How do custodians protect your digital assets?

April 26, 2023

An independent, third-party digital asset custodian is a dedicated service provider with the responsibility of protecting an investor’s private key on their behalf, relieving the investor of having to manage the private key themselves.

The primary responsibility of a custodian is to protect client private keys. How they do so depends on the respective service provider, and investors must always ask the necessary questions before choosing the right custodian.

For institutional investors in particular, fully licensed, insured and audited third-party custody is a necessity. While self-custody has its many benefits, it is not a suitable choice for investors holding a large percentage of their portfolio in digital assets due to security risks or regulatory requirements. As a result, institutional-grade digital asset custody solutions have become increasingly popular. Institutional-grade custody offers investors regulatory peace of mind, as well as robust security measures to ensure full protection of their digital assets. Such security measures include the use of Hardware Security Modules (HSMs) and key sharding.

Hardware Security Modules

Hardware Security Modules (HSMs) are physical computing devices designed to generate, store and use cryptographic keys securely. They provide tamper-evident, intrusion-resistant safeguarding and management of those keys.

Specific to digital asset custody, HSMs can be used to secure and store a wallet’s private keys directly on the physical device. They can be used to access a digital asset wallet, or to secure backups.

HSMs provide a robust level of security for sensitive material such as cryptographic keys or wallet private keys while meeting recognized security standards and regulatory requirements. HSMs are disconnected from the Internet, ensuring that only the holder of the physical device can perform operations when needed. This means any hacker or attacker would need physical access to the HSM to steal an investor’s funds. These devices have also historically been used for payment and banking security and are recognized under internationally accepted security standards such as the Federal Information Processing Standards (FIPS) published by the National Institute of Standards and Technology (NIST).

Key sharding 

Using Shamir’s Secret Sharing (SSS) scheme, key sharding is a procedure for splitting a single key into multiple pieces (shards) such that a threshold subset of those pieces (or all of them) can be recombined to recover the key and use it for signing transactions. This is an example of an M-of-N threshold scheme (often described as M/N consensus). For example, if one key is split into 5 shards and 3 shards are required to authorize a transaction, the holders of any 3 shards can combine their efforts to sign that transaction.

In the context of digital asset custody, wallet private keys can be split into multiple shards, with each shard stored in a different location. This method removes the single point of failure, as a malicious actor would need access to multiple shards in order to access an investor’s funds. It also provides tolerance to partial key loss, as only a threshold subset of the shards is required to recover the key and access the assets it protects.
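The 3-of-5 sharding described above, as an added example that is not part of the original post or Hex Trust’s own implementation: a minimal Shamir’s Secret Sharing over a prime field, showing that any 3 shards recover the key (loss tolerance) while 2 shards yield only an unrelated random value. The field prime and the stand-in "private key" are constructed for the example.

```python
import secrets
from itertools import combinations

# Field prime: every secret (e.g. a wallet private key as an integer) must be < PRIME.
# 2**255 - 19 is a well-known prime, large enough for 255-bit secrets (constructed choice).
PRIME = 2**255 - 19

def _eval_poly(coeffs, x):
    """Evaluate sum(coeffs[i] * x**i) mod PRIME using Horner's method."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, m, n):
    """Split `secret` into n shards (x, y) such that any m of them reconstruct it."""
    if not (1 < m <= n < PRIME) or not (0 <= secret < PRIME):
        raise ValueError("need 1 < m <= n and 0 <= secret < PRIME")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def combine_shards(shards):
    """Recover the constant term by Lagrange interpolation at x = 0.
    With fewer than m distinct shards this silently returns a uniformly
    random wrong value, not an error: below the threshold nothing leaks."""
    xs = [x for x, _ in shards]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shard x-coordinates")
    secret = 0
    for xi, yi in shards:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def every_quorum_recovers(shards, secret, k):
    """True if every k-subset of shards reconstructs `secret` (loss tolerance check)."""
    return all(combine_shards(list(q)) == secret for q in combinations(shards, k))

if __name__ == "__main__":
    key = secrets.randbelow(PRIME)        # constructed stand-in for a wallet private key
    shards = split_secret(key, 3, 5)      # the post's 3-of-5 example
    print("any 3 of 5 recover:", every_quorum_recovers(shards, key, 3))
    print("2 of 5 recover:", combine_shards(shards[:2]) == key)
```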

How Hex Trust protects client assets

Hex Trust’s custody solutions utilize a wide range of security measures and tools for the different wallet types offered. Hex Trust currently offers Zerokey wallets and cold storage solutions.

For Zerokey wallet users, client funds are protected with the use of HSMs and YubiKeys. YubiKeys are hardware security devices, isolated from the Internet, that are dedicated to protecting access to computers, networks and online services through public-key cryptography, strong authentication and related functions.

Wallets are first generated via the HSM, which has an integrated Key Management Server (KMS). The KMS handles the encryption, wrapping and storage of private keys. When a client requests a transaction, the transaction authorizers (each holding a YubiKey) are notified and are required to approve or reject that particular transaction. Following the M/N consensus scheme, the required quorum of YubiKey holders must authorize the signing of a transaction. Once the transaction is approved, it is broadcast to the blockchain and executed.

Clients looking for cold storage solutions can expect protection of their private keys through HSMs, key sharding and YubiKeys. Cold wallets are first generated for the client using an HSM. The private key is then sharded, with each shard stored on a separate YubiKey. When a client wishes to access their assets, Hex Trust’s dedicated operations team works in an air-gapped environment to access the YubiKeys holding the key shards and execute the requested transaction.

About Hex Trust

Hex Trust is a fully-licensed digital asset custodian that provides solutions for protocols, foundations, financial institutions, and the Web3 ecosystem. We have offices in Singapore, Hong Kong, Dubai, Italy, and Vietnam.
