Self‑custody for teams

Choose a governance‑ready model (single‑sig or multisig), define roles and policies, and practice recovery so your organization can hold Bitcoin with confidence.

Governance Security Operations

Custody models

  • Single‑sig: simplest; one device signs. Good for small treasuries or spending wallets.
  • Multisig (e.g., 2‑of‑3, 3‑of‑5): spreads risk across devices/people and enables governance controls.

Consider time‑locks and spending limits for policy enforcement.

Roles & responsibilities

Key holders: maintain hardware, keep backups, participate in ceremonies.
Initiator: prepares transactions and documentation.
Approver(s): review policy alignment and sign.
Auditor: verifies addresses, proofs, and logs independently.

Key ceremony (template)

  1. Procure hardware wallets from trusted sources; update firmware offline.
  2. Generate keys on‑device; record device fingerprints and xpubs.
  3. Build the multisig policy (e.g., 2‑of‑3) and verify receive addresses on‑device.
  4. Create encrypted backups and store in geographically separated locations.
  5. Run a recovery drill with a small UTXO: restore from backups and spend to a known address.
  6. Document participants, locations (redacted), and control checks.

Tip: Use Plan B Vault to codify policy (signers, limits, time‑locks) and schedule periodic recovery drills.

Operating procedures

  • Maintain an allowlist of destination addresses for routine payouts.
  • Use change control: PR-like approvals for address books and policy edits.
  • Batch payments when fees are high; prefer modern address types (bech32/Taproot).
  • Rotate signing devices per lifecycle schedule; log serials and versions.
  • Keep a small hot wallet for operational spends; keep treasury cold.

Backups & recovery

  • Seed backups stored offline in multiple, sealed locations (tamper‑evident).
  • Encrypt coordinates and access details; split knowledge among roles.
  • Quarterly recovery drills with sign‑off and lessons learned.

Emergency procedures

  • Lost device: revoke signer, rotate keys, and move funds via remaining quorum.
  • Compromised site: pause operations, move to emergency wallet, and rotate policy.
  • Personnel change: offboard signer, update policies, and attest to auditors.

Audit & compliance

  • Maintain proof of reserves snapshots with signed messages from addresses.
  • Retain transaction logs with txids, approvers, and purpose tags.
  • Segregate duties and record independent address verification.
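
An added example, not part of the original page or of any tool it names: a pre-signing policy gate in Python that enforces the destination allowlist, a spending limit, approver quorum and segregation of duties, then builds the audit log entry. The policy values, names, placeholder addresses and function names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy for illustration; names and addresses are placeholders.
POLICY = {
    "quorum": 2,                               # approvals needed (2-of-3)
    "approvers": {"alice", "bob", "carol"},    # registered approvers
    "per_tx_limit_sats": 50_000_000,           # spending limit per transaction
    "allowlist": {"bc1q-example-payroll", "bc1q-example-vendor"},
}

@dataclass(frozen=True)
class PayoutRequest:
    initiator: str
    purpose: str
    outputs: tuple     # ((address, amount_sats), ...)
    approvals: tuple   # names of people who signed off

def valid_approvers(req, policy=POLICY):
    """Registered approvers, each counted once, never the initiator."""
    return (set(req.approvals) & policy["approvers"]) - {req.initiator}

def check_payout(req, policy=POLICY):
    """Return policy violations; an empty list means the request may be signed."""
    violations = []
    if not req.purpose.strip():
        violations.append("missing purpose tag")
    if not req.outputs:
        violations.append("no outputs")
    for address, amount in req.outputs:
        if address not in policy["allowlist"]:
            violations.append(f"destination not on allowlist: {address}")
        if amount <= 0:
            violations.append(f"non-positive amount for {address}")
    # The limit applies to the whole batch, so splitting outputs cannot evade it.
    total = sum(amount for _, amount in req.outputs)
    if total > policy["per_tx_limit_sats"]:
        violations.append(f"total {total} sats exceeds limit")
    count = len(valid_approvers(req, policy))
    if count < policy["quorum"]:
        violations.append(f"quorum not met: {count} of {policy['quorum']}")
    return violations

def audit_record(req, txid, policy=POLICY):
    """Build the log entry kept for auditors once a compliant payout is sent."""
    if check_payout(req, policy):
        raise ValueError("refusing to log a non-compliant payout")
    return {"txid": txid, "purpose": req.purpose, "initiator": req.initiator,
            "approvers": sorted(valid_approvers(req, policy)),
            "total_sats": sum(amount for _, amount in req.outputs)}
```

Run the gate before a transaction reaches the signing devices; on-device address verification by the signers remains the final check.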

Recommended tooling

  • Hardware wallets with secure elements and on‑device address display.
  • Multisig coordinator software compatible with your devices.
  • Secure password manager for non‑seed secrets; offline docs for seed metadata.