ken secretly installed a mechanism which changes the messages just before the PGP/GPG program uses the public key to encrypt the message, so that the wrong message is encrypted instead of the intended one.

Is there any way that Sue could have verified that the blob she sent to Joe actually contained the message she thought she inputted, when she doesn’t have the private key? I of course don’t mean to decrypt the message, but some kind of “true/false” answer whether the blob corresponds to exactly a given text. Is that possible?

(She does the verification on a separate, non-compromised computer.)

server – How hacker/ others get your SSH private key / stole your SSH private key?

Private keys aren’t any different from any other files, so any way for an attacker to get an arbitrary file from your PC is also a way for them to get your private key – provided it wasn’t encrypted. This includes, but is not limited to:

  • Theft
  • Malware
  • Accidental Disclosure
  • Insecure Storage
  • etc.

Each of these issues must be tackled in isolation, and they may not all be of equal importance. For example, I find it very unlikely that someone would break into my apartment and steal my hard drive – but it is much more likely that my laptop is being stolen when I am travelling.

One thing that is specific to private key is that a lot of even tech-literate people do not know what public-key cryptography is and thus think a private key is “like a password, but it’s a file”. As such, when they are supposed to upload their public key somewhere (which is a legitimate and necessary for the process to work), they sometimes upload their private key instead.

Even advanced users occasionally fall for malware, depending on the situation. For example, a few years ago, a friend sent me a message through steam, just with a link to a file. I downloaded and opened it. Big mistake. This wasn’t because I am somehow stupid (although people who know me would disagree), but because a handful of factors played together: I was busy playing a game, it was late at night and that friend happened to often just send me random links to check out. So it wasn’t any behavior that raised alarm bells for me.

Deploy Virtual Private Server In Under 5 Minute. Swiss-VPS.

Every Virtual Private Servers we offer includes full root access, enabling you to run whatever you wish whenever you want to.
Easy payments methods!
Best Cheap VPS Server for your online resource! What will you choose: VPS or Shared Hosting? High quality Best Cheap VPS Hosting!
Try now, 100% win-win program

VPS Server Features

-Choose VPS Server Location
-ISPmanager or cPanel
-Linux VPS SSH
-SolusVM Control Panel
-Support Quality
-Windows or Linux OS
-Guaranteed Dedicated RAM
-Instant Setup
-Windows VPS RDP

# 1 Cheap hosting PHP, MySQL and FTP sites

Low price and high quality – inexpensive premium hosting exists! Thanks to our cloud hosting technology, today cheap website hosting with MySQL, FTP and PHP offers more features. Let us help you create and run quality websites while saving money. Almost unlimited cheap website hosting. Try our free hosting service if you are still new to website development.



$9.95/ month
CPU 1хE5-2680
Dedicated RAM 2 GB
Virtualization KVM
Disk Space SSD 20GB
RAID -10 Yes
Setup Fee Free
Bandwidth 2 TB per Month
Port/Uplink 1 Gbit/s
RDP – mstsc.exe Yes
SolusVM Yes
Reboot, Reinstall Yes


$19.95/ month
CPU 2хE5-2680
Dedicated RAM 4 GB
Virtualization KVM
Disk Space SSD 30GB
RAID -10 Yes
Setup Fee Free
Bandwidth 4 TB per Month
Port/Uplink 1 Gbit/s
RDP – mstsc.exe Yes
SolusVM Yes
Reboot, Reinstall Yes

Dedicated Server:

Server E5-2670

$79/ month
CPU Intel® Xeon E5-2670
Dedicated RAM 16 GB
Disk Space SSD 100GB
IP IP’s 1
Bandwidth 10 TB per Month
Switzerland, Zurich
Port/Uplink 1 Gbit/s

Windows VPS


$11.99/ month
CPU 2хE5-2680
Dedicated RAM 1 GB
Virtualization XEN
Disk Space HDD 25GB
RAID -10 Yes
Setup Fee Free
Bandwidth 1 TB per Month
Port/Uplink 1 Gbit/s
RDP – mstsc.exe Yes
SolusVM Yes
Reboot, Reinstall Yes


$89.99/ month
CPU 2хE5-2680
Dedicated RAM 8 GB
Virtualization XEN
Disk Space HDD 150GB
RAID -10 Yes
Setup Fee Free
Bandwidth 6 TB per Month
Port/Uplink 1 Gbit/s
RDP – mstsc.exe Yes
SolusVM Yes
Reboot, Reinstall Yes

Full list of fares:

Our contacts:



private key – Is it possible to use BitGo wallet with other software (Electrum or else), what is the used derivation path?

BitGo wallets are based on a 2-of-3 multi-signature, the end user have access to:

- Public key (xpub) of the 3rd signer
- Native segwit (Bech32, bc1...) address to receive BTC
- Private key seed (BIP39) of the 1st signer (and thus public key xpub as well)
- Private key seed (BIP39) of the 2nd signer (and thus public key xpub as well)

Seeds can be converted to private key here, and xpub can be converted to Zpub (p2wsh) here or with Electrum with the command ./electrum.AppImage convert_xkey 'xpub...' 'p2wsh' --offline (Electrum and xpub-converter uses those specs and derivations paths), note that BigGo provide its own recovery tool as well (its debug infos can be used to get the xpub keys of the first ans second signer).

While it is possible to import the BitGo wallet into Electrum without error, Electrum never generate the same receiving address as BitGo, Following this and this bitcointalk’s forum threads:

1. What is the derivation path used by BitGo Bitcoin wallet?
2. Is it possible to use BitGo wallet in any other software like Electrum or else?

Other related QA: 1, 2, 3

htaccess – Point all to index.php conflict with a private directory

Here is my website structure (root):


The htaccess file contains:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ /index.php (L)

Having this said, all URLs point to index.php

In the private folder I also have a .htaccess file which contains:

Order Deny,Allow
Deny from all

The problem is that throws 403 and I don’t want this. I may want to use location to show something on my website.

I must mention that I don’t want to touch the .htaccess file from the private folder in any way.

So, I’m looking for a way to set some rules in the main .htaccess file.

How do I do that? Is it possible?

encryption – When is a private and public key given to a user, and why can the private key not get hacked?

Trying to understand assymetric encryption. To my knowledge, it deals with the key management problem by having each user have their own private key and public key. But when is this private and public key pair generated for the user? Does each user have a unique and persistent private and public key?

Also, why are hackers unable to get a private key?