
Why Seed Phrase Security Should Be Priority Number One

Private keys are the backbone of digital asset security as they provide the means by which transactions are signed. Without private keys, institutions cannot access their cryptocurrency or initiate transactions. Similar to other passwords, authentication methods, and authorization codes, it is paramount for institutions to take steps to protect their private keys and keep them safe from unauthorized access.

Losing a private key or having it stolen is a worst-case scenario for any institution providing custody of digital assets. In such cases, a seed phrase is part and parcel of any disaster recovery plan. Seed phrases, usually a string of random words, provide a way to retrieve or restore access to the private keys in case of loss.

If the original private key is lost, the owner can re-enter the seed phrase into a new wallet/vault to recover access to their assets. A proper institutional-grade custody solution will generate seed phrases for every authorized approver in the quorum during the account creation process. Users are then taught how to store their seed phrases (or portions of their seed phrases) securely and how to reinitiate their keys in case of disaster. Keeping backups of the different portions of the seed phrase in separate storage locations is considered best practice.

Never give anyone access to your private key or your complete seed phrase

Recently, a seed phrase backup service that relies on third-party entities has been offered on the market. It has been met with concern across the industry, and with good reason: many fear such a service can serve as a backdoor for gaining access to users’ seed phrases. Those fears are not unfounded, as malign actors have used similar approaches throughout history.

While third-party backup services may seem convenient, they expose the organization to counterparty risk. If the third-party service is breached, goes bankrupt, or simply employs a dishonest insider, the seed phrases (and thus the private keys) are put at risk. This is true for all users, but for institutions managing millions of dollars in assets under management, the security of private keys and seed phrases is paramount, because any unauthorized access to these codes can lead to catastrophic losses.

Moreover, transmitting the seed (or shares or portions that can reconstruct the seed) over the internet fundamentally alters the threat model of a hardware wallet. To enact the backup, users must connect the wallet to their phone via Bluetooth, and any device connected to the internet can be hacked. Experience indicates that hackers, on average, spend about $1 million to breach an internet-connected device. For an institution with multimillion-dollar AUM, the potential ROI is enough to encourage cyber criminals.

The only safe approach to seed phrase backup is a proper disaster recovery plan, one that ensures seed phrases are never shared with unknown actors but are stored in a secure location that can be readily accessed should the worst happen.

Disaster Recovery Hygiene

At GK8, we believe a secure and effective disaster recovery plan is one of the most critical components of an institutional-grade digital asset custody solution. It is essential to have the portions of the seed phrase backed up in both a primary storage location as well as a separate secondary backup location or escrow agent in case of disaster. This ensures the seed phrases are protected while remaining under the direct control of the institutional users.

We recognize how essential seed phrases are for institutional investors to manage their crypto assets properly. That is why our team will walk you through the seed phrase generation process. We will also train you on the best practices of seed phrase regeneration.

At no point does GK8 have access to your seed phrases or your private key.

We urge our institutional users to approach seed phrase backup with caution. Ultimately, the security of both private keys and seed phrases should be taken seriously; both should be protected and backed up so that crypto assets remain safe and always accessible.

To learn more about the GK8 solution, click here.


Legal Disclosure: This document, and the information contained herein, has been provided to you by Galaxy Digital Holdings LP and its affiliates including GK8 (“Galaxy Digital”) solely for informational purposes. This document may not be reproduced or redistributed in whole or in part, in any format, without the express written approval of Galaxy Digital. Neither the information, nor any opinion contained in this document, constitutes an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options or other financial instruments or to participate in any advisory services or trading strategy. Nothing contained in this document constitutes investment, legal or tax advice or is an endorsement of any of the digital assets or companies mentioned herein. You should make your own investigations and evaluations of the information herein. Any decisions based on information contained in this document are the sole responsibility of the reader. Certain statements in this document reflect Galaxy Digital’s views, estimates, opinions or predictions (which may be based on proprietary models and assumptions, including, in particular, Galaxy Digital’s views on the current and future market for certain digital assets), and there is no guarantee that these views, estimates, opinions or predictions are currently accurate or that they will be ultimately realized. To the extent these assumptions or models are not correct or circumstances change, the actual performance may vary substantially from, and be less than, the estimates included herein. None of Galaxy Digital nor any of its affiliates, shareholders, partners, members, directors, officers, management, employees or representatives makes any representation or warranty, express or implied, as to the accuracy or completeness of any of the information or any other information (whether communicated in written or oral form) transmitted or made available to you. 
Each of the aforementioned parties expressly disclaims any and all liability relating to or resulting from the use of this information. Certain information contained herein (including financial information) has been obtained from published and non-published sources. Such information has not been independently verified by Galaxy Digital and, Galaxy Digital, does not assume responsibility for the accuracy of such information. Affiliates of Galaxy Digital may have owned or may own investments in some of the digital assets and protocols discussed in this document. Except where otherwise indicated, the information in this document is based on matters as they exist as of the date of preparation and not as of any future date, and will not be updated or otherwise revised to reflect information that subsequently becomes available, or circumstances existing or changes occurring after the date hereof. This document provides links to other Websites that we think might be of interest to you. Please note that when you click on one of these links, you may be moving to a provider’s website that is not associated with Galaxy Digital. These linked sites and their providers are not controlled by us, and we are not responsible for the contents or the proper operation of any linked site. The inclusion of any link does not imply our endorsement or our adoption of the statements therein. We encourage you to read the terms of use and privacy statements of these linked sites as their policies may differ from ours. The foregoing does not constitute a “research report” as defined by FINRA Rule 2241 or a “debt research report” as defined by FINRA Rule 2242 and was not prepared by Galaxy Digital Partners LLC. For all inquiries, please email contact@galaxydigital.io. ©Copyright Galaxy Digital Holdings LP 2023. All rights reserved.