> ## Documentation Index
> Fetch the complete documentation index at: https://www.dynamic.xyz/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Export EVM Private Key

> Export the raw EVM private key from a Dynamic MPC wallet for migration or disaster recovery

## Overview

`DynamicEvmWalletClient::exportPrivateKey` returns the wallet's raw 32-byte EVM private key as `0x`-prefixed hex. The MPC export ceremony returns an xpriv; the SDK then BIP-32-derives the final private key at the wallet's recorded derivation path.

<Warning>
  Once exported, the raw private key bypasses MPC — any holder of the key can sign without your server's involvement. Treat it as a one-way operation. Only use it for migration or disaster recovery, and rotate / abandon the wallet afterward.
</Warning>

## Prerequisites

* [Created an EVM wallet](/java/evm/create-wallet)
* Persisted `WalletProperties` and `List<ServerKeyShare>`

## Export the Key

```java theme={"system"}
import xyz.dynamic.waas.evm.DynamicEvmWalletClient;

String privateKeyHex = client.exportPrivateKey(
    walletProperties,
    externalServerKeyShares
).join();

// 0x-prefixed 32-byte hex, e.g. "0xabcd…"
System.out.println("Private key: " + privateKeyHex);
```

## Verifying the exported key

The exported key should derive the same address as `walletProperties.accountAddress()`. With web3j:

```java theme={"system"}
import org.web3j.crypto.Credentials;
import org.web3j.crypto.ECKeyPair;
import org.web3j.utils.Numeric;

ECKeyPair pair    = ECKeyPair.create(Numeric.toBigInt(privateKeyHex));
Credentials creds = Credentials.create(pair);
String derived    = creds.getAddress();   // EIP-55 checksum form

assert derived.equalsIgnoreCase(walletProperties.accountAddress());
```

## Best Practices

* **Treat exports as a one-way operation** — don't use the same wallet through MPC after exporting; rotate to a fresh wallet.
* **Never log the key** — redact it from all logs and error messages. The SDK's `tracing` instrumentation already skips this arg; do the same in your own code.
* **Zero memory after use** — keep the key as `char[]` / `byte[]` where possible and explicitly zero it after forwarding to its destination.
* **Transport over TLS only** — never send the key over an unencrypted channel.

## Next Steps

* [Use delegated access](/java/evm/delegated-access)
* [Import an existing private key](/java/import-private-key)
