TL;DR (concentrated takeaways)
Crypto key management involves understanding and protecting your crypto wallet keys.
Key management also includes protecting the various mechanisms (like passwords) that can provide access to your crypto wallet keys.
Consider all of the accounts and mechanisms that are used to gain access to your keys both in your wallet(s) and in all backup locations.
In the event of a possible wallet compromise, sweep your crypto to a new wallet. Practice this so that you understand the process and could do it quickly.
In case you need to restore your wallet on a new device, you should carefully practice restoring your wallet from its seed phrase.
Also practice restoring any digital assets such as NFTs.
Any time you change your wallet seed phrase or how your keys are stored, update your seed backup or corresponding notes.
What is Key Management?
Congratulations to those of you who manage your own crypto wallet. You probably already know that being in custody of your own crypto gives you some important crypto key management responsibilities, and we will discuss some of the most important aspects below.
In a nutshell, key management is the set of protections that you use to store and protect your crypto keys from theft and loss, so that only you have the ability to authorize crypto transactions or to restore your crypto wallet.
Recall that when you set up your wallet, you had to create a randomized seed phrase (maybe you also chose to set a BIP39 passphrase option). Your wallet used these to generate a master private and public keypair. Any detail that would allow someone to gain access to your keys (your seed phrase, crypto wallet, or passwords to anything that could expose your seed phrase or the keys) is very important to keep secret. Your keys (via the seed phrase) should be stored only in your crypto wallet and in any backups that you have consciously chosen to make and protect as part of your key management strategy.
Because you have choices in the crypto wallets that you use, the devices which you use to access them, and the number and form of backups that you make, exact key management strategies will vary for different people. However, the goals, concepts, and protection strategies are the same. Let’s go over what you need to know in order to safely protect and manage your keys.
If you have significant crypto investments, it is widely and strongly recommended that you manage your own crypto wallet and keys. (“Not your keys, not your coins!”) Therefore, we assume in this article that you are managing your own wallet.
Your keys are in your crypto wallet and in your backups.
Your wallet holds your seed phrase: you initially either used your wallet to generate a seed phrase for you, or you imported a seed phrase that you had previously created. Your wallet also holds generated keys: it uses your extended public key to check your account balances, and your extended private key (and any child keys used for specific crypto coin accounts) to sign transactions. (Your wallet may or may not also store your optional BIP39 passphrase, depending on its model and configuration.)
The wallet backup that you hopefully created when you set up your wallet should contain all of the information needed to restore your wallets: this includes the seed phrase at a minimum, and possibly more information. If you set a BIP39 passphrase, your backup should include that, too (possibly in a second location if you are not using a distributed, encrypted backup solution like Vault 12’s Digital Vault).
Because your seed phrase and optional passphrase can be used to reconstruct your master keypair (and thus all of your crypto assets), it is critical that you protect not just your actual crypto wallet, but also your seed phrase backups, and everything that protects these backups.
Your keys are guarded by various secrets that protect your wallets and backups.
Depending on your setup, other passwords and secrets that may be needed in order to access your keys include:
- A physical vault combination in which you keep your hardware wallet or seed phrase backups.
- A laptop or cellphone username/password login, and a software wallet password.
- Encryption passwords used to encrypt your seed phrase or passphrase before storing on a cloud drive.
- The location and password to your password vault software.
- The location and filename(s) of encrypted seed phrase or passphrase backups.
- 2-factor authentication reset codes.
You should understand the entire set of passwords, PINs, vault codes, and any other secrets that would be necessary to access your crypto. Understand which of them are single points of failure. Ensure that each is strong. If you are using a password manager, understand how you are backing up the master password to your password manager. Ensure that each secret is backed up using good password management practices, and that there is some way for a trusted person to access your crypto using the backups of your secrets if you become incapacitated or unavailable.
Management of the broader, complete set of secrets that are used for all varieties of digital activities is known as “Secrets Management.” This article describes management of only the secrets that are related to protection of one’s cryptocurrency wallet encryption keys.
Protecting the keys in your crypto wallet from theft and loss.
Whether you use hardware, desktop, or mobile devices, always use strong passwords and keep all software up to date.
Hardware wallets are by design more secure than software wallets. Hardware wallets usually hold your keys in a high-security physical chip like a Secure Enclave or similar, and have strong safeguards to prevent a bad actor from using the device directly or extracting the keys if they gain physical access. These safeguards often include initial tamper-evident packaging, a password and/or PIN, protections that temporarily or permanently lock or erase the device if too many incorrect guesses are made, and short-lived timeout locks requiring frequent re-authentication.
