Phil Geiger
Stephen Hall
How does the bitcoin source code define its 21 million cap?
Many of bitcoin’s staunchest critics have expressed doubt about its 21 million cap, but perhaps the most mindless criticism relates…
,Collaborative custody vaults with Unchained are a form of bitcoin self-custody. This means you hold the keys to your bitcoin and keep complete control over your funds in a permissionless and censorship-resistant way. Unchained’s vaults are built to eliminate single points of failure when securing your bitcoin—to ensure no single entity or item (such as a seed phrase or hardware wallet) can be compromised and result in a loss of funds.
For all parties involved, collaborative custody offers superior protection from a wide range of attack vectors. With Unchained included in your custody solution, you have a partner to assist you in the event you have an issue with any of the items used to secure your bitcoin funds. Though always available to help, Unchained has no way to access or move your bitcoin without authorization from at least one of the keys under your control.
Achieving the highest levels of security requires diligence and forethought, however—especially when it comes to taking steps to secure the physical elements of your vault. This guide is designed to help you identify and deploy an optimized security strategy based on your intended use of your vault and any attack vectors from which you would like to defend.
How is your bitcoin secured in collaborative custody?
In an Unchained client-controlled vault, clients control two of the keys and Unchained holds a third key as a backup. This type of setup is called multisignature, which means that multiple keys are combined to build one wallet with one or more keys being required to spend bitcoin. Because two of the three keys are needed in an Unchained vault, and you control them, you have full control over your funds.
Multisignature addresses are native to the bitcoin protocol—meaning you can always recover an Unchained vault using open-source software that follows multisignature standards. This is the difference between using bitcoin’s native multisignature and other custody models like multi-party computation (which is proprietary) or Shamir Secret Sharing (which involves cryptographically separating a single key into multiple parts).
7 elements to consider for your bitcoin security
In collaborative custody and self-custody more broadly, there’s more to consider than just the physical key elements, however.
With an Unchained vault, ultimately there are seven security elements to consider. These include:
- The bitcoin owner (you)
- Hardware wallet A
- Seed phrase A (for hardware wallet A)
- Hardware wallet B
- Seed phrase B (for hardware wallet B)
- Your custody partner (Unchained)
- A multisig config file backup, stored digitally
For this guide, we’ll primarily be focusing on the physical security for each of the two keys you hold for an Unchained vault, which are comprised of two elements each:
- A hardware wallet, such as a Trezor, Ledger, or Coldcard
- An associated seed phrase, which is a standard physical key, often written down or inscribed in metal, as a unique series of 12 or 24 words generated by the hardware wallet
How many keys are needed to spend bitcoin?
With Unchained, to move or spend bitcoin, two keys are needed to sign a transaction:
- You can use your two keys and sign on your own via Unchained’s website
- You can use one of your keys and request Unchained to use its key as the second signature
- If you need to transfer your bitcoin without accessing Unchained’s website, you will need your wallet configuration file, your two keys, and our open-source multisig coordinator, Caravan (or other multisig software, such as Sparrow)
Unchained’s collaborative custody model means you can lose access to three of the four key elements (hardware wallets and seed phrase backups) and still recover your funds. As we’ll explain below, you should still take storage security seriously for these four items and avoid co-locating any hardware wallets or seed phrases.
If you lose all four items, Unchained cannot help you recover your funds, and your bitcoin will be permanently lost. This makes it vital, at a bare minimum, to store a seed phrase in a secondary secure location. Co-mingling all four items in the same place for any period of time sets up unacceptable single-point-of-failure conditions in which all four elements are at risk (fire, theft, flood, etc).
How to physically secure your bitcoin keys
Required first step: One seed phrase separated
The bare minimum security in collaborative custody requires a first step of physically and geographically separating at least one seed phrase. Once separated, your bitcoin is more secure than with singlesignature self-custody or third-party custodians because there is no longer a single location that can be compromised non-maliciously that can cause you to lose your bitcoin.
| Hardware wallet A | Secured on your physical property |
| Hardware wallet B | Secured on your physical property |
| Seed phrase A | Secured on your physical property |
| Seed phrase B | Secured at secondary location: – Bank safe deposit box – Family member’s safe (Inheritance consideration) – Separate property you own |
Keeping one seed phrase in a secure, separate location away from your other three items eliminates all single points of failure, but you’re still reliant on Unchained if the remaining three of four items are lost in a scenario such as a fire, flood or other natural disaster (non-malicious).
This initial step offers protection by eliminating single points of failure in non-malicious scenarios, but does not offer strong protection if someone with malicious intent breaks into your primary location and knows that you have bitcoin secured in a multisignature wallet. An attacker could theoretically acquire sufficient information to transfer bitcoin or could coerce you into moving the bitcoin since enough keys would be present. This is known colloquially as the $5 wrench attack.
For this reason, it is important that the three items secured at your primary physical location are not kept together in the same safe or drawer.
Recommended for maximum security: Separate all four key-related items
The maximum security approach eliminates all single points of failure, significantly reduces both trust in your collaborative custody partner, and offers the strongest protection against both malicious (e.g. $5 wrench attacks) and non-malicious (e.g. natural disaster) attack vectors.
