Cold key storage setup

We design and develop full-cycle blockchain solutions: from smart contract architecture to launching DeFi protocols, NFT marketplaces and crypto exchanges. Security audits, tokenomics, integration with existing infrastructure.

Cold Key Storage Setup

Cold storage means keeping private keys on a device that is never connected to the internet. Properly configured cold storage is the only way to ensure security for significant amounts: even if your online systems are compromised, the keys in cold storage remain safe.

Threat Levels

Before choosing an architecture, you need to understand what you're protecting against:

  • Remote compromise — hacker gains access to online systems
  • Physical access — attacker gains the device
  • Insider threat — team member abuses access
  • Natural disasters — fire or flood destroys physical media
  • Loss/forgetting — accidental loss of access to own keys

The solution for each threat differs, and strengthening protection against one threat often weakens protection against another (a complex multi-sig protects against theft but increases the risk of losing access).

Cold Storage Options

Hardware Wallet (Ledger/Trezor)

The optimal balance of convenience and security for most cases. The private key is generated and stored in the device's secure element and never leaves it.

Setup:

  1. Buy only from official distributors (not secondhand)
  2. Check packaging integrity and firmware on first use
  3. Generate seed phrase on the device — never on computer
  4. Write seed phrase by hand on paper — do not photograph or print
  5. Verify seed phrase through recovery test (erase device, restore)
  6. Set strong PIN (6+ characters)
  7. Enable passphrase (25th word) for additional security layer

Passphrase — an additional secret beyond the 24 words. Same seed + different passphrases → different wallets. If the device is stolen, an attacker without the passphrase sees only an empty or decoy wallet.
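The derivation behind "same seed + different passphrases → different wallets", as an added example that is not from the original page: BIP-39 turns the mnemonic and passphrase into the wallet seed with PBKDF2-HMAC-SHA512, so a single changed character in the passphrase opens an unrelated (empty) wallet. The mnemonic is the public BIP-39 test vector; the passphrases and the `wallet_label` helper are constructed for comparison only.

```python
import hashlib
import unicodedata

# Public BIP-39 test-vector mnemonic (all-zero entropy); any valid mnemonic behaves the same.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 512-bit BIP-39 seed.

    PBKDF2-HMAC-SHA512, 2048 rounds, password = mnemonic, salt = "mnemonic" + passphrase.
    Both strings are NFKD-normalised first, as hardware wallets do, so the same
    Unicode passphrase typed on different devices yields the same wallet.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallet_label(seed: bytes) -> str:
    """Short comparison label for the wallet a seed opens (constructed; not a real xpub)."""
    return hashlib.sha256(seed).hexdigest()[:8]


def compare_passphrases(mnemonic, passphrases):
    """Map each passphrase to the wallet it opens; distinct labels mean distinct wallets."""
    return {p: wallet_label(bip39_seed(mnemonic, p)) for p in passphrases}


if __name__ == "__main__":
    # Constructed passphrases: none (decoy wallet), the real one, and two near-misses
    # (trailing space, different capitalisation) that each open a different empty wallet.
    candidates = ["", "my-25th-word", "my-25th-word ", "My-25th-word"]
    for p, label in compare_passphrases(MNEMONIC, candidates).items():
        print(f"passphrase {p!r:18} -> wallet {label}")
```

This is also why step 5 (recovery test) matters: a passphrase that cannot be reproduced exactly is indistinguishable from a lost key.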

Air-gapped Machine

A computer that has never been connected to a network and never will be. Used only for operations with keys.

Requirements:

  • Physically isolated PC (WiFi/Bluetooth adapters removed or desoldered from the board)
  • Boot only from verified USB
  • Operating system: Tails OS (amnesic — leaves no traces) or specialized Linux
  • Data transfer only via QR-codes or single-use USB

Transaction signing flow:

  1. Online machine: creates unsigned transaction → QR-code
  2. Air-gapped machine: scans QR, signs → QR-code with signature
  3. Online machine: scans signature QR → broadcast

Tools: Electrum, Specter Desktop and Sparrow Wallet for Bitcoin. For Ethereum — Gnosis Safe with an air-gapped signer, or Frame wallet.

HSM (Hardware Security Module)

For corporate use: AWS CloudHSM, Thales Luna, Utimaco. Keys are generated and stored in tamper-evident, tamper-responding hardware: physical intrusion zeroizes the keys. Supports M-of-N activation (multiple smart cards presented simultaneously).

Seed Phrase Physical Storage

Paper is vulnerable to water and fire. Options for long-term seed phrase storage:

Metal Plates. Cryptosteel Capsule, Billfodl, Blockplate — the words are stamped letter by letter on stainless steel. Withstands 1400°C (most fires) and is waterproof.

Shamir Secret Sharing. The seed phrase is split into N shares, any K of which suffice for recovery (e.g., 3-of-5). Each share is stored with a different trusted person or in a different location. Trezor supports SLIP-39 (Shamir Backup) natively.

Geographic Distribution

All copies of the keys in one place = a single point of failure. Recommended:

  • Primary copy: home safe or bank deposit box
  • Backup: trusted relative in another city
  • Backup 2 (for large amounts): notary or specialized crypto custodian

Important: trusted persons should know what they are storing but must not know the PIN/passphrase. Store the PIN/passphrase separately from the seed (different location, different person).

Multi-sig as Cold Storage

Gnosis Safe with multiple hardware wallets in different locations. 2-of-3: one Ledger at home, one with a trusted partner, one in a bank deposit box. Losing one is not a disaster; stealing one is insufficient to move the funds.

Setup for Teams

For companies — mandatory documentation of procedures:

  • Who has access to which keys
  • Transaction procedure (who initiates, who signs, who verifies)
  • Key rotation procedure when employee leaves
  • Recovery procedure if key is lost
  • Regular tests (quarterly: verify all keys are present and working)

Cold storage setup for an individual — 1-2 days of consultation and implementation. For an organization with multi-sig, HSM and documented procedures — 2-4 weeks.