Holding the keys to your own bitcoin in a multisig wallet helps eliminate single points of failure. If a key in your wallet setup is lost, destroyed, or compromised, there’s fault-tolerance on your side—your bitcoin is still accessible. However, should this scenario occur, having “access” to your bitcoin is one thing, but maintaining a healthy wallet is another. If one of your multisig keys is compromised in some way, you should replace that key as soon as possible. Conversely, replacing a key you don’t need to replace can introduce unnecessary risks.
How do multisig key replacements work?
Before we consider the situations where replacing a key is necessary, it’s first helpful to know how multisig key replacements work.
Getting a new key—and a new safe
Think of your multisig wallet like a digital safe. You hold the keys to that safe. In the example of 2-of-3 multisig, your safe has two keyholes and three compatible keys. Any two keys out of the three can be used to unlock the safe so you can move bitcoin.
If someone stole one of your keys or it was lost or compromised, you would want to replace the key so that it wasn’t left outside of your control.
If you don’t have one of the keys to a physical safe, or you simply need to replace one, you can’t just go get a new key and expect it to function properly with your safe. If this were the case, the entire multi-millennia-old lock-and-key model wouldn’t work for securing anything!
The necessary next step would be to use the two non-compromised keys to open the safe and move goods into a new safe that can be opened with the two original keys, along with the new key. This is how replacing a key in a multisig wallet setup works.
How a new multisig wallet setup is created
Let’s imagine one of the most common multisig key replacement scenarios: a 2-of-3 multisig with keys 1, 2, and 3. In this scenario, 3 is a compromised key that needs to be replaced. A new key, 4, has been generated and the goal is now to replace key 3 with key 4.
In order to completely replace 3, a new multisig wallet must be created using 1, 2, and 4. Once this new multisig wallet has been constructed, funds can then be sent from the old wallet (using signatures from keys 1 and 2) to the new multisig wallet. In other words, you move funds from your old, partially secured safe to your new, fully secured safe.
It’s important to note that when you replace a key in a multisig wallet setup, you are constructing an entirely new wallet with a new key! This means that any address associated with your prior multisig wallet setup is not secured by or associated with the new key.
For this reason among others, it’s important to:
- Only replace keys in your multisig wallet when you actually need to, which we’ll cover in greater detail below.
- Ensure you transfer all funds from the old wallet to the new wallet, if you do replace a key.
- Remember to update whitelisted addresses with exchanges or other platforms.
When do I need to replace one of my keys?
If you think you might be in a situation where a key replacement is needed, take a deep breath. One of the beautiful things about multisig is the fault tolerance it affords you. It is not the end of the world if one of the keys to your wallet is no longer secure.
Each key in your multisig wallet setup has two components: a hardware wallet and a seed phrase backup. In our 2-of-3 multisig setup example, this means there are six total sensitive items—3 hardware wallets and 3 seed phrases—that need to be kept secure, plus a wallet config file. In a collaborative custody 2-of-3 model, it would instead be four total sensitive items—2 hardware wallets and 2 seed phrases—plus a wallet config file (the custody partner holds the third key).
Seed phrases are the more sensitive of the two components of each key because they are a direct human-readable representation of your key’s seed, which is what generates all the private keys to spend your funds. Hardware wallets, on the other hand, store the seed and let you use it to sign bitcoin transactions, and they’re usually protected by a PIN for an added layer of physical security.
Let’s consider the most common situations where your key security can be compromised.
Compromised seed phrase
A compromised seed phrase means that there is a chance your seed phrase words have been viewed by an unintended third party. This can happen if your seed phrase is stored in digital form, is transmitted online in any form or fashion, has been photographed, or has simply been seen physically by someone who isn’t you.
Digital exposure risk
Most hardware wallets encourage you to physically store a seed phrase backup upon setup, but it’s not uncommon for new users to disregard this advice and store a seed phrase digitally.
Hardware wallets are specifically designed to generate seeds in a secure environment separate from less secure, internet-connected devices. Immediately storing your seed phrase on another device that isn’t purpose-built to secure seeds exposes your wallet to a possible failure of digital storage media and the risk of malware like keyloggers. Even worse, you might not know you’re compromised until after you’ve moved significant funds to the wallet.
If you’ve backed up your seed phrase digitally, you should assume the key is compromised and you do need to replace this key in your multisig wallet.
Lost seed phrase
A lost seed phrase means you’re either unable to determine its whereabouts or it’s otherwise not accessible to you. Maybe you’ve checked your safe and your seed phrase is not there, or you misplaced it while traveling.
In these scenarios, you should assume the key is compromised and you do need to replace this key in your multisig wallet.
Destroyed seed phrase
Likewise, you might be the unfortunate victim of a flood or house fire and your seed phrase backup has been destroyed. You can mitigate this risk by upgrading your paper seed phrase backup to a metal one.
If your seed phrase is destroyed, you do need to replace this key in your multisig wallet.
Stolen seed phrase
Thankfully, if you’re using a proper multisig quorum, a single stolen seed phrase in a 2-of-3 cannot lead to loss of funds. Still, one seed phrase that has been stolen should be considered both lost and compromised.
You do need to replace the key in your multisig wallet, because a thief would only need to steal one more key to get closer to accessing your bitcoin should they have your multisig config file or coordinator log-in credentials.
Compromised hardware wallet
Similarly to a compromised seed phrase, if your hardware wallet was lost or stolen, you’ll need to replace the associated key in your multisig wallet. Even if you have a PIN that would prevent anyone from immediately accessing your funds, you should assume that the key is compromised, especially given that there have been documented hardware wallet compromises that have allowed attackers to circumvent PINs entirely on certain devices.
Lost hardware wallet
If you’re unable to determine the whereabouts of your device, you have no way of knowing if your seed has been compromised or may be compromised in the future.
You should assume that the seed phrase is compromised and you do need to replace this key in your multisig wallet.
If your device is missing from your secure location when you perform your regular checkup (something we recommend doing quarterly) or has disappeared from your personal belongings while traveling, it’s possible your hardware wallet has been stolen.
You should assume that the seed phrase is compromised and you do need to replace this key in your multisig wallet.
When you don’t need to replace a key
A physically secured seed phrase is the most sensitive item to secure for a given key. If you have reason to believe your seed phrase was either lost or compromised, you need to replace that key. However, there are often situations where you do not need to replace your key. In fact, in these situations, replacing your key can add more risk to your bitcoin than it mitigates.
Some of the risks and costs of unnecessarily replacing a key include:
- Transaction fees: Replacing a key means moving funds from an address controlled by one set of keys to another, which involves an on-chain spend.
- Moving large amounts of bitcoin: There is always a non-zero risk of making a mistake when moving large sums of bitcoin.
- Wallet configuration file: Your multisig wallet configuration file should be stored in a safe place and you need to replace it when you replace a key.
- Whitelisted addresses: Any whitelisted or “fixed” address you might have with an exchange or other service from your old wallet must be updated to an address from the new multisig wallet.
For these reasons, it’s important to understand the situations where replacing a key isn’t necessary. All of them are situations involving your hardware wallet, not your seed phrase.
Hardware or software failure
If your hardware wallet is physically destroyed (such as in a house fire or flood) or breaks due to an unknown hardware or software failure (such as a firmware update gone wrong, a broken USB port, or a non-functional display), you can restore your seed onto a new device as long as your seed phrase is physically secure.
If your device breaks and your seed phrase is physically secure and uncompromised, you can safely assume that the seed phrase on the destroyed device is not compromised and you don’t need to replace this key in your wallet setup.
Lost or forgotten PIN
Similarly, if you forget the PIN to your device, you can either reset the device to factory conditions and restore your seed onto it, or restore your seed onto a new device.
As long as your seed phrase is physically secure and uncompromised and you know the physical device has not been compromised, you can safely assume that the seed phrase on the device is not compromised and you don’t need to replace this key in your wallet setup.
If your PIN has been compromised but nobody has gained access to the physical device, you don’t have to treat the device as if it were lost or stolen.
You can safely assume that the seed phrase on the device is not compromised and you don’t need to replace this key in your multisig wallet setup.
Upgrading your device
Another common instance where you don’t need to replace the key to your wallet setup is when you get a new device. BIP39 seed phrases are compatible with all reputable bitcoin hardware wallets, so you can easily restore a seed phrase for a given key onto the new device. It’s best practice to check that the key was restored correctly by using the new device to confirm your multisignature address or by performing a small transaction.
As long as your seed phrases are physically secure and uncompromised, you don’t need to replace this key in your wallet setup.
How do I replace my key?
If you use bitcoin multisig by way of an Unchained vault, we make it easy to replace your compromised keys with newly-generated ones in your Unchained dashboard. Read more about this in the Knowledge Base or contact us at email@example.com for help.
If one of your keys in a fully self-custody multisig quorum needs to be replaced as explained above, there’s a standard process to follow that applies regardless of the bitcoin wallet software you use. Using 2-of-3 multisig as an example, you need to follow these general steps:
- Generate a new replacement key on a new hardware wallet
- Properly back up the new seed phrase on paper or metal
- Construct a new multisig wallet making use of the new key, along with the two original, uncompromised keys
- Perform a test deposit and withdrawal of a small amount of bitcoin to confirm the multisig wallet was built correctly
- Using two of the original keys, spend funds from the old wallet to the new multisig
- Ensure that you download and back up the new wallet configuration information for this new multisig wallet, and update any whitelisted or fixed addresses you may have on an exchange associated with the old wallet
After completing this process, the two uncompromised keys and the compromised key control the old wallet (now with no funds), and the two uncompromised keys, along with the newly-generated key, control the new wallet where you’ve moved your funds.
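The end state described above, and the earlier point that a replacement creates an entirely new wallet, can be checked directly. The following is an added example, not code from this article or from any wallet software: it builds the locking script for a 2-of-3 wallet from keys 1, 2, 3 and from keys 1, 2, 4 and shows the two never match. It assumes a P2WSH wallet with lexicographically sorted keys (BIP67) and works on the keys of a single address; the keys are constructed 33-byte placeholders and every function name is hypothetical.

```python
import hashlib

def placeholder_pubkey(label: str) -> bytes:
    """Constructed 33-byte stand-in for a compressed public key (not a usable key)."""
    return b"\x02" + hashlib.sha256(label.encode()).digest()

def multisig_witness_script(m: int, pubkeys: list) -> bytes:
    """OP_m <key>... OP_n OP_CHECKMULTISIG, keys sorted lexicographically (BIP67)."""
    keys = sorted(pubkeys)
    if not 1 <= m <= len(keys) <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    script = bytes([0x50 + m])                       # OP_1..OP_16 are 0x51..0x60
    for key in keys:
        if len(key) != 33:
            raise ValueError("expected a 33-byte compressed public key")
        script += bytes([33]) + key                  # push the 33-byte key
    return script + bytes([0x50 + len(keys), 0xAE])  # OP_n OP_CHECKMULTISIG

def p2wsh_script_pubkey(m: int, pubkeys: list) -> bytes:
    """Locking script of a P2WSH address: OP_0 <sha256(witness script)>."""
    digest = hashlib.sha256(multisig_witness_script(m, pubkeys)).digest()
    return b"\x00\x20" + digest

def stale_entries(whitelist: dict, old_lock: bytes) -> list:
    """Names of whitelist entries that still pay to the old wallet's script."""
    return sorted(name for name, lock in whitelist.items() if lock == old_lock)

# Constructed keys: 1 and 2 are kept, 3 is compromised, 4 is its replacement.
k1, k2, k3, k4 = (placeholder_pubkey(f"key-{i}") for i in (1, 2, 3, 4))
OLD_LOCK = p2wsh_script_pubkey(2, [k1, k2, k3])
NEW_LOCK = p2wsh_script_pubkey(2, [k1, k2, k4])

# Constructed whitelist: one entry was updated after the replacement, one was not.
WHITELIST = {"exchange-a": OLD_LOCK, "exchange-b": NEW_LOCK}

if __name__ == "__main__":
    print("old wallet:", OLD_LOCK.hex())
    print("new wallet:", NEW_LOCK.hex())
    print("same address?", OLD_LOCK == NEW_LOCK)
    print("still pointing at the old wallet:", stale_entries(WHITELIST, OLD_LOCK))
```

Because the address commits to a hash of all three public keys, any deposit sent to a stale whitelist entry lands in the old wallet, where the compromised key still counts toward the quorum.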
How can I avoid replacing a key in the future?
When it comes to replacing multisig keys, the best case scenario is always to ensure that a future key replacement procedure won’t be needed. The specifics of your security model depend on many variables and trade-offs, but generally you should ensure that your seed phrases are physically secure in geographically distributed locations and that your devices are accessible only by known, verified parties.
To learn more about how to store your seed phrases and hardware wallets properly, check out our ultimate guide to seed phrase storage, our guide to paper, metal, and other seed phrase backup methods, and if you’re an Unchained client, our seed phrase and hardware wallet storage recommendations in our operational security guide.
Get help with key replacements from bitcoin experts
One advantage of having a collaborative partner in your multisig arrangement is that our team of experts is here to help you handle situations like these. If you want a personal walkthrough on how to replace keys in your multisig wallet setup, be sure to check out Concierge Onboarding, and don’t miss our upcoming webinars which regularly cover technical bitcoin topics like these.