Institution-Grade MPC Key Management
A complete playbook for teams that custody significant value — exchanges, asset managers, DAOs, and enterprise treasury operations. Each topic is its own page so you can jump directly to what you need.
Who this is for
This guide assumes you need a documented, auditable, multi-party custody policy. If you're building a simple wallet app, the basic export & import example is enough.
Core principle
An institution never relies on a single MPC node or a single person. Every design decision in this guide enforces three properties:
- Separation of duties — no individual can act alone on key material
- Geographic distribution — no single physical breach can expose a complete key
- Layered encryption — every sensitive artifact is wrapped in several independent protection layers (in this guide: an age-encrypted MPC shard, a passphrase-protected age key, and a Shamir-split copy of that key)
Lifecycle at a glance
1. Ceremony → generate 2-of-3 shares, persist keyId
2. Custodians → local age keygen + SSS split of the age key among guardians
3. Export → `deleteAfterExport:true`, so the MPC nodes hold no share afterwards
4. Sign → just-in-time (JIT) import → sign → delete again
5. Rotate → local re-wrap, no age key leaves the device
6. Recover → SSS reconstruct of the age key → RECOVER_PRIVATE_KEY
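Steps 2 and 6 both hinge on Shamir Secret Sharing (SSS) of a custodian's age key. The block below is an added example, not code from this guide or from the component library it references: a minimal k-of-n Shamir split and reconstruct over GF(2^8), with the threshold recorded in every share so that reconstruction refuses a sub-quorum set (for instance two of a custodian's 3-of-5 guardians). The 32-byte `age_key` in `demo()` is a constructed stand-in for a real age identity; in production use an audited SSS implementation rather than this one.

```python
"""k-of-n Shamir Secret Sharing over GF(2^8) for a fixed-length key.

Added example for this guide; not the project's own code. Every share
carries (k, x, y) so reconstruct() can refuse sub-threshold input.
"""
import secrets
from typing import List, Tuple

Share = Tuple[int, int, bytes]  # (threshold k, x coordinate, y bytes)


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def _gf_inv(a: int) -> int:
    """Multiplicative inverse via Fermat: a^(2^8 - 2) = a^254."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r


def split(secret: bytes, k: int, n: int) -> List[Share]:
    """Split `secret` into n shares; any k of them reconstruct it."""
    if not (2 <= k <= n <= 255):
        raise ValueError("need 2 <= k <= n <= 255")
    # One random degree-(k-1) polynomial per secret byte: a0 is the byte itself.
    polys = [bytes([s]) + secrets.token_bytes(k - 1) for s in secret]
    shares: List[Share] = []
    for x in range(1, n + 1):
        y = bytearray()
        for coeffs in polys:
            acc = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                acc = _gf_mul(acc, x) ^ c
            y.append(acc)
        shares.append((k, x, bytes(y)))
    return shares


def reconstruct(shares: List[Share]) -> bytes:
    """Lagrange-interpolate each byte at x = 0; rejects sub-threshold input."""
    if not shares:
        raise ValueError("no shares supplied")
    k = shares[0][0]
    xs = [x for _, x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share x coordinate")
    if any(kk != k for kk, _, _ in shares):
        raise ValueError("shares come from different splits")
    if len(shares) < k:
        raise ValueError(f"quorum not met: need {k} shares, got {len(shares)}")
    length = len(shares[0][2])
    if any(len(y) != length for _, _, y in shares):
        raise ValueError("share length mismatch")
    out = bytearray()
    for i in range(length):
        acc = 0
        for _, xi, yi in shares:
            # Lagrange basis at 0: prod_{j != i} x_j / (x_j - x_i); "-" is XOR here.
            basis = 1
            for _, xj, _ in shares:
                if xj != xi:
                    basis = _gf_mul(basis, _gf_mul(xj, _gf_inv(xj ^ xi)))
            acc ^= _gf_mul(yi[i], basis)
        out.append(acc)
    return bytes(out)


def demo() -> bool:
    """Custodian A's (constructed) age key, split 3-of-5 among guardians."""
    age_key = secrets.token_bytes(32)          # stand-in, not a real identity
    guardians = split(age_key, 3, 5)
    recovered = reconstruct(guardians[1:4])    # guardians B, C, D show up
    try:
        reconstruct(guardians[:2])             # only two present: must fail
        return False
    except ValueError:
        return recovered == age_key


if __name__ == "__main__":
    print("3-of-5 recovery OK, 2-of-5 refused:", demo())
```

The threshold tag in each share is the only thing that lets `reconstruct()` detect a sub-quorum set; a bare `(x, y)` share format would silently return garbage from two shares, which is exactly the kind of ambiguity a recovery runbook should not leave to the operator. Distribute shares to guardians over separate channels, since any k of them together are the age key.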
Roles
| Role | Responsibility | Count |
|---|---|---|
| Key Generator | Runs the generation ceremony, stores keyId | 1 (server / CI) |
| Custodian | Holds one encrypted MPC shard in cold storage | 3 (A, B, C) |
| Guardian | Holds one SSS share of a custodian's age key | 3–5 per custodian |
| Quorum Approver | Authorizes sensitive operations (recovery, rotation) | 2-of-3 Custodians |
| Auditor | Reviews logs; no key access | 1+ |
Pages in this guide
| Page | What you'll learn |
|---|---|
| Key Generation Ceremony | GENERATE_KEY_SHARE, threshold config, keyId persistence |
| Custodian Setup & Shamir Secret Sharing | Local age-keygen, AES-256-GCM passphrase protection, SSS split |
| Export, Rotation & Restore | JIT node model, local re-wrap, import/export cycle, full lifecycle |
| Disaster Recovery & Attack Prevention | 5 failure scenarios, 6 threat vectors, pre-launch policy checklist |
Component reference
All MPC components used in this guide are documented in the MPC & Key Management section of the Component Library.