Skip to main content

Cold Wallet Security and Operational Best Practices

Securing your digital assets with a Fireblocks Cold Wallet requires a comprehensive approach covering device security, key management, operational procedures, and governance controls.

These are recommended best practices based on Fireblocks' guidance and customer implementations. Organizations should adapt these recommendations based on their specific risk profile, operational requirements, and regulatory obligations.

Physical Device Security

Purchase and provisioning

  • Buy hardware directly from official sources (Apple for iOS devices, manufacturer websites, or authorized resellers) to avoid compromised devices
  • Use brand-new, factory-sealed devices and avoid reusing devices from departed employees
  • Follow the device provisioning guide exactly without skipping steps or deviating from instructions
  • Contact Fireblocks Support if any part of the provisioning process is unclear

Storage and maintenance

  • Store devices in secure, physically protected locations with restricted access (locked drawer, fireproof safe)
  • Keep devices constantly charged and connected to stable power sources
  • Enable strong, unique PIN codes (at least 4-8 digits) to prevent unauthorized access
  • Maintain an inventory of all devices with serial numbers and assignments

Air-gap integrity

  • Maintain complete network isolation after initial setup (no WiFi, Bluetooth, or cellular signals)
  • Never reconnect devices to the internet after pre-processing is complete

Recovery Passphrase Management

Storage principles

  • Store offline only - never type, photograph, screenshot, or store on internet-connected devices
  • Write on paper or engrave onto fireproof and waterproof materials (metal cards) for durability
  • Store multiple copies in different, physically secure locations (home safe, bank safety deposit box)
  • Keep devices and recovery passphrases in separate locations to prevent a single point of failure

Passphrase security

  • Use strong, unique passphrases for recovery materials
  • Store passphrases offline in secure physical locations
  • Never share passphrases across multiple users or environments
  • Avoid storing passphrases digitally

Access Control and Governance

Role separation and assignment

  • Owner: First user in the workspace using an offline device; generally, dedicated to MPC key provisioning and creating backup kits; not usually a specific person but a role in your organization, such as the CISO or similar; cannot sign transactions
  • Signers: Require offline devices; one signer signs per transaction
  • Non-Signing Admins: Administrative functions without signing capabilities
  • Approvers: Can approve transactions, no dedicated offline devices required

Personnel management

  • Provision multiple signing devices and users to avoid operational bottlenecks
  • Distribute signing authority across multiple individuals
  • Promptly revoke access for departed employees and re-provision fresh devices
  • Maintain documentation of role assignments and conduct regular access reviews

Approval workflows

  • Define approval thresholds based on transaction value or destination
  • Consider different requirements for various risk levels
  • Document approval workflows for audit purposes

Policy Engine Configuration

Policy design principles

  • Order rules from most restrictive to least restrictive (first-match principle)
  • Implement value-based thresholds for different approval requirements
  • Use Fireblocks P2P Network connections for trusted counterparties
  • Use whitelisted addresses when counterparties aren't on the Fireblocks P2P Network
  • Consider time-based controls (daily limits) for additional security

Hot/cold segregation

  • Use cold wallets for infrequent, high-value transactions
  • Maintain clear separation between cold (treasury/strategic) and hot (operational) wallets
  • Define rebalancing procedures between environments
  • Use Fireblocks' P2P Network for internal transfers between workspaces

Policy management

  • Review and approve policy changes with security/compliance teams
  • Test policy changes in a testnet workspace before production implementation
  • Policy changes via support ticket have a 3-5 business day SLA

Backup and Recovery

Workspace key backup

  • Generate a Workspace Key Backup Recovery Kit as a full backup of all key shares
  • Store the encrypted recovery kit offline in a secure location separate from devices
  • Evaluate third-party disaster recovery services (Coincover, Station70) for institutional requirements

Recovery testing

  • Test disaster recovery procedures in the testnet environment regularly
  • Verify passphrase access using Cold Wallet app (version 2.0.16 or later) without executing full recovery
  • Train multiple personnel on recovery processes
  • Maintain documentation of recovery procedures step-by-step
  • Request a testnet workspace for disaster recovery testing from your CSM

Operational Procedures

Transaction workflow

  • Cold wallet transactions use QR code scanning for signing
  • Plan for longer processing times compared to hot wallet transactions
  • Use a hot/cold hybrid approach: a separate hot wallet for daily transactions, and a cold wallet for long-term storage

Device lifecycle management

  • Plan for device replacement every 2-3 years
  • For replacement: onboard the new device first, then decommission the old device
  • Securely wipe or physically destroy decommissioned devices
  • Plan for device failures and personnel unavailability

Monitoring and Compliance

Audit and logging

  • Maintain audit logs of all transaction requests and approvals (automatically captured)
  • Review transaction logs regularly for anomalies
  • Retain logs per regulatory requirements

Regular reviews

  • Conduct periodic reviews of user access and role assignments
  • Review Policy Engine rules and thresholds regularly
  • Assess the security of device storage locations
  • Test backup and recovery procedures periodically

Documentation requirements

  • Maintain runbooks for cold wallet operations
  • Document escalation procedures for security incidents
  • Keep updated contact lists for personnel with cold wallet roles

Emergency Procedures

Suspected compromise

  • Use workspace freeze capability (available to Owner, Non-Signing Admin roles)
  • Freezing changes all user roles to Viewer, blocking outgoing transactions; however, the workspace continues receiving incoming transfers while frozen
  • Document the incident timeline and response actions

Device loss or theft

  • Report immediately to the security team and Fireblocks Support
  • Conduct a security assessment before re-provisioning

Personnel departure

  • Revoke workspace access promptly
  • Consider re-provisioning affected devices with new signers
  • Review any pending transactions

Common Risks to Avoid

  • Reusing devices from departed employees
  • Single signer with no backup personnel
  • Storing devices and recovery materials in the same location
  • Weak or shared passphrases
  • Unclear approval authorities or thresholds
  • Lack of tested disaster recovery procedures

Success Factors

  • Multiple signing devices for redundancy
  • Clear Policy Engine rules with appropriate approval thresholds
  • Completed workspace key backup with tested recovery procedures
  • Leverage Fireblocks Network for trusted counterparties
  • Regular access reviews and comprehensive documentation
Was this article helpful?
1 out of 1 found this helpful

Related Articles