Keys let us verify the origin and integrity of data.
A "key" is simply a number.
A private key is an extremely unique (i.e. large and randomly generated) number.
When a private key is used to generate a public key, the combo is called a key pair.
The public key is generated by using the private key in a specific mathematical algorithm called a cryptographic curve, so key pairs will often be referenced along with the name of their curve, e.g. "secp256k1" (the curve used by Bitcoin and Ethereum) or "ed25519" (the curve used by BigchainDB).
Signing & Verifying
Using a private key, a device can sign any piece of data. Anyone can use the signature, the data, and the public key to mathematically verify the identity of the signer, and the integrity of the data.
Key pairs are the foundation of blockchain identity. Every transaction must be signed using a private key, and verified using the public key.
Security & HSMs
As the foundation of digital identity, the private key must be kept absolutely private and secure. It should never be accessible outside of the hardware that created it. Specialized hardware that manages and performs these tasks is called a Hardware Security Module, or HSM. An HSM provides a Trusted Execution Environment (TEE) that can generate private/public key pairs, store them securely, and perform signing operations internally. The HSM's host system is only allowed to access the public key, or request that a piece of data be signed by the HSM, using one of its internal private keys.