Choosing the Best Security for Nostr: HEX, nsec, ncryptsec, and Bunker Explained


Nostr is a fast-growing decentralized social protocol, and securing your account is critical. With various login methods—HEX/nsec, ncryptsec encryption, bunker remote signers, and browser extensions like nos2x—users may be unsure which approach offers the best balance of safety and convenience. This article breaks down the differences and best practices for each option.


Understanding Nostr Key Formats: HEX vs. nsec

Your Nostr identity is tied to a cryptographic private key. This key can be expressed as:

  • HEX: A 64-character hexadecimal string (raw private key).
  • nsec: A Bech32-encoded, user-friendly string version of your key.

Security Implication:
Both formats represent the same secret information. The risk lies not in the format but in exposure: never enter your HEX or nsec into untrusted apps or websites, because a stolen key means losing your account forever!
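
To make the point above concrete, here is an added example (not from the original article or any Nostr project) that converts between HEX and nsec with a plain Bech32 implementation (BIP-173, the encoding NIP-19 uses). The function names and the sample key are constructed for illustration; the round trip shows that nsec is only a checksummed re-encoding of the same 32 secret bytes, not a protected form of them.

```python
# Added example: HEX <-> nsec is Bech32 re-encoding (BIP-173), not encryption.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)
SAMPLE_HEX = "0123456789abcdef" * 4  # constructed throwaway key, never use it

def _polymod(values):  # Bech32 checksum polynomial over 5-bit symbols
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk

def _hrp_expand(hrp):  # the "nsec" prefix is covered by the checksum too
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def _convertbits(data, frombits, tobits, pad):  # regroup bits, e.g. 8 -> 5
    acc = bits = 0
    out = []
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & ((1 << tobits) - 1))
    if pad and bits:
        out.append((acc << (tobits - bits)) & ((1 << tobits) - 1))
    elif not pad and (bits >= frombits or (acc << (tobits - bits)) & ((1 << tobits) - 1)):
        raise ValueError("invalid padding")
    return out

def hex_to_nsec(hex_key):
    raw = bytes.fromhex(hex_key)
    if len(raw) != 32:
        raise ValueError("private key must be 32 bytes")
    data = _convertbits(raw, 8, 5, True)
    pm = _polymod(_hrp_expand("nsec") + data + [0] * 6) ^ 1
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return "nsec1" + "".join(CHARSET[d] for d in data + checksum)

def nsec_to_hex(nsec):
    nsec = nsec.lower()
    if not nsec.startswith("nsec1") or len(nsec) != 63 or any(c not in CHARSET for c in nsec[5:]):
        raise ValueError("not an nsec string")
    data = [CHARSET.index(c) for c in nsec[5:]]
    if _polymod(_hrp_expand("nsec") + data) != 1:  # catches typos, adds no secrecy
        raise ValueError("bad checksum")
    return bytes(_convertbits(data[:-6], 5, 8, False)).hex()
```

Because no password or secret is involved in either direction, any tool that handles one format should treat the other with exactly the same care.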


ncryptsec (NIP-49): Encrypted Key Storage

As the ecosystem matures, the ncryptsec format (defined in NIP-49) is gaining support. Here’s what you need to know:

  • What is ncryptsec?
    It’s your private key, encrypted with a password and encoded as a single string.
  • Why use it?
    Even if someone finds your ncryptsec, they can’t access your Nostr identity without your password.
  • How to set it up?
    Most modern Nostr apps and browser tools let you encrypt your existing key or generate a new one, prompting you to set a password. Always back up your ncryptsec and password safely.

Bunker: Remote Signing for Ultimate Safety

Bunker refers to remote signing services such as nsecBunker or nsec.app.

  • What does a bunker do?
    Your key never leaves the “bunker” server, which signs actions for you after you approve them. Apps only receive the signature, not your key.
  • Advantages:
    • Private key is never exposed to any third-party app or device.
    • Great for users with multiple devices or organizations/teams.
    • Bunker permissions can be revoked if a device is lost or compromised.
  • How to get one:
    Use a hosted service like nsec.app, or self-host your own bunker using nsecBunker.

Browser Extensions like nos2x

  • nos2x acts as a local signer: you approve actions, and the extension signs them—never exposing your real key to web apps.
  • Recent features now include ncryptsec support, letting you encrypt and back up your key with a password inside the browser.
  • How to use it:
    • Install nos2x, import or generate your key, optionally encrypt it as ncryptsec for backup.
    • All signing happens locally; your key is never sent to websites.

Which is Best?

Scenario               | Best Method
Simplicity & Password  | ncryptsec (encrypted key)
Shared/Advanced Use    | Bunker remote signer
Browser Convenience    | nos2x extension with ncryptsec
Legacy compatibility   | nsec/HEX (not recommended!)

Summary:

  • Never use unencrypted nsec/HEX keys in untrusted environments.
  • Use ncryptsec for simple backup and import across apps.
  • Use a bunker for the highest level of protection, permission management, and multi-device safety.
  • Use nos2x or similar extensions for browser-based local signing—especially with ncryptsec support for backup.

Securing your Nostr identity isn’t just about convenience—it’s your digital sovereignty. Choose the setup that best fits your technical comfort, and always follow secure backup and recovery practices!


Stay safe, and enjoy your journey on Nostr!

Genx

in

Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

sixteen + 9 =

Webmention: Have you posted a response to this article? Let me know the URL: