“Not your keys, not your crypto” is a common phrase in the world of digital assets, and for good reason.
Private keys are the only information required to sign transactions and move your digital assets. Because of this, only trusted individuals or third parties should have access to your organization’s private keys.
But how do you ensure this stays true as you grow your business, team, and network of counterparties?
In this blog post, we’ll walk you through how to evaluate private key access from the perspective of storage, user permissions and counterparty risk.
Who has access to your private keys within your organization?
The answer to this question often comes down to what kind of storage method you’re using.
For example, with a hardware wallet the private keys live on a single device, so whoever has physical possession of it and knows the device PIN or passphrase can unilaterally move funds. This is one of the most common custody methods for individuals, but for an organization it is both the least operationally flexible and the least secure option, because it concentrates full control in one device and one person.
With multi-sig or MPC custody, by contrast, moving funds requires a quorum of m-of-n signers (multi-sig) or m-of-n key shares (MPC), so it is significantly harder for any one person inside the organization to gain unilateral control of a private key: the complete key is never held in one place, and in the MPC case it is never even assembled.
You’ll also want to understand each user’s access level and the approvals a transaction requires before it can be sent. User- and transaction-based policies (a required approver quorum, or per-transaction amount limits, for example) ensure that no single user can withdraw your funds.
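To make the threshold idea concrete, here is an added Python example of Shamir k-of-n secret sharing, the simplest threshold scheme. It is not Fireblocks code and does not describe its MPC protocol; production MPC signing goes further and never reassembles the key at all, whereas this toy reconstructs it only to show the property that matters for custody: any k shares recover the key, and k-1 shares yield something unrelated. The field prime, the 2-of-3 parameters and the demo secret are choices made for this example.

```python
"""Added example: Shamir k-of-n secret sharing over a prime field.

Illustrates the threshold property behind multi-sig/MPC custody: any k
shares recover the secret, while k-1 shares are consistent with every
possible secret and so reveal nothing. Toy code, not a production scheme.
"""
import secrets
from itertools import combinations
from typing import Callable, List, Tuple

# Mersenne prime 2^127 - 1 (chosen for this demo); secrets must be < PRIME.
PRIME = 2**127 - 1

Share = Tuple[int, int]  # (x, f(x)) with x in 1..n


def _eval_poly(coeffs: List[int], x: int, p: int) -> int:
    """Evaluate sum(coeffs[i] * x**i) mod p using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret: int, k: int, n: int, p: int = PRIME,
                 rng: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Split `secret` into n shares, any k of which recover it.

    f(x) is a polynomial of degree k-1 with f(0) = secret and random
    higher coefficients; share i is the point (i, f(i)).
    `rng(p)` must return a value in [0, p); the default is CSPRNG-backed.
    """
    if not 1 <= k <= n or n >= p:
        raise ValueError("need 1 <= k <= n < p")
    if not 0 <= secret < p:
        raise ValueError("secret must be reduced mod p")
    coeffs = [secret] + [rng(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share], p: int = PRIME) -> int:
    """Lagrange-interpolate f(0) from the given shares.

    With fewer than k shares the result is well defined but unrelated to
    the real secret, and nothing here can tell the difference; that is
    exactly why a sub-quorum holder learns nothing.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def every_quorum_recovers(shares: List[Share], k: int, p: int = PRIME) -> bool:
    """True if every k-subset of the shares interpolates to the same secret."""
    values = {recover_secret(list(sub), p) for sub in combinations(shares, k)}
    return len(values) == 1


def below_quorum_leaks(secret: int, shares: List[Share], k: int,
                       p: int = PRIME) -> bool:
    """True if any (k-1)-subset happens to interpolate to the real secret."""
    return any(recover_secret(list(sub), p) == secret
               for sub in combinations(shares, k - 1))


if __name__ == "__main__":
    # Constructed demo secret standing in for a 126-bit signing key.
    key = secrets.randbits(126)
    shares = split_secret(key, k=2, n=3)
    print("any 2 of 3 shares recover the key:", every_quorum_recovers(shares, 2))
    print("a single share recovers the key:", below_quorum_leaks(key, shares, 2))
    print("shares:", [(x, hex(y)[:12] + "...") for x, y in shares])
```

Each share on its own is a point on a random line (for k=2), and a single point is consistent with every possible intercept, so the holder of one share, or one hardware device holding one share, cannot move funds alone. That is the property the governance questions below are meant to preserve as people join and leave.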
Ideally, you should periodically catalog how many people on your team have access, and how many of them actually need it.
Candidates include executives, operations and finance teams, developers, and investors. We recommend you run an inventory of private key access within your organization, starting with:
- Which departments have access, and why?
- Who is in your quorum of admins that approve or sign transactions? Are they all still employed by the organization?
- How many admins in the quorum are required to approve a transaction?
- How soon are new employees given access to private keys?
- What private key offboarding process is in place when someone leaves the organization? Are they removed from the quorum, and is any key material they could have copied rotated?
Who has access to your private keys outside of your organization?
There are a range of external parties that may also have access to your private keys. This can include exchanges, trading venues, banks and qualified crypto custodians.
If your private keys are managed by any of these external parties, even temporarily, that party has full control of your funds for as long as it holds them.
You’ll want to carefully consider how these counterparties are managing your private keys – and make sure they are aligned with your digital asset security standards and governance.
If you’re going to leave private keys with an external organization (such as a crypto custody provider or an exchange), you’ll want to understand:
- Are your private keys online in a hot wallet or offline in cold storage?
- Who at the counterparty has access to your private keys, and what user and transaction policies are in place to protect you from a compromised or malicious employee?
- Are your funds held in segregated wallets?
- How long does it take to withdraw your funds? Can this change based on market conditions?
- What technical controls protect your private keys from cyberattacks and malicious actors?
- Do your assets become the counterparty’s balance-sheet assets (commingled with its own and exposed to its creditors), or are they held off balance sheet in your name?
- What are the business continuity risks if the counterparty fails or halts withdrawals?
At some point you will inevitably use an exchange or trading venue. Best practice is to minimize the time those external parties control your private keys.
Disclaimer: As a custody technology provider, Fireblocks never has access to your digital asset funds; MPC key sharding ensures that your organization always retains full control of your private keys.