What is the difference between Account identifier, Principal identifier and Public-Key

Can someone define each of these in the context of the keysmith command below?
Account identifier
Principal identifier

keysmith []
Available Commands:
account Print your account identifier
generate Generate your mnemonic seed.
legacy-address Print your legacy address.
principal Print your principal identifier.
private-key Write your private key to a file.
public-key Print your public key
version Print the version number.
x-public-key Print your extended public key.

cc @nomeata

  • public-key is your main public-key,
  • principal-identifier is a principal-id which is either a hash of your public key with the 0x02-byte, or a “derived-id” which is a hash of your main-principal and a nonce.

I'm not sure how the account identifier is generated; I haven't seen it in the spec yet, but it says this on the keysmith readme:

Among these identifiers includes an account identifier, which indicates the source or destination of an ICP token transfer.


AccountIdentifier is a hash of PrincipalId and an arbitrary 32-byte Subaccount.
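The two derivations described in the replies above, as an added example that is not part of the original thread and is not keysmith's own code. The thread only says "hash"; the SHA-224 digest, the `\x0Aaccount-id` domain separator, the CRC32 prefix and the base32 text form are taken from the published Internet Computer interface and ledger specifications, and the function names and sample key bytes are hypothetical.

```python
import base64
import hashlib
import zlib

def self_authenticating_principal(der_public_key: bytes) -> bytes:
    """SHA-224 of the DER-encoded public key, then the 0x02 type byte (29 bytes)."""
    return hashlib.sha224(der_public_key).digest() + b"\x02"

def principal_text(principal: bytes) -> str:
    """Text form: base32(CRC32 || principal), lower case, unpadded, dash every 5 chars."""
    checksum = zlib.crc32(principal).to_bytes(4, "big")
    b32 = base64.b32encode(checksum + principal).decode().rstrip("=").lower()
    return "-".join(b32[i:i + 5] for i in range(0, len(b32), 5))

def account_identifier(principal: bytes, subaccount: bytes = bytes(32)) -> str:
    """CRC32(h) || h, where h = SHA-224(0x0A 'account-id' || principal || subaccount)."""
    if len(subaccount) != 32:
        raise ValueError("subaccount must be exactly 32 bytes")
    h = hashlib.sha224(b"\x0aaccount-id" + principal + subaccount).digest()
    return (zlib.crc32(h).to_bytes(4, "big") + h).hex()

def account_checksum_ok(account_hex: str) -> bool:
    """Reject mistyped account identifiers before using them as a transfer destination."""
    try:
        raw = bytes.fromhex(account_hex)
    except ValueError:
        return False
    return len(raw) == 32 and zlib.crc32(raw[4:]).to_bytes(4, "big") == raw[:4]

# Constructed placeholder bytes standing in for a DER-encoded public key (assumption).
SAMPLE_DER_PUBLIC_KEY = bytes(range(44))

if __name__ == "__main__":
    principal = self_authenticating_principal(SAMPLE_DER_PUBLIC_KEY)
    print("principal:", principal_text(principal))
    print("default account:", account_identifier(principal))
    print("subaccount 1:", account_identifier(principal, (1).to_bytes(32, "big")))
```

Every input here is public material: the identifiers are one-way hashes of the public key, so none of them reveals or replaces the private key.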


That is a great find.

For transferring ICP tokens we need to use an account identifier, unlike a public key in other blockchains? Is this for maintaining privacy of the account balance?

There are no privacy features in the ledger, and all blockchains use a hash of the public key as account identifiers.

Here I think the main motivation is to support subaccounts.


Is the principal ID for an account considered a secret or private key? It seems the answer is no from reading the Integration section of the SDK website, but I’d like to confirm with someone who understands the specification better than myself. I’ve seen many times that people will paste screen captures of their NNS app or type their principal ID into a public chat and I’ve always wondered if that is a mistake. Are the secret or private keys visible in any way or are they handled behind the scenes via the Internet Identity?

Principal ids are public identifiers, you are safe to share them, but posting them publicly would remove the anonymity they offer, since an application will only ever see a principal when you connect to it unless you were to provide additional details yourself.

Private keys will never leave your devices, either the HSM or your local .pem store. These and seed phrases should always be kept private and secure.


The Dfinity ‘keysmith’ utility allows us to generate a seed, and then derive account id, principal id, priv/pub key. But how then is this information connected to Internet Identity for use with NNS, wallets, dapps? Can you confirm that this is what Dfinity refers to as “Self Custody” and whether this support would be coming with hardware wallet support that has been hinted at?


@mac As far as I know, right now the only way to use the nns-website is with the internet-identity service and there is no way to use a custom private key for the internet-identity and also no way to get the private keys that the internet-identity service creates. But it is always possible to create the private keys yourself and send calls to the canisters through the ic-https-api.


@wang Norton, do you know how to generate a subaccount on the NNS canister for the purpose of creating a neuron?

I think the detailed relationship between them is like this. If there is an error, please let me know.



I haven’t done it myself but you can try the nns-ui interface here

Apparently there aren’t thorough instructions on how to do this. There are open questions here on the forum on 1. what are hotkeys and how to use them 2. how to get sign/send working and checking status of Request ID, 3. how to enable all this functionality without assuming the private keys are on the same computer as the networked computer (airgapped setup).

Is there a way to list the subaccounts for an arbitrary principal? The nns-ui canister has a function get_account which does this for the current principal.



Sorry, ledger is not my area of expertise.