Software wallets vary a lot; there are an incredible number of them of varying quality. Because of how much they vary, it is hard to make generalizations, but they are usually protected by passwords and additional system-level protections related to memory, caching, etc. Because of the large variety of applications that are run on desktop and mobile devices, and the fact that they are connected to the internet as a hot wallet, the potential “attack surface” of desktop and mobile wallets is large, and unfortunately, malware on laptops and cellphones is common. It is generally agreed that software wallets are not secure enough to protect high-value crypto holdings – but many people do use software wallets to hold small amounts of crypto for day-to-day transactions.
Some advice about protecting crypto wallets on your mobile device: mobile apps can leverage system-level security features like isolated, encrypted file systems and network transfer mechanisms that are stronger than desktop operating systems commonly offer. However, mobile devices are more frequently lost and stolen due to their portability. If you use a crypto wallet on your smartphone, do your homework and ensure that you are using a well-known, well-reviewed wallet installed on a modern device that has a secure chip for storing your keys. Also enable mobile device security mechanisms offered by your provider such as remotely disabling your phone, or remotely finding your phone if lost.
Regardless of the level of security that your wallet offers, good key management requires that you provide your hardware and software wallets (and any backups) with the best security that you can by keeping them locked up or otherwise limited in who can physically access them.
Protecting the seed phrase in your backups from theft and loss.
Remember that your seed phrase can be imported into a new wallet to regenerate your crypto keys, so even though your seed phrase takes a different form than your actual keys, protecting your seed phrase is equivalent to protecting your keys.
Much of the same advice just offered for keeping your crypto wallet protected also applies to your seed phrase backups – but the scope of key management for your backups expands if your backup scheme becomes complex.
As an example of easy and effective key management for simple backups, if you were to store two copies of a seed phrase in physical vaults in two different locations, your protection of those backups is straightforward: you would only need to limit physical access to the vaults, and safely protect the code(s) to the safes. (You could even choose to safely store the vault codes in your Vault12 Digital Vault!)
Another example of an easy and effective key management strategy would be for you to use the Vault12 Digital Vault to back up your seed phrase – you would just need to keep the Digital Vault mobile app device software updated (likely automatic), and ensure that your mobile device is configured with strong authentication (choose a PIN that’s hard to guess, and consider using Face ID or fingerprint as a second authentication factor). Of course, you would also need to update your Digital Vault seed phrase backup if you ever change your seed phrase by configuring a new wallet.
If you choose to store your seed phrase backup in any form that relies on your laptop/desktop, external digital drive, or Cloud storage, however, key management becomes much more complex:
If your laptop or desktop computer stores your seed phrase, you need to not only limit who has access to it, and keep all of its software up to date, but also have a plan for how to restore your system in the event of disk failure or software corruption. Your system backup should be in a different location in case of natural disaster, and you would need to protect that system backup too.
If you stored your seed phrase backup in some sort of encrypted, Cloud-based container, you would need to document and protect each mechanism involved … including authentication information to whatever device(s) or account(s) or tools are needed to retrieve the key. Depending on your choices, that could include a Cloud platform account, a password manager, an encryption key, 2-factor device authentication passwords or recovery codes, and possibly more. Such complex backup schemes contain not only increased chances of error, but ultimately, you still need to write down, remember, or somehow record one or more passwords in order to gain access to the password manager that would hold more pieces of the puzzle that ultimately leads you to your seed phrase backup. Ultimately, too much complexity introduces management risks that counteract security. If your recovery steps are complex, they would call for a well-documented backup/recovery plan for your complex array of secrets, and you would need to keep that plan in a safe, secret place!
Should you routinely change (rotate) all of your secrets?
It becomes necessary to change passwords or seed phrases any time they are potentially exposed or compromised (including loss, unauthorized access, or if a published software or hardware vulnerability affects them).
Does this mean that you have to change your crypto seed phrase from time to time? Not necessarily. The frequency of password or key changes should be driven by the chance (the risk) of their exposure.
On one end of the spectrum, for crypto that you keep in “cold storage,” and for which you have followed all of the guidance for generating a highly-randomized seed, keeping your seed phrase away from internet-connected environments, and maintaining high privacy about your crypto ownership, there is little to gain in “rotating” your keys regularly, since a good, random seed phrase will never be brute-force guessed, and there is little risk of anyone gaining access to your offline key or backup storage. This cold storage is akin to “set it and forget it.”
