Operational Security | 14 June 2026

Physical Security for Crypto and Web3 Organisations

The vast majority of crypto security discourse focuses on the digital domain: smart contract vulnerabilities, private key management, API security, and cloud configuration. This focus is understandable given the technical nature of blockchain systems and the visibility of on-chain exploits. But it creates a systematic blind spot that sophisticated adversaries exploit regularly.

Physical security is the security of the real world: the offices where infrastructure is administered, the hardware wallets sitting in desk drawers, the laptops carried to conferences, the server rooms accessible to contractors, and the signing devices stored in inadequately secured locations. These physical assets underpin every layer of digital security. The strongest cryptographic scheme is irrelevant if the device holding the private key can be walked out of the building.

Security4Web3 brings direct experience from the defence industry, where physical security is treated with the same rigour as technical controls, to the crypto sector. The approach is the same: physical and logical security are two layers of a single integrated defence-in-depth architecture. A gap in either layer undermines the whole.

This guide is the definitive resource on physical security for crypto firms. It covers office controls, server room access, hardware wallet storage, key ceremony security, travel risks, insider threats, and the regulatory framework now demanding formal physical security controls. It is written for CISOs, security directors, and founders responsible for protecting organisations where a physical compromise can be just as catastrophic as a smart contract exploit.

Why Physical Security Matters in Crypto

Physical security matters in every industry, but in the crypto sector the consequences of a physical breach are uniquely severe. The irreversibility of on-chain transactions means that assets stolen via physical compromise cannot be recovered through legal remediation or fraud mechanisms. There is no equivalent of a bank reversing a fraudulent wire transfer once a transaction has been confirmed on-chain.

Hardware wallets and HSMs are physical objects. They can be stolen, copied, tampered with, or destroyed. A hardware wallet removed from a poorly secured office safe and connected to an attacker's machine is a hardware wallet that may be compromised. A seed phrase written on paper and stored in an unlocked drawer is a private key exposed to anyone who can access that drawer. These are not hypothetical risks; they are incident patterns that have occurred at real crypto organisations.

Signing devices need physical protection equivalent to their logical sensitivity. If a signing device is used to authorise large treasury transactions or validator operations, it must be protected with physical controls commensurate with that value. A device that authorises million-pound transactions deserves better physical protection than a padlock on a desk drawer.

Offices contain the administrative access to cloud infrastructure. Even if every private key is stored in a geographically distributed, air-gapped system, the administrators who manage cloud accounts typically work in offices. Their workstations, if physically accessible to an attacker, may be logged into administrative consoles or may store session tokens that provide cloud access. Physical access to an administrator's unlocked workstation is a privileged access event.

The "$5 wrench attack" is the informal name for the simplest possible attack on a crypto firm: physical coercion of a keyholder. The cryptography underlying Bitcoin, Ethereum, and every other blockchain is essentially unbreakable. But the people who hold the keys are not. A credible physical threat to a keyholder bypasses all technical controls instantly. This is not a theoretical concern; credible threats, kidnappings, and home invasions targeting known crypto holders have occurred in multiple jurisdictions. The response is not to rely on obscurity alone to keep individuals safe, but to implement multi-signature schemes, distributed key custody, and operational practices that ensure no single person, under coercion, can authorise a devastating transaction.

Supply chain attacks on hardware wallets represent a category of physical threat that is often overlooked. Tampered hardware wallets have been found in secondary markets, and fake hardware wallets impersonating legitimate brands have been used to steal funds. The risk of purchasing hardware wallets through unofficial channels or receiving pre-seeded wallets from third parties is real. Hardware wallets must be purchased directly from manufacturers, verified for tamper-evident seal integrity on receipt, and initialised by the end user, never by a third party.

Office Security Controls

The office is the primary physical environment for most crypto firm employees, and it is the environment over which the firm has the greatest degree of direct control. Implementing strong physical security controls in the office does not require a large budget; it requires discipline and the consistent application of straightforward measures.

Access control systems should restrict office entry to authorised personnel using keycard or fob-based systems. PIN pads alone are insufficient because PINs are shared and not individually attributable. Keycard systems log each entry and exit, providing an audit trail that is essential for investigating physical security incidents. Visitor access should require registration at reception, the provision of a temporary access badge, and escort by an authorised employee at all times within the facility.

Visitor management is a control that many crypto firms treat as a formality rather than a genuine security measure. The principle is simple: no unescorted visitors. A visitor who is left alone, even briefly, in an area with accessible workstations, hardware wallets, or printed credentials represents a physical security risk. This policy applies to contractors, maintenance staff, delivery personnel, and any other third party who is not a permanent employee with a background-verified access credential.

CCTV coverage should be installed at all access points to the facility, with dedicated coverage of the server room, the secure storage area for hardware devices, and any area where sensitive operations are conducted. CCTV footage should be retained for a minimum of 90 days and stored in a location that is not accessible to general staff. The footage is both a deterrent and an investigation resource; it is only valuable if it is actually covering the relevant areas with adequate resolution.

Clean desk policy must be enforced rigorously in a crypto firm. Seed phrases must never be written on paper near workstations, on whiteboards, in notebooks left on desks, or in any format visible to passers-by. The same applies to passwords, PIN codes, recovery phrases, and any other authentication material. All sensitive documents must be stored in locked cabinets when not in active use. End-of-day walkthroughs to verify clean desk compliance should be a routine operational task.

Locked cabinets and safes for hardware wallets and sensitive documents should be physically secured to the building structure to prevent removal. A small safe bolted to a floor or wall is meaningfully harder to steal than an unbolted equivalent. Access to secure storage must be logged, with dual-person controls for the highest-value hardware.

Secure document disposal requires cross-cut shredding at minimum, and ideally a professional secure destruction service for the most sensitive materials. Seed phrase printouts, HSM initialisation records, and key ceremony documentation must be destroyed through verifiable processes, not placed in general waste bins.

Alarm systems should cover out-of-hours access to the office, with monitoring by a professional security company. Motion sensors in sensitive areas including server rooms and secure storage areas provide an additional detection layer beyond perimeter alarms.

Server Room and Data Centre Security

The server room, whether on-premises or in a colocation facility, is the highest-security zone within the physical office environment. Access to the server room should be restricted to a small, defined set of authorised individuals, with every entry and exit logged.

Physical access control to server rooms should be implemented through a separate access control system from general office access. A dedicated keycard or biometric reader for the server room, distinct from the general office system, provides a second layer of access control and a separate audit trail. Biometric access control, such as fingerprint or iris readers, eliminates the risk of shared or stolen access credentials for the server room specifically.

Server rack locks provide physical protection for individual rack units, preventing removal of servers or network hardware by anyone with physical access to the room but without the rack key. For colocation environments, rack locks are essential because other customers and facility staff may have physical access to the data centre floor.

Hardware security module physical protection goes beyond rack locks. HSMs are typically rated for physical tamper resistance: they are designed to zeroize (erase) their key material if a physical tamper attempt is detected. However, this protection is only effective if the HSM is properly configured and if the physical environment does not provide easy access. HSMs should be in locked cabinets within the server room, with access further restricted beyond general server room access.

Tamper-evident seals on critical hardware, including HSMs, network switches, and signing devices, provide evidence of physical interference between inspections. Seals should be checked at each access and after any maintenance activity. Any broken seal on critical hardware is an incident that requires investigation before the device is returned to service.

Environmental controls are physical security controls in the operational resilience sense: fire suppression systems rated for electrical equipment, redundant cooling with out-of-band temperature monitoring, uninterruptible power supply (UPS) with generator backup, and water detection. Physical destruction of infrastructure through fire, heat, or flooding is as devastating as a logical breach. These controls are required under DORA for financial entities and are best practice regardless of regulatory obligation.

Colocation facility security requirements must be assessed and contractually documented. Colocated server infrastructure lives in a facility controlled by a third party. The security posture of that facility is part of your organisation's physical security posture. Assess the facility's access control model, CCTV coverage, staff vetting procedures, audit log availability, and incident response procedures. Request evidence of SOC 2 Type II or ISO 27001 certification as a baseline expectation.

Audit logs of physical access to server rooms and colocation cages should be reviewed regularly, not just retained. Any access outside normal working hours, any access by individuals not scheduled to work in the facility, or any access of unusually long duration should be reviewed. These logs are also the first place to look when investigating a suspected physical security incident.

Endpoint and Device Security

Laptops, workstations, and mobile devices are the physical assets most commonly at risk in a crypto organisation because they travel, they attend conferences, and they are handled by individual employees who may not always apply consistent physical security discipline.

Full disk encryption is a non-negotiable baseline for all laptops and workstations in a crypto firm. FileVault on macOS and BitLocker on Windows encrypt the entire disk, so that a stolen or seized device yields nothing to an attacker without the decryption credential. Encryption must be verified through the device management platform, not simply trusted to have been enabled. The encryption key should require a strong passphrase on boot, not just the user's login password. See our guide on endpoint detection and response for crypto firms for the full endpoint security stack.

Screen lock policies must enforce automatic screen locking after a short period of inactivity. A 30-second auto-lock is appropriate for workstations in shared office environments. This control directly addresses the risk of an unescorted visitor, a tailgater, or a malicious insider accessing a logged-in workstation. Screen locks must require the user's full authentication credential to unlock, not just a swipe.

Cable locks for workstations in shared or open-plan offices provide a physical deterrent against device theft. A cable lock does not prevent a determined thief, but it prevents opportunistic theft and signals that the organisation treats device security seriously. For laptops used in public spaces including conference venues, cable locks are an essential physical control.

Device inventory and tracking requires a complete, accurate record of all devices in the organisation: serial numbers, assigned users, locations, and encryption status. When a device is reported stolen or missing, the inventory record enables rapid response: remote wipe via the device management platform, revocation of the user's credentials, and notification to the security team. A device that is not inventoried is a device that cannot be effectively managed.

Secure disposal of decommissioned devices requires cryptographic erasure or physical destruction of storage media before devices leave the organisation's control. Even with full disk encryption, best practice is to perform a certified secure wipe before disposal or donation. Hard drives and SSDs containing sensitive data should be degaussed or physically shredded by a certified data destruction service, with a certificate of destruction retained.

Hardware-based authentication tokens such as FIDO2 YubiKeys provide physical two-factor authentication that cannot be phished or remotely extracted. For accounts with administrative access to cloud infrastructure, signing systems, or internal tooling, a physical FIDO2 key is the strongest available second factor. The physical token must be carried by the user; it cannot be used by an attacker who has remotely compromised the user's password.

Hardware Wallet and Cold Storage Physical Security

Hardware wallets and cold storage devices are the physical embodiment of cryptographic key material. Their physical security is directly equivalent to the financial security of the assets they control.

Dedicated secure storage for hardware wallets should be a fireproof safe, bolted to the building structure, with access restricted to the minimum set of authorised personnel and logged on each access. The safe should be located in a restricted area, not in a general office space. A TL-30 rated safe or equivalent provides resistance against sustained physical attack.

Geographic distribution of backup seed phrases is the most important physical security principle for cold storage. If the seed phrase backup and the hardware wallet are in the same location, a single physical event, whether fire, flood, theft, or coercion, can result in total loss. Seed phrase backups should be stored in at least two geographically separate secure locations: for example, a company safe in the primary office and a safety deposit box at a bank in a different city. For institutional cold storage with very high values, three-of-five geographic distribution provides resilience against any single location event.

Never store seed phrases digitally. A seed phrase is a human-readable representation of a private key. Storing it in a password manager, a text file, an email, a cloud notes application, or any digital format converts a cold storage control into a hot storage risk. The entire value of a seed phrase backup is that it is inaccessible to remote attackers. The moment it is stored digitally, it becomes vulnerable to every digital attack vector. Seed phrases should exist only on physical media: paper, metal seed phrase plates, or other physical storage media designed for the purpose.

Tamper-evident packaging for hardware wallets provides evidence that a device has not been physically modified since it left the manufacturer. New hardware wallets should arrive in sealed, tamper-evident packaging. The seal should be inspected before use. Any hardware wallet that arrives without intact tamper-evident seals should be treated as potentially compromised and not used until the device has been independently verified.

The risk of counterfeit or tampered hardware wallets is real and documented. Counterfeit hardware wallets have been sold through secondary markets with pre-loaded malicious firmware designed to extract seed phrases during initialisation. Tampered wallets have been found with physical modifications to transmit key material via radio-frequency side channels. The controls are straightforward: purchase hardware wallets only from official manufacturer websites or authorised resellers, verify the device using the manufacturer's verification process before initialisation, and never accept a pre-initialised hardware wallet from any source.

"A stolen hardware wallet and a compromised smart contract have the same consequence: irreversible asset loss. Physical security is not a secondary concern to be addressed after the technical controls are in place. It is an equal layer in the defence-in-depth architecture."

Key Ceremony Physical Security

A key generation ceremony is the process by which cryptographic keys for high-value signing operations are generated and distributed. For institutional key management, multi-signature wallet initialisation, or HSM key loading, the key ceremony is a critical security event. Its physical security is as important as its procedural and technical security, because a compromised key ceremony may result in keys that appear legitimate but are known to an attacker from the moment of generation.

Physical location security for a key ceremony requires a room with controlled access, limited to verified and specifically authorised participants. The room should be swept for surveillance devices before the ceremony begins. No recording equipment, including mobile phones, should be permitted unless the recording itself is part of the ceremony protocol. Windows should be covered if the room has exterior-facing glass. The location should be selected to minimise the risk of physical observation from adjacent areas.

Faraday cage considerations are relevant for the most sensitive key ceremonies. A Faraday cage, or a room lined with RF-blocking material, prevents any wireless communication by devices within it. This eliminates the risk of a compromised device in the ceremony room transmitting key material via RF side channels, even if the device has been physically modified to do so. Portable Faraday bags can be used for individual devices; room-level Faraday shielding is appropriate for the highest-value ceremonies.

Camera and recording policies during ceremonies must be explicit and enforced. For key ceremonies involving large values, the default position should be no personal devices in the room. If the ceremony is being formally recorded for audit purposes, the recording equipment should be under the control of the ceremony security officer, not individual participants. Any recording of seed phrases or key material should be treated as a controlled document with the highest classification.

Personnel vetting for ceremony participants should include background checks appropriate to the value of the keys being generated. All participants should be positively identified before entry, with government-issued identity documents verified by the ceremony security officer. A participant list should be prepared in advance and no additions made on the day of the ceremony. The principle of least privilege applies: the minimum number of people required for the ceremony should be present.

Witness and notary requirements for institutional key ceremonies provide a legal and procedural record of the event. Independent witnesses, who may include legal professionals, attest to the procedural compliance of the ceremony. This record is valuable both for internal audit purposes and for demonstrating compliance to regulators and institutional counterparties who require evidence of key management rigour.

Physical documentation handling during and after the ceremony requires a defined protocol. Any paper containing key material, seed phrases, or key shares must be handled under dual-person integrity: two authorised people must be present whenever the document is being used or transferred. Documents must be stored immediately in designated secure containers after the ceremony. Temporary ceremony materials that are not needed for ongoing operations should be securely destroyed immediately under witnessed conditions.

Travel Security for Crypto Executives and Signers

Travel introduces a set of physical security risks that do not exist in the controlled office environment. Airports, hotels, conferences, and border crossings are environments where physical security controls are largely outside the traveller's control. For crypto executives, signers, and anyone with administrative access to critical infrastructure, travel requires specific preparation and discipline.

Never carry seed phrases or hardware wallets in checked luggage. Checked luggage is outside the traveller's physical control for extended periods and is handled by multiple parties. A hardware wallet or seed phrase backup in checked luggage could be copied, tampered with, or stolen without any indication to the traveller. Hardware wallets and any physical key material should always be in carry-on luggage that remains with the traveller, or ideally should not travel at all: operational travel should be conducted on devices that do not carry critical signing infrastructure.

Border crossing laptop inspection risks are material for travellers visiting certain jurisdictions. Customs authorities in numerous countries have legal powers to compel travellers to unlock devices for inspection. A device that is unlocked during a border inspection may have its contents imaged or its authentication credentials extracted. The practical mitigation is a travel-only device with minimal data: a laptop that contains no privileged credentials, no signing software, and no sensitive files. Administrative access to production systems should be revoked for the duration of travel and re-issued on return, after the travel device has been inspected and verified clean.

Hotel safes are inadequate for storing crypto hardware. Hotel room safes are typically low-security devices with master codes known to hotel staff. They provide no protection against a determined attacker with physical access to the room. Hardware wallets and sensitive materials should not be left in hotel rooms if they must travel at all. Physical custody of high-value hardware should be maintained continuously.

Using travel-only devices with minimal data is the most practical mitigation for the full range of travel security risks. A travel device is a laptop or mobile phone that is used only for travel, contains no stored credentials for production systems, has no cached authentication sessions, and is treated as potentially compromised for the duration of travel. If the device is seized, tampered with, or stolen, the exposure is limited. On return, the device should be rebuilt before any production access is restored from it.

VPN use on public networks is essential when accessing any internal system from a conference venue, hotel, or airport. Public Wi-Fi networks are active targets for man-in-the-middle attacks. All traffic from a travel device should be routed through a corporate VPN before accessing any internal resource. The VPN itself should be a zero-trust access product that provides access only to the specific resources required, not full network access to internal zones.

Physical awareness at industry events requires conscious discipline. Crypto conferences are known gathering points for threat actors seeking information about targets. Discussions about holding amounts, wallet locations, key custody arrangements, or infrastructure details should not take place in public areas of conference venues. Conversations at conference social events, in particular, are social engineering opportunities. The information gathered at conferences is often used to plan subsequent targeted attacks, both physical and digital.

People Security: Insider Threat and Social Engineering

Technical physical security controls protect against external threats. People security addresses the threats that originate from within: social engineering by external parties seeking physical access, and insider threat from employees or contractors with legitimate physical access who abuse it.

Tailgating and piggybacking are the simplest physical social engineering attacks: following an authorised person through a secure door without using an access credential. In offices where access control is implemented technically but not culturally, tailgating is common. Every employee must be trained to challenge anyone who follows them through a controlled access point without presenting their own credential, regardless of how legitimate that person appears. This is uncomfortable to enforce, which is precisely why it is a reliable attack vector. Our security awareness training guide for crypto firms covers how to build the culture required to make physical security policies effective.

Social engineering to gain physical access takes many forms: impersonating maintenance staff, IT support, delivery personnel, or visiting executives. Social engineers conduct reconnaissance to understand the office environment, the names of key personnel, and the likely pretext that will gain them access. The counter is a strict visitor management policy that is actually enforced: all visitors are registered in advance, escorted at all times, and their identity verified against the visit record before access is granted. No exceptions, regardless of how plausible the explanation.

Insider threat is the hardest category of physical security threat to address because it originates from individuals who already have authorised access. A disgruntled employee with access to a server room, a hardware wallet safe, or an administrative workstation has physical access that cannot be revoked without removing them from the organisation. Controls include separation of duties, dual-person integrity for high-value physical access, regular access reviews to ensure that physical access privileges are commensurate with current roles, and monitoring for access events that are inconsistent with normal patterns. Our guide on separation of duties for crypto organisations covers how to design processes that limit the damage any single insider can cause.

Contractor physical access management requires treating contractors as a distinct access category with time-limited, escorted access rather than the persistent unescorted access that permanent employees hold. Contractors performing IT work in server rooms should be escorted by a permanent employee throughout their visit. Their access should be revoked immediately upon completion of their engagement, not at the next quarterly access review cycle.

Off-hours access monitoring should flag access events that occur outside normal business hours for review. An employee accessing the server room at 2am on a Sunday is not necessarily a security incident, but it is an event that warrants investigation. The monitoring system should aggregate access logs and produce a daily or weekly report of anomalous access events for review by the security team.
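The review described here and in the server room section (off-hours access, access by people not scheduled to be in the facility, unusually long visits) can be run as a small script over a door controller export. The following is an added example, not code from this guide's authors or from any access control product. The CSV layout, the 08:00 to 18:00 weekday working hours, the two-hour visit threshold, and the roster are all assumptions chosen for illustration.

```python
import csv
import io
from datetime import datetime, time, timedelta

# Constructed sample export from a server-room door controller (not real data).
# Assumed columns: ISO timestamp, badge holder, door, direction (IN or OUT).
SAMPLE_LOG = """\
timestamp,holder,door,direction
2026-06-08T09:12:00,alice,server-room,IN
2026-06-08T09:40:00,alice,server-room,OUT
2026-06-09T10:05:00,bob,server-room,IN
2026-06-09T14:50:00,bob,server-room,OUT
2026-06-10T11:00:00,carol,server-room,IN
2026-06-10T11:20:00,carol,server-room,OUT
2026-06-12T16:45:00,dave,server-room,IN
2026-06-14T02:03:00,alice,server-room,IN
2026-06-14T02:31:00,alice,server-room,OUT
"""

WORK_START, WORK_END = time(8, 0), time(18, 0)  # assumed business hours, Mon-Fri
MAX_VISIT = timedelta(hours=2)                  # assumed threshold for a long visit

# Hypothetical roster: who is scheduled to work in the room on which date.
SCHEDULE = {
    "2026-06-08": {"alice"},
    "2026-06-09": {"bob"},
    "2026-06-12": {"dave"},
}


def parse_log(text):
    """Return badge events sorted by time, each with a parsed datetime in 'ts'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["direction"] not in ("IN", "OUT"):
            raise ValueError(f"unknown direction: {row['direction']!r}")
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])


def pair_visits(events):
    """Match each IN with the next OUT for the same holder and door.

    Returns (visits, orphan_exits). A visit with left=None never badged out;
    an orphan exit is an OUT with no preceding IN, e.g. someone who entered
    behind another person's badge.
    """
    open_visits = {}  # (holder, door) -> entry time of the visit in progress
    visits, orphan_exits = [], []
    for e in events:
        key = (e["holder"], e["door"])
        if e["direction"] == "IN":
            if key in open_visits:  # second IN in a row: first visit has no exit
                visits.append({"holder": key[0], "door": key[1],
                               "entered": open_visits[key], "left": None})
            open_visits[key] = e["ts"]
        elif key in open_visits:
            visits.append({"holder": key[0], "door": key[1],
                           "entered": open_visits.pop(key), "left": e["ts"]})
        else:
            orphan_exits.append(e)
    for (holder, door), entered in open_visits.items():
        visits.append({"holder": holder, "door": door,
                       "entered": entered, "left": None})
    return sorted(visits, key=lambda v: v["entered"]), orphan_exits


def is_off_hours(ts):
    """True on weekends or outside the assumed working hours."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def review(text, schedule=SCHEDULE):
    """Return (entry time, holder, door, reasons) for each event needing review."""
    visits, orphan_exits = pair_visits(parse_log(text))
    findings = []
    for v in visits:
        reasons = []
        if is_off_hours(v["entered"]):
            reasons.append("off-hours")
        if v["holder"] not in schedule.get(v["entered"].date().isoformat(), set()):
            reasons.append("unscheduled")
        if v["left"] is None:
            reasons.append("no-exit-recorded")
        elif v["left"] - v["entered"] > MAX_VISIT:
            reasons.append("long-visit")
        if reasons:
            findings.append((v["entered"].isoformat(), v["holder"], v["door"], reasons))
    for e in orphan_exits:
        findings.append((e["ts"].isoformat(), e["holder"], e["door"],
                         ["exit-without-entry"]))
    return sorted(findings)


if __name__ == "__main__":
    for when, holder, door, reasons in review(SAMPLE_LOG):
        print(f"{when}  {holder:<6} {door:<12} {', '.join(reasons)}")
```

Entries without a matching exit, and exits without a matching entry, are reported alongside the three conditions named in the text because both indicate that the log does not reflect who was actually in the room.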

Privileged access management extends naturally from logical to physical access. Our guide on privileged access management for crypto firms covers how to manage and audit privileged access in both the logical and physical domains.

Physical Security Standards and Frameworks

Physical security for crypto firms is now addressed explicitly in multiple regulatory frameworks and standards, making compliance alignment an important dimension of physical security programme design.

ISO 27001 Annex A.7 (in the 2022 revision) addresses physical and environmental security across nine controls, covering secure areas, physical entry controls, office and facility security, protection against physical and environmental threats, working in secure areas, clear desk and screen policies, equipment security, and equipment disposal. ISO 27001 certification requires documented implementation of these controls with evidence of their operation. For crypto firms pursuing certification, Annex A.7 is one of the areas that auditors will assess in depth, given the physical security sensitivity of crypto operations. Our ISO 27001 certification guide for crypto firms covers the full certification process.

DORA (Digital Operational Resilience Act) addresses physical security through its ICT risk management requirements. Article 9 of DORA requires that financial entities, including crypto