With this setup, any single location can be compromised while still allowing you to recover your bitcoin without your collaborative custody partner’s involvement. However, it requires identifying and maintaining four separate secure physical locations and makes it more difficult to move your bitcoin for time-sensitive transactions.
| Hardware wallet A | Secured in first of four separate, physical locations: – Bank safe deposit box – Family member’s safe (Inheritance consideration) – Home safe – Office safe – Safe on secondary property you own |
| Hardware wallet B | Secured in second of four separate, physical locations: – Bank safe deposit box – Family member’s safe (Inheritance consideration) – Home safe – Office safe – Safe on secondary property you own |
| Seed phrase A | Secured in third of four separate, physical locations: – Bank safe deposit box – Family member’s safe (Inheritance consideration) – Home safe – Office safe – Safe on secondary property you own |
| Seed phrase B | Secured in fourth of four separate, physical locations: – Bank safe deposit box – Family member’s safe (Inheritance consideration) – Home safe – Office safe – Safe on secondary property you own |
In a non-malicious scenario, three out of four locations would need to be compromised simultaneously and be permanently inaccessible to put you in a position where you do not have sovereign control of your bitcoin, but in that situation you could still recover your bitcoin with the help of your collaborative custody partner. You can recover trustlessly without your collaborative custody partner if you have access to two keys and your multisig configuration file.
While offering a high level of security, this approach requires more effort to maintain. At Unchained, we recommend quarterly key checks which, in this scenario, means traveling to at least two locations in your setup once every 90 days. Additionally, it is a good idea to check seed phrases every 180 days, which requires even more travel. When checking your seed phrases, you’ll want to confirm you know their whereabouts and be confident they have not been tampered with. During a seed phrase check, be sure to confirm that the words are legible and can reliably be used to recover onto a new device, if needed.
Example ideal setup:
| Hardware wallet A | Home safe |
| Hardware wallet B | Safe deposit box – Bank A |
| Seed phrase A | Family member safe |
| Seed phrase B | Safe deposit box – Bank B |
Middle ground options: Separating two items
Option A: Optimize for physical threat ($5 wrench attack) risk
With this approach, keys are separated (seed phrase along with its corresponding hardware wallet) to ensure it is not possible for you to move the bitcoin in the event that someone physically shows up at your house. However, for you to transfer bitcoin, you would either need to physically go to the second location and obtain the second key or request Unchained to use its key to complete a second signature, which can take up to 72 hours.
| Hardware wallet A | Secured on your physical property |
| Hardware wallet B | Secured at secondary location: – Bank safe deposit box – Family member’s safe (Inheritance consideration) – Home safe – Office safe – Safe on secondary property you own |
| Seed phrase A | Secured on your physical property |
| Seed phrase B | Secured at secondary location: – Bank safe deposit box – Family member’s safe (Inheritance consideration) – Home safe – Office safe – Safe on secondary property you own |
Similar to the storage recommendation highlighted in the first step, the key elements should not be kept in the same place within each physical location. For example, you could put one seed phrase in a safe at your house, and the corresponding hardware wallet in a locked drawer.
Separating your two keys and their backups improves your security when,
- You do not have four secure locations
- You do not plan to spend your bitcoin frequently
- You do not have time-sensitive transactions you might need to make—such as selling bitcoin or adding additional collateral to a bitcoin-backed loan
A risk to this method is that if either of your secure locations are compromised or destroyed, you are no longer sovereign over your bitcoin. You must collaborate with your collaborative custody partner to move the bitcoin.
Option B: Optimize for ease of transactions and eliminating dependence on custody partner
Here, both devices and both seeds are kept in two separate locations. This eliminates single points of failure from non-malicious compromises and protects you against your collaborative custody partner being unavailable. It also gives you full control of your bitcoin should any one location become compromised, and allows for greater accessibility to your bitcoin for time-sensitive use cases—such as selling bitcoin or servicing a bitcoin-collateralized loan requiring additional collateral.
| Hardware wallet A | Secured on your physical property |
| Hardware wallet B | Secured on your physical property |
| Seed phrase A | Secured at secondary location: – Bank safe deposit box – Family member’s safe (Inheritance consideration) – Home safe – Office safe – Safe on secondary property you own |
| Seed phrase B | Secured at secondary location: – Bank safe deposit box – Family member’s safe (Inheritance consideration) – Home safe – Office safe – Safe on secondary property you own |
This option offers less protection from the $5 wrench attack since you will have the ability to move your multisig funds should someone maliciously compromise you. Similar to the storage recommendation highlighted in the previous sections, the key elements should not be kept in the same place within each physical location. For example, you could put one seed phrase in a safe at your house, and the corresponding hardware wallet in a locked drawer.
Another risk: Should the location securing both of your seed phrases be compromised, you would have to rely on your hardware wallets functioning perfectly in order to move your bitcoin. Unchained recommends always securing your seed phrases physically to reduce the reliance on devices working reliably in order to move your bitcoin.
An important note on maintenance
If any single location is ever compromised for any of the above models, that key and its backup seed phrase should be replaced as soon as possible. If multiple physical locations are compromised by a malicious attacker, you should act immediately to create new keys and transfer your bitcoin to a new wallet you control, even though an attacker would still need access to your account or your wallet configuration file in order to transfer funds.
If you’re ever unsure about the right steps to protect your bitcoin in the case of either non-malicious or malicious events, get in touch. Also see our article on how multisig key replacements work and when you need to perform one so you can be better prepared for scenarios that would require you to take action to protect your bitcoin.
Take your first step
Almost everything in bitcoin is a journey—from education around bitcoin keys and addresses, to appropriately securing the different elements of your setup. Hopefully, this article empowers you with actionable information you can put to use based on your unique situation.
If you currently have all of your hardware wallets and seed phrases in one physical location, we strongly recommend that you take your first step toward optimal security by separating one seed phrase from the rest of the items. If you’ve already taken this step, start thinking about what works best for you as relates to protection against $5 wrench attacks and reducing reliance on your collaborative custody partner.