On the other end of the spectrum, it makes sense to change some passwords regularly. For example, if you regularly access a software service from a variety of different devices, then the frequency of your use of that password on internet-connected devices raises the chances that it could become compromised at some point in time. This service could be a social media account, banking application, email, or a password manager – it could even be one of your laptop operating system accounts. Think about it: if you use a password over and over again, perhaps from different browsers or different devices over time, and never change that password, chances are good that eventually, it will be captured by malware, observation, or a camera, or possibly hacked. This is why many online services force you to change your password occasionally.
Examples of passwords that you may want to change occasionally just because of the sheer number of times and contexts in which you use it are:
- The password or PIN to your mobile device
- The password to your desktop or laptop computer
- The password to hot wallets or crypto exchange accounts
Events that should cause you to immediately change your secrets.
There are circumstances in which you should immediately change passwords or rotate keys:
- If you lose physical control of your hardware wallet or backup – or suspect that you may have – you should “sweep” your crypto into a new wallet with freshly-generated keys. (Perhaps your home was broken into, or you accidentally packed a hardware wallet in checked baggage when travelling.)
- If an unusual and unplanned event like medical incapacitation, incarceration, device repair, etc. forces you to temporarily trust someone with any secrets to your accounts, devices, or vaults, you should change those secrets as soon as you can afterwards.
- Broken family situations can also lead to a practical need to change passwords.
- If malware is detected on your mobile device or desktop/laptop, you should distrust all accounts, passwords, and software that were used on that device. It would be prudent to restore your software wallet on a new and trusted device by importing the seed phrase, and then from there, sweep the funds to a freshly-created wallet with a new seed phrase / new keys. Don’t trust anything that you have ever typed on any potentially-infected machine. Even though malware protection software may report that it can “clean” malware from devices, it is safer to completely reinstall a device that has been infected with malware. Once you are working in a “clean” environment, change all of the passwords to accounts that you may have used on the infected machine – if your malware-infected machine had a keystroke logger installed, a hacker may have a record of everything that you had typed on that machine.
- If there was a software vulnerability reported in a tool that you used to interact with your crypto (a software wallet, a browser extension, etc.), you may also want to sweep your crypto to a new wallet. Not all software vulnerabilities are practically exploitable, but if you want to be on the safe side and you are not sure how much to worry, you will gain peace of mind by either researching enough to understand whether you should sweep your crypto due to that vulnerability, or sweeping it “just in case.”
Know your wallet’s backup and restore steps.
One of the most essential tests that you can perform in crypto key management is to restore your wallet from your seed phrase backup. Knowing that you can quickly and easily restore your crypto wallet gives you peace of mind, and allows you to act quickly if it is ever necessary to perform a restore on a new device, and then a sweep to a new wallet.
Read your wallet’s documentation to be confident that you understand all of the recommended steps.
Your crypto wallet may also hold NFTs or other digital assets. If you have digital asset files, you can store them in your Vault12 Digital Vault. Practice restoring them, too, for more peace of mind.
Practice sweeping your crypto to a new wallet.
You can practice sweeping funds to a new wallet anytime – you should become familiar with the process, whether you are just practicing by sweeping a small amount of crypto, or whether you choose to sweep the entire wallet account balance.
Remember that if you have a multi-currency wallet, you will likely need to perform one transaction for each type of digital asset – sweeping multi-account wallet balances may take a few steps. Also remember that it may take a few minutes for each blockchain transaction to be validated and completed, and for the swept funds to appear in your new wallet.
Additionally, every time you move crypto, it may appear to any applicable financial or tax regulators as if it is a spend transaction. Have some way of accounting over time for which funds you moved to a different wallet of your own, so that you can keep track of which of your transactions are spend transactions versus “sweep” transactions. If you are willing to give up some of your privacy to a third party, there are crypto portfolio trackers like Cointracker.io that can do this for you.
Practice restoring your wallet from your Digital Vault.
Restoring your wallet from your Vault12 Digital Vault is easy … but it too, should be practiced, with participation from your trusted Guardians, so that when you want to restore your wallet, it is a simple, well-understood, and successful process for all. In addition to being easy to restore, the Vault12 Digital Vault is secure and fault-tolerant.
When you restore your crypto from the Vault12 Digital Vault, pay close attention to any nonstandard instructions that you may have captured in Note files. If you are not available to help your beneficiaries restore your assets from your vault, they will need to be able to understand any Notes that you wrote.
When you change your wallet configuration, update your backups.
Remember that if you change your seed phrase, rotate your keys, or change any of the passwords related to your wallets or seed phrase, you must update your seed phrase backup, or your backup restore notes in such a way that your wallet restore instructions continue to be effective. It would be wise to perform a wallet restore test on a regular, scheduled basis, such as once per year, just to keep it fresh in your mind and the mind of your beneficiaries.