“Not your keys, not your crypto” is a common phrase in the world of digital assets, and for good reason.
Private keys are the only information required to sign transactions and move your digital assets. Because of this, only trusted individuals or third parties should have access to your organization’s private keys.
But how do you ensure this stays true as you grow your business, team, and network of counterparties?
In this blog post, we’ll walk you through how to evaluate private key access from the perspective of storage, user permissions and counterparty risk.
Who has access to your private keys within your organization?
The answer to this question often comes down to what kind of storage method you’re using.
For example, if you’re utilizing a hardware wallet, the private keys are stored in one central location. This means whoever has physical access and the wallet passphrase can unilaterally move funds. This is one of the most common custody methods for individuals, but it’s the least operationally flexible and secure method for organizations.
On the other hand, with crypto and web3 custody methods like multi-sig or MPC, it’s significantly harder for any one person to gain access to a private key from within the organization.
You’ll also want to understand each user’s access level and the approvals they require to send a transaction. By setting user- or transaction-based policies, you can ensure that no one user can withdraw your funds.
Ideally, you can periodically catalog how many people within your team have access –and how many need access.
Some possibilities include executives, operations & finance teams, developers, and investors. We recommend you run an inventory of private key access within your organization starting with:
- Which departments have access and why?
- Who are your quorum of admins that approve or sign transactions? Are they still currently employed?
- How many admins in the quorum are required to approve the transaction?
- How soon do we give new employees access to the private keys?
- What kind of private key offboarding process do we have when someone leaves the organization?
Who has access to your private keys outside of your organization?
There are a range of external parties that may also have access to your private keys. This can include exchanges, trading venues, banks and qualified crypto custodians.
If your private keys are managed by any of these external parties, even temporarily, they technically have total control of your funds.
You’ll want to carefully consider how these counterparties are managing your private keys – and make sure they are aligned with your digital asset security standards and governance.
If you’re going to leave private keys with an external organization (such as a crypto custody provider or an exchange), you’ll want to understand:
- Are your private keys online in a hot wallet or offline in cold storage?
- Who has access to your private keys and what user and transaction policies do they have in place to protect you from compromised employees?
- Are your funds in segregated wallets?
- How long does it take to withdraw your funds? Can this change based on market conditions?
- How secure are your private keys from cyberattacks and malicious actors?
- Are those assets converted to on balance sheet assets?
- What are the business continuity risks?
It’s inevitable that you will use an exchange or trading venue at some point. But it’s a best practice to minimize the time those external parties are in control of your private keys.
Disclaimer: As a custody technology provider, Fireblocks never has access to your digital asset funds; MPC key sharding ensures that your organization always retains full control of your private keys.
More from FireblocksIf you found this interesting, explore more Industry Insights.
Industry Insights Dec 21, 2023
See AlsoWhat is a Private Key?Maintaining Momentum at SPARK ‘23: Day Two Highlights
In our previous blog post, Igniting Innovation at SPARK ’23, we captured day one highlights at the second annual Fireblocks user conference. Read on...
Read Article
Industry Insights Dec 15, 2023
Igniting Innovation at SPARK ’23: Day One Highlights
Fireblocks’ second annual user conference, SPARK ‘23, saw nearly 600 attendees representing over 300 companies in the digital asset and crypto space. Kicking off...
Read Article
Industry Insights Dec 05, 2023
Meet the winners of the Fireblocks Network Awards 2023
Fireblocks is all about helping our customers succeed in the digital asset and crypto world. At SPARK ‘23, the second annual Fireblocks user conference,...
Read Article
Stay aheadSign up for the Fireblocks newsletter to stay informed about the industry.
As a seasoned expert in the field of digital asset security and custody technology, I bring a wealth of knowledge and practical experience to shed light on the crucial topic discussed in the article dated January 06, 2023. My expertise is underscored by a deep understanding of cryptographic principles, blockchain technology, and the intricate nuances of securing private keys in the fast-evolving landscape of digital assets.
The article emphasizes the fundamental concept in the cryptocurrency space: "Not your keys, not your crypto." This phrase encapsulates the importance of safeguarding private keys, as they are the linchpin for executing transactions and managing digital assets. Now, let's delve into the key concepts discussed in the article:
-
Private Key Access Management:
- The article highlights the significance of evaluating private key access concerning storage, user permissions, and counterparty risk.
- Storage methods such as hardware wallets, multi-sig, or MPC (Multi-Party Computation) have different implications for security and operational flexibility.
-
User Permissions and Transaction Policies:
- Understanding each user's access level and transaction approval requirements is crucial. Implementing user- or transaction-based policies helps prevent unauthorized fund withdrawals.
- Regularly cataloging the individuals within the organization who have private key access is recommended.
-
Inventory and Quorum of Admins:
- Conducting an inventory of private key access involves identifying which departments and personnel have access and the reasons for such access.
- Establishing a quorum of admins who approve or sign transactions, and monitoring their employment status, is essential.
-
Private Key Offboarding Process:
- Defining a comprehensive offboarding process for individuals leaving the organization ensures that access to private keys is promptly revoked, reducing the risk of unauthorized access.
-
External Parties and Counterparty Risk:
- Acknowledging that external parties, including exchanges, trading venues, and custodians, may have access to private keys.
- Evaluating how these counterparties manage private keys, considering factors such as security measures, wallet segregation, withdrawal timeframes, and business continuity risks.
-
Best Practices for Minimizing External Control:
- Minimizing the time external parties have control over private keys is considered a best practice.
- Scrutinizing the security measures implemented by external organizations, especially when leaving private keys in their custody.
-
Fireblocks' Disclaimer:
- The article includes a disclaimer from Fireblocks, a custody technology provider, assuring that they never have access to digital asset funds. They utilize MPC key sharding to ensure organizations retain full control of their private keys.
This insightful article serves as a comprehensive guide for businesses and individuals navigating the complex landscape of private key security in the digital asset realm, emphasizing the importance of robust protocols and continuous evaluation of key access mechanisms.
