diff --git a/core/core.services.yml b/core/core.services.yml
index 967c697..fbb1768 100644
--- a/core/core.services.yml
+++ b/core/core.services.yml
@@ -369,9 +369,12 @@ services:
     class: Drupal\Core\EventSubscriber\LegacyAccessSubscriber
     tags:
       - { name: event_subscriber }
+  private_key:
+    class: Drupal\Core\PrivateKey
+    arguments: ['@state']
   csrf_token:
     class: Drupal\Core\Access\CsrfTokenGenerator
-    arguments: ['@state']
+    arguments: ['@private_key']
     calls:
       - [setRequest, ['@?request']]
   access_manager:
diff --git a/core/includes/common.inc b/core/includes/common.inc
index 6391dbd..af9fdb1 100644
--- a/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -3033,10 +3033,10 @@ function drupal_json_decode($var) {
  *
  * @see \Drupal\Core\Access\CsrfTokenManager
  *
- * @deprecated as of Drupal 8.0. Use the csrf_token service instead.
+ * @deprecated as of Drupal 8.0. Use the private key service instead.
  */
 function drupal_get_private_key() {
-  return \Drupal::csrfToken()->getPrivateKey();
+  return \Drupal::privateKey()->get();
 }
 
 /**
diff --git a/core/lib/Drupal.php b/core/lib/Drupal.php
index e2996a3..255b0dc 100644
--- a/core/lib/Drupal.php
+++ b/core/lib/Drupal.php
@@ -392,6 +392,16 @@ public static function languageManager() {
   }
 
   /**
+   * Returns the private key service.
+   *
+   * @return \Drupal\Core\PrivateKey
+   *   The private key service.
+   */
+  public static function privateKey() {
+    return static::$container->get('private_key');
+  }
+
+  /**
    * Returns the CSRF token manager service.
    *
    * @return \Drupal\Core\Access\CsrfTokenGenerator
diff --git a/core/lib/Drupal/Core/Access/CsrfTokenGenerator.php b/core/lib/Drupal/Core/Access/CsrfTokenGenerator.php
index 0d27a9f..a95dfdd 100644
--- a/core/lib/Drupal/Core/Access/CsrfTokenGenerator.php
+++ b/core/lib/Drupal/Core/Access/CsrfTokenGenerator.php
@@ -7,8 +7,8 @@
 
 namespace Drupal\Core\Access;
 
-use Drupal\Core\KeyValueStore\KeyValueStoreInterface;
 use Drupal\Component\Utility\Crypt;
+use Drupal\Core\PrivateKey;
 use Symfony\Component\HttpFoundation\Request;
 
 /**
@@ -19,11 +19,11 @@
 class CsrfTokenGenerator {
 
   /**
-   * The state service.
+   * The private key service.
    *
-   * @var \Drupal\Core\KeyValueStore\KeyValueStoreInterface
+   * @var \Drupal\Core\PrivateKey
    */
-  protected $state;
+  protected $privateKey;
 
   /**
    * The current request object.
@@ -35,11 +35,11 @@ class CsrfTokenGenerator {
   /**
    * Constructs the token generator.
    *
-   * @param \Drupal\Core\KeyValueStore\KeyValueStoreInterface $state
-   *   The state service.
+   * @param \Drupal\Core\PrivateKey $private_key
+   *   The private key service.
    */
-  function __construct(KeyValueStoreInterface $state) {
-    $this->state = $state;
+  function __construct(PrivateKey $private_key) {
+    $this->privateKey = $private_key;
   }
 
   /**
@@ -53,44 +53,6 @@ public function setRequest(Request $request) {
   }
 
   /**
-   * Gets the private key.
-   *
-   * @return string
-   *   The private key.
-   */
-  public function getPrivateKey() {
-    if (!$key = $this->state->get('system.private_key')) {
-      $key = $this->createPrivateKey();
-      $this->setPrivateKey($key);
-    }
-
-    return $key;
-  }
-
-  /**
-   * Sets the private key.
-   *
-   * @param string $key
-   *
-   * @return \Drupal\Core\Access\CsrfTokenGenerator
-   *   An instance of this class instance.
-   */
-  public function setPrivateKey($key) {
-    $this->state->set('system.private_key', $key);
-    return $this;
-  }
-
-  /**
-   * Creates a new private key.
-   *
-   * @return string
-   *   The private key.
-   */
-  protected function createPrivateKey() {
-    return Crypt::randomStringHashed(55);
-  }
-
-  /**
    * Generates a token based on $value, the user session, and the private key.
    *
    * @param string $value
@@ -104,7 +66,7 @@ protected function createPrivateKey() {
    * @see drupal_get_hash_salt()
    */
   public function get($value = '') {
-    return Crypt::hmacBase64($value, session_id() . $this->getPrivateKey() . drupal_get_hash_salt());
+    return Crypt::hmacBase64($value, session_id() . $this->privateKey->get() . drupal_get_hash_salt());
   }
 
   /**
diff --git a/core/lib/Drupal/Core/PrivateKey.php b/core/lib/Drupal/Core/PrivateKey.php
index c1720b5..fd8bb55 100644
--- a/core/lib/Drupal/Core/PrivateKey.php
+++ b/core/lib/Drupal/Core/PrivateKey.php
@@ -7,6 +7,64 @@
 
 namespace Drupal\Core;
 
+use Drupal\Core\KeyValueStore\KeyValueStoreInterface;
+use Drupal\Component\Utility\Crypt;
+
+/**
+ * Manages the Drupal private key.
+ */
 class PrivateKey {
 
+  /**
+   * The state service.
+   *
+   * @var \Drupal\Core\KeyValueStore\KeyValueStoreInterface
+   */
+  protected $state;
+
+  /**
+   * Constructs the token generator.
+   *
+   * @param \Drupal\Core\KeyValueStore\KeyValueStoreInterface $state
+   *   The state service.
+   */
+  function __construct(KeyValueStoreInterface $state) {
+    $this->state = $state;
+  }
+
+  /**
+   * Gets the private key.
+   *
+   * @return string
+   *   The private key.
+   */
+  public function get() {
+    if (!$key = $this->state->get('system.private_key')) {
+      $key = $this->create();
+      $this->set($key);
+    }
+
+    return $key;
+  }
+
+  /**
+   * Sets the private key.
+   *
+   * @param string $key
+   *  The private key to set.
+   */
+  public function set($key) {
+    return $this->state->set('system.private_key', $key);
+  }
+
+  /**
+   * Creates a new private key.
+   *
+   * @return string
+   *   The private key.
+   */
+  protected function create() {
+    return Crypt::randomStringHashed(55);
+  }
+
 }