Security & Key Management
How Morsel stores and protects your keys, seed phrase best practices, and security recommendations.
Morsel is a non-custodial wallet. That means your private keys are generated on your device, stored on your device, and never transmitted anywhere. This guide explains exactly how that works.
How Your Keys Are Stored
When you create or import a wallet, Morsel derives your private keys from your seed phrase and encrypts them using a key derived from your PIN or biometrics. The encrypted keystore is saved in your device's secure local storage.
- Your seed phrase is encrypted before being stored — it is never saved in plain text
- The encryption key is derived from your PIN using PBKDF2 with a random salt
- On mobile, biometric authentication unlocks a key stored in the device's secure enclave
- Morsel servers never receive your seed phrase, private key, or encryption key
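The storage scheme described above, as an added illustration that is not Morsel's own code (the page gives no iteration count, key sizes or keystore layout, so those are assumed here): a key derived from the PIN with PBKDF2 and a random salt, the seed encrypted under it, and a wrong PIN rejected by the authentication tag instead of decrypting to garbage.

```python
import hashlib
import hmac
import os

# Constructed parameters: the page does not state Morsel's iteration count,
# key sizes or keystore layout, so these are illustrative choices.
PBKDF2_ITERATIONS = 200_000
SALT_LEN, NONCE_LEN, KEY_LEN, TAG_LEN = 16, 16, 32, 32


def derive_key(pin: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 turns a short PIN plus a random salt into the keystore key.
    The iteration count is what slows guessing if the blob is ever copied off the device."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)


def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the PBKDF2 output.
    return (hmac.new(key, b"enc", "sha256").digest(), hmac.new(key, b"mac", "sha256").digest())


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only keystream; a production
    # keystore would use an AEAD such as AES-GCM instead of this construction.
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_seed(seed_phrase: str, pin: str) -> bytes:
    """Build the keystore blob: salt || nonce || ciphertext || tag. The PIN itself is never stored."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _subkeys(derive_key(pin, salt))
    ciphertext = _xor_stream(enc_key, nonce, seed_phrase.encode())
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def decrypt_seed(blob: bytes, pin: str) -> "str | None":
    """Return the seed phrase, or None when the PIN is wrong or the blob was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(derive_key(pin, salt))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):  # constant-time check; a wrong PIN fails here
        return None
    return _xor_stream(enc_key, nonce, ciphertext).decode()
```

Because the salt and nonce are fresh on every save, two encryptions of the same seed under the same PIN produce different blobs.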
Your Seed Phrase
Your seed phrase (also called a recovery phrase or mnemonic) is a sequence of 12 or 24 words that encodes your master private key. Anyone with these words can access all of your funds on any wallet.
- Write it down on paper — not in a notes app, email, or screenshot
- Store it in a physically secure location — a safe, a lockbox, or split between two locations
- Never type it into any website, app, or chat — no legitimate service will ever ask for it
- Never photograph it or store it in cloud storage
PIN Security
Your PIN unlocks the encrypted keystore on your device. It is not transmitted anywhere and is never known to Morsel.
- Use a PIN that is not obvious (not 000000, 123456, or your birth year)
- Do not share your PIN with anyone — Morsel support will never ask for it
- If you forget your PIN, you can restore your wallet from your seed phrase
Biometric Authentication
On mobile, Morsel can use Face ID or fingerprint to unlock your wallet and approve transactions. This is handled entirely by your device's secure enclave — Morsel never sees your biometric data.
Under the hood, your biometric check unlocks a device-bound key stored in the secure enclave. That key is then used to decrypt your keystore. The biometric template itself never leaves the chip.
What Morsel Cannot See
Because everything is local and encrypted, Morsel cannot access any of the following:
- Your seed phrase or private keys
- Your wallet balance or transaction history
- Which dApps you connect to
- Any signing activity
Screenshot Protection
On mobile, Morsel automatically prevents screenshots and screen recordings on screens that display your seed phrase or private key. This is enforced at the OS level — the screen will appear black if you try to capture it.
Best Practices
- Use a unique PIN that you do not use elsewhere
- Enable biometrics for daily convenience, but also remember your PIN
- Regularly check connected dApps in Settings → Connected Sites and revoke any you no longer use
- Keep Morsel updated — security patches are released regularly
- For very large holdings, consider using a hardware wallet alongside Morsel
Revoking dApp Access
Connecting a dApp gives it read access to your public key. It does not give it the ability to move funds — every transaction still requires your approval. To revoke a connection:
- Open Morsel and go to Settings
- Tap Connected Sites
- Find the dApp and tap Disconnect
- The dApp will no longer be able to request your public key without re-connecting