I was recently looking into key management for the BTC-Parachain and associated client software. Like similar software — namely Proof-of-Stake (PoS) validators or arbitrage keepers — they are designed to run autonomously 24/7 with unrestricted access to private keys for signing. In my effort to understand best-practices I decided to compare approaches across the industry.

Photo by Bradford Nicolas on Unsplash


There are a number of standards that contribute to secure key management in Bitcoin and related technologies such as Ethereum. The first, known as BIP32, formalizes Hierarchical Deterministic Wallets; derivation of a tree of key-pairs from a master seed. Another, BIP38, focuses on passphrase protection; both to encrypt pre-existing and generate pre-encrypted keys. Lastly, BIP39, extends BIP32 with a strategy to generate the master seed from a mnemonic phrase. Multisignatures can also be used to improve security by physically separating the private keys required to spend from a wallet. For example, “m-of-n” style addresses allow “m” signatures to unlock a payment designated to “n” participants.


The Web3 Secret Storage Definition defines the structure and encryption of JSON based private key files as used in Ethereum 1. A supplemental improvement proposal (EIP-2335) generalizes the structure for use within Ethereum 2 and beyond.


Validators in Cosmos only require one private key to participate in consensus. Tendermint supports an integrated Key Management System (KMS) developed by the staking provider Iqlusion. The toolkit has both Ledger and YubiHSM support, but can also sign using in-memory keys.


Validators in Polkadot require three sets of keys: the controller key is semi-online and should hold a small amount of funds, used to start and stop validating; the stash key is almost entirely offline but should hold the majority of funds, this balance is used as stake for the controller; the session key is always online and is used to sign consensus related messages. There are currently no additional protection mechanisms, but Substrate does enable automatic key rotation.


Secure key management is difficult to get right and many projects simply defer to the end-user. In an enterprise system there are many additional risk factors which need to be accounted for such as joint access. In such situations it is important to create a policy that identifies recourse should the system be compromised.


There are a few different models, but each device uses the same Blockchain Open Ledger Operating System (BOLOS) and app development toolkit. The marketplace (Ledger Live) hosts many popular applications for various cryptocurrencies — including Bitcoin and Ethereum. As discussed above, Tendermint even has a custom application which supports autonomous signing for PoS validators. Many of the other (user-oriented) applications do not support similar autonomous operations, however it is possible to fork them and load the custom build onto the firmware.


Designed by SatoshiLabs, Trezor’s application architecture differs from that of its competitor. Recognized coins, tokens and FIDO/U2F apps are described in the core firmware, limited only by the cryptographic library. There is no apparent ability to disable tx verification for autonomous signing which may make this device difficult to use for enterprise systems.


The latest version of this tamper resistant device has extensive cryptographic support. Supporting up to sixteen concurrent connections, the device can even be shared by multiple networked servers. The open-source SDK has already been integrated with a number of popular projects such as Cosmos.


Depending on the service provider, it may also be possible to use a hosted key management solution:

Software Engineer @Interlay

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store