When will I need private key? (when 12-word phrase won't be sufficient)

[siaeae]

Hello, when using a cold wallet like KeepKey, for example, do I need to use a private key(s) to sign every SEND transaction?
If not, is there a situation where private key MUST be used and 12-word recovery phrase won't be sufficient?

I mean if a 12-word phrase is compromised, so can be the private key!
But then simply from functional (not security) point of view, what can private key do that a 12-phrase can't?

[DannyHamilton]

Hello, when using a cold wallet like KeepKey, for example, do I need to use a private key(s) to sign every SEND transaction?

All standard P2PKH and Multi-Sig bitcoin transactions must be signed.

If not, is there a situation where private key MUST be used and 12-word recovery phrase won't be sufficient?

Private key is generated from the recovery phrase.  As long as you have the recovery phrase, you should be able to generate any necessary private keys.

I mean if a 12-word phrase is compromised, so can be the private key!

Correct.

If the recovery phrase is compromised, then all of the private keys that are associated with that recovery phrase are also compromised.

But then simply from functional (not security) point of view, what can private key do that a 12-phrase can't?

Private key can be used to sign bitcoin transactions.  Recovery phrase can not be used to sign bitcoin transactions.  Recovery phrase can be used to reconstruct the private key so that the private key can be used to sign bitcoin transactions.

[onnz423]

As far as i know, the 12 word phrase basically is just some kind of information that can be used to generate private keys.
It is much easier to import a phrase than private keys one by one to the wallet. I don't know much about keepkey but if done safely, hardware wallet is the best security that you can get.
The 12 word phrase is really secure as you can read from Here. I personally only use private keys if i need to sign a multi signature transaction or such. The seed phrase is the  best and easiest bet in my opinion. I recommend generating the seed on a airgapped PC if using the keepkey, just because then there is pretty much no risk of your seed getting into the wrong hands (unless you accidently generate the key on compromised computer that isn't airgapped and connected to internet).

[siaeae]

Danny Hamilton,
You wrote above: "Private key can be used to sign bitcoin transactions" - HOW, manually? Or the wallet does it for you?

On my KeepKey, there is a PHYSICAL BUTTON that I have to press to confirm each SEND transaction.
Nowhere in Chrome KeepKey client do I see a field where I need to enter my private key manually!

Am I understanding it correctly that KeepKey (or ANY "cold" wallet) uses private key IN THE BACKGROUND to sign transactions when I press that button?

[DannyHamilton]

Danny Hamilton,
You wrote above: "Private key can be used to sign bitcoin transactions" - HOW, manually? Or the wallet does it for you?

The maths required to sign a transaction would be complex and time-consuming to try to do with pencil and paper.  Technically, you could, but it would be a pretty silly thing to do.  Generally, people use computer software (such as a Bitcoin wallet) or hardware (such as KeepKey) to build and sign the transaction before broadcasting it.

On my KeepKey, there is a PHYSICAL BUTTON that I have to press to confirm each SEND transaction.
Nowhere in Chrome KeepKey client do I see a field where I need to enter my private key manually!

The private key (or the information needed to generate the private key) is stored in your KeepKey.  The client software interacts with the KeepKey so that the transaction can be signed.

Am I understanding it correctly that KeepKey (or ANY "cold" wallet) uses private key IN THE BACKGROUND to sign transactions when I press that button?

Correct.  I'm not an expert on the KeepKey system, but if it was created securely, then the client should send the necessary transaction information to the KeepKey device, then the KeepKey should use the internal private key to create the signature when you press the button, then the KeepKey should supply the signature (or signed transaction) back to the client.

[siaeae]

Perffect! Thanks for your DETAILED answer.