An independent, third-party digital asset custodian is a dedicated service provider with the responsibility of protecting an investor’s private key on their behalf, relieving the investor of having to manage the private key themselves.
The primary responsibility of a custodian is to protect client private keys. How they do so depends on the respective service provider, and investors must always ask the necessary questions before choosing the right custodian.
For institutional investors in particular, fully licensed, insured and audited third-party custody is a necessity. While self-custody has its many benefits, it is not a suitable choice for investors holding a large percentage of their portfolio in digital assets due to security risks or regulatory requirements. As a result, institutional-grade digital asset custody solutions have become increasingly popular. Institutional-grade custody offers investors regulatory peace of mind, as well as robust security measures to ensure full protection of their digital assets. Such security measures include the use of Hardware Security Modules (HSMs) and key sharding.
Hardware Security Modules (HSMs) are physical computing devices designed to securely store and manage data. They provide tamper-evident, intrusion-resistant safeguarding & management of cryptographic keys.
Specific to digital asset custody, HSMs can be used to secure and store a wallet’s private keys directly on the physical device. They can be used to access a digital asset wallet, or to secure backups.
HSMs provide a robust level of security for sensitive data like cryptographic keys or wallet private keys while meeting security standards/regulations. HSMs are disconnected from the Internet, ensuring that only the holder of the physical device can perform operations when needed. This means any hackers or attackers would need physical access to the HSM to steal an investor’s funds. These devices have also been historically used for payment and banking security, recognized under international security standards like the Federal Information Processing Standards (FIPS) by the National Institute of Standards and Technology (NIST).
Using the Shamir’s Secret Sharing (SSS) scheme, key sharding is a procedure of splitting a single key into multiple pieces (shards) such that a subset of those pieces or all can be recombined to recover and use the key for signing transactions. This is an example of an M/N consensus algorithm. For example, if one key is split into 5 shards, and requires 3 shards to authorize a transaction, the holders of 3 shards can combine their efforts to sign a respective transaction.
In the context of digital asset custody, wallet private keys can be split into multiple shards, with each shard stored in a different location. This method eliminates any single point of failure, as a malicious actor would need access to multiple shards in order to access an investor’s funds. It also provides tolerance to partial key loss, as only a subset is required to access the data the keys protect.
Hex Trust’s custody solutions utilize a wide range of security measures and tools for the different wallet types offered. Hex Trust currently offers Zerokey wallets and cold storage solutions.
For Zerokey wallet users, client funds are protected with the use of HSMs and Yubikeys. Yubikeys are hardware security devices isolated from the Internet, dedicated to protecting access to computers, networks, and online services that support public-key cryptography, authentication and more.
Wallets are first generated via the HSM, which has an integrated Key Management Server (KMS). The KMS allows the encryption, wrapping, and storage of private keys. When a transaction is requested by a client, the transaction authorizers (each holding a Yubikey) are notified of the transaction, and are required to approve/disapprove the particular transaction. Following the M/N consensus scheme, N number of Yubikey holders are required to authorize the signing of a transaction. Once the transaction is approved, it is broadcasted to the blockchain and executed.
Below is an illustration of the security layers within a client’s Zerokey wallet.
Clients looking for cold storage solutions can expect protection of their private keys through HSMs, key sharding, and Yubikeys. Cold wallets are first generated for the client using HSM. The private key is then sharded, with each shard stored on separate Yubikeys. When a client wishes to access their assets, Hex Trust’s dedicated operations team works in an air gapped environment to access the Yubikeys holding the key shards to execute a respective transaction.
The client may also request a Yubikey dedicated to authorizing transactions, which follows the same M/N consensus scheme as Zerokey wallets. This adds an extra layer of security to ensure every transaction to access cold storage assets are upon the clients’ instructions. Once the transaction is approved, it is broadcasted to the blockchain, and executed.
Below is an illustration of the security layers within a client’s cold storage.
Hex Trust is a fully-licensed digital asset custodian that provides solutions for protocols, foundations, financial institutions, and the Web3 ecosystem. We have offices in Singapore, Hong Kong, Dubai, Italy, and Vietnam.