diff --git a/keychain/derivation.go b/keychain/derivation.go
index d908da75..54144efc 100644
--- a/keychain/derivation.go
+++ b/keychain/derivation.go
@@ -90,6 +90,12 @@ const (
 	// a payment, or self stored on disk in a single file containing all
 	// the static channel backups.
 	KeyFamilyStaticBackup KeyFamily = 7
+
+	// KeyFamilyTowerSession is the family of keys that will be used to
+	// derive session keys when negotiating sessions with watchtowers. The
+	// session keys are limited to the lifetime of the session and are used
+	// to increase privacy in the watchtower protocol.
+	KeyFamilyTowerSession KeyFamily = 8
 )
 
 // KeyLocator is a two-tuple that can be used to derive *any* key that has ever
diff --git a/watchtower/wtclient/derivation.go b/watchtower/wtclient/derivation.go
new file mode 100644
index 00000000..cb0caec0
--- /dev/null
+++ b/watchtower/wtclient/derivation.go
@@ -0,0 +1,24 @@
+package wtclient
+
+import (
+	"github.com/btcsuite/btcd/btcec"
+	"github.com/lightningnetwork/lnd/keychain"
+)
+
+// DeriveSessionKey accepts an session key index for an existing session and
+// derives the HD private key to be used to authenticate the brontide transport
+// and authenticate requests sent to the tower. The key will use the
+// keychain.KeyFamilyTowerSession and the provided index, giving a BIP43
+// derivation path of:
+//
+//  * m/1017'/coinType'/8/0/index
+func DeriveSessionKey(keyRing SecretKeyRing,
+	index uint32) (*btcec.PrivateKey, error) {
+
+	return keyRing.DerivePrivKey(keychain.KeyDescriptor{
+		KeyLocator: keychain.KeyLocator{
+			Family: keychain.KeyFamilyTowerSession,
+			Index:  index,
+		},
+	})
+}