Securing your digital assets with a Fireblocks Cold Wallet requires a comprehensive approach covering device security, key management, operational procedures, and governance controls.
These are recommended best practices based on Fireblocks' guidance and customer implementations. Organizations should adapt these recommendations based on their specific risk profile, operational requirements, and regulatory obligations.
Physical Device Security
Purchase and provisioning
- Buy hardware directly from official sources (Apple for iOS devices, manufacturer websites, or authorized resellers) to avoid compromised devices
- Use brand-new, factory-sealed devices and avoid reusing devices from departed employees
- Follow the device provisioning guide exactly without skipping steps or deviating from instructions
- Contact Fireblocks Support if any part of the provisioning process is unclear
Storage and maintenance
- Store devices in secure, physically protected locations with restricted access (locked drawer, fireproof safe)
- Keep devices constantly charged and connected to stable power sources
- Enable strong, unique PIN codes (at least 4-8 digits) to prevent unauthorized access
- Maintain an inventory of all devices with serial numbers and assignments
Air-gap integrity
- Maintain complete network isolation after initial setup (no WiFi, Bluetooth, or cellular signals)
- Never reconnect devices to the internet after provisioning is complete
Recovery Passphrase Management
Storage principles
- Store offline only - never type, photograph, screenshot, or store on internet-connected devices
- Write on paper or engrave onto fireproof and waterproof materials (metal cards) for durability
- Store multiple copies in different, physically secure locations (home safe, bank safety deposit box)
- Keep devices and recovery passphrases in separate locations to prevent a single point of failure
Passphrase security
- Use strong, unique passphrases for recovery materials
- Store passphrases offline in secure physical locations
- Never share passphrases across multiple users or environments
- Avoid storing passphrases digitally
Access Control and Governance
Role separation and assignment
- Owner: The first user in the workspace, using an offline device; generally dedicated to MPC key provisioning and creating backup kits; typically a role in your organization (such as the CISO) rather than a specific person; cannot sign transactions
- Signers: Require offline devices; one signer signs per transaction
- Non-Signing Admins: Administrative functions without signing capabilities
- Approvers: Can approve transactions; no dedicated offline devices required
Personnel management
- Provision multiple signing devices and users to avoid operational bottlenecks
- Distribute signing authority across multiple individuals
- Promptly revoke access for departed employees and re-provision fresh devices
- Maintain documentation of role assignments and conduct regular access reviews
Approval workflows
- Define approval thresholds based on transaction value or destination
- Consider different requirements for various risk levels
- Document approval workflows for audit purposes
Policy Engine Configuration
Policy design principles
- Order rules from most restrictive to least restrictive (first-match principle)
- Implement value-based thresholds for different approval requirements
- Use Fireblocks P2P Network connections for trusted counterparties
- Use whitelisted addresses when counterparties aren't on the Fireblocks P2P Network
- Consider time-based controls (daily limits) for additional security
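The first-match principle above (and the value-based approval thresholds from the Approval workflows section), as an added example that is not from Fireblocks or this page: a constructed, simplified rule evaluator in Python, not the Fireblocks Policy Engine rule format, showing how a catch-all rule placed first masks the stricter whitelist and value-threshold rules, with a daily-limit check and a helper that reports rules no test transaction can reach. Rule names, addresses and the `from_peer` flag are assumptions.

```python
from dataclasses import dataclass

# Constructed, simplified model of a first-match rule engine. It is NOT the
# Fireblocks Policy Engine's rule format; it only shows why rule order matters.
@dataclass
class Tx:
    amount_usd: float
    destination: str
    from_peer: bool = False   # assumed flag: counterparty reached via the P2P Network

@dataclass
class Rule:
    name: str
    action: str               # "block" or "approve:<number of approvers>"
    min_usd: float = 0.0
    dest: str = "any"         # "any" | "whitelist" | "unlisted"

    def matches(self, tx: Tx, whitelist: set) -> bool:
        if tx.amount_usd < self.min_usd:
            return False
        if self.dest == "whitelist":
            return tx.destination in whitelist
        if self.dest == "unlisted":       # neither whitelisted nor a network peer
            return tx.destination not in whitelist and not tx.from_peer
        return True

def evaluate(rules, tx, whitelist, daily_spent_usd=0.0, daily_limit_usd=None):
    """Return (rule name, action) for the FIRST matching rule; default is block."""
    if daily_limit_usd is not None and daily_spent_usd + tx.amount_usd > daily_limit_usd:
        return ("daily-limit", "block")
    for rule in rules:
        if rule.matches(tx, whitelist):
            return (rule.name, rule.action)
    return ("default-deny", "block")

def shadowed_rules(rules, probes, whitelist):
    """Rules that no probe transaction ever reaches: a sign of misordering."""
    reached = {evaluate(rules, tx, whitelist)[0] for tx in probes}
    return [r.name for r in rules if r.name not in reached]

WHITELIST = {"0xWL-treasury-constructed"}          # constructed sample address
SAFE_ORDER = [                                      # most restrictive first
    Rule("block-unlisted", "block", dest="unlisted"),
    Rule("high-value-3-approvals", "approve:3", min_usd=100_000),
    Rule("mid-value-2-approvals", "approve:2", min_usd=10_000),
    Rule("routine-1-approval", "approve:1"),
]
MISORDERED = [SAFE_ORDER[3]] + SAFE_ORDER[:3]       # catch-all rule placed first
PROBES = [Tx(500_000, "0xWL-treasury-constructed"), Tx(20_000, "0xWL-treasury-constructed"),
          Tx(5_000, "0xWL-treasury-constructed"), Tx(50, "0xUnknown-constructed")]
```

Running `shadowed_rules` against a set of representative probe transactions before a policy change is submitted is a cheap way to catch a misordered rule set in the testnet workspace.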
Hot/cold segregation
- Use cold wallets for infrequent, high-value transactions
- Maintain clear separation between cold (treasury/strategic) and hot (operational) wallets
- Define rebalancing procedures between environments
- Use Fireblocks' P2P Network for internal transfers between workspaces
Policy management
- Review and approve policy changes with security/compliance teams
- Test policy changes in a testnet workspace before production implementation
- Policy changes via support ticket have a 3-5 business day SLA
Backup and Recovery
Workspace key backup
- Generate a Workspace Key Backup Recovery Kit as a full backup of all key shares
- Store the encrypted recovery kit offline in a secure location separate from devices
- Evaluate third-party disaster recovery services (Coincover, Station70) for institutional requirements
Recovery testing
- Test disaster recovery procedures in the testnet environment regularly
- Verify passphrase access using Cold Wallet app (version 2.0.16 or later) without executing full recovery
- Train multiple personnel on recovery processes
- Maintain documentation of recovery procedures step-by-step
- Request a testnet workspace for disaster recovery testing from your CSM
Operational Procedures
Transaction workflow
- Cold wallet transactions use QR code scanning for signing
- Plan for longer processing times compared to hot wallet transactions
- Use a hot/cold hybrid approach: a separate hot wallet for daily transactions, and a cold wallet for long-term storage
Device lifecycle management
- Plan for device replacement every 2-3 years
- For replacement: onboard the new device first, then decommission the old device
- Securely wipe or physically destroy decommissioned devices
- Plan for device failures and personnel unavailability
Monitoring and Compliance
Audit and logging
- Maintain audit logs of all transaction requests and approvals (automatically captured)
- Review transaction logs regularly for anomalies
- Retain logs per regulatory requirements
Regular reviews
- Conduct periodic reviews of user access and role assignments
- Review Policy Engine rules and thresholds regularly
- Assess the security of device storage locations
- Test backup and recovery procedures periodically
Documentation requirements
- Maintain runbooks for cold wallet operations
- Document escalation procedures for security incidents
- Keep updated contact lists for personnel with cold wallet roles
Emergency Procedures
Suspected compromise
- Use the workspace freeze capability (available to the Owner and Non-Signing Admin roles)
- Freezing changes all user roles to Viewer, blocking outgoing transactions; however, the workspace continues receiving incoming transfers while frozen
- Document the incident timeline and response actions
Device loss or theft
- Report immediately to the security team and Fireblocks Support
- Conduct a security assessment before re-provisioning
Personnel departure
- Revoke workspace access promptly
- Consider re-provisioning affected devices with new signers
- Review any pending transactions
Common Risks to Avoid
- Reusing devices from departed employees
- Single signer with no backup personnel
- Storing devices and recovery materials in the same location
- Weak or shared passphrases
- Unclear approval authorities or thresholds
- Lack of tested disaster recovery procedures
Success Factors
- Multiple signing devices for redundancy
- Clear Policy Engine rules with appropriate approval thresholds
- Completed workspace key backup with tested recovery procedures
- Use of the Fireblocks Network for trusted counterparties
- Regular access reviews and comprehensive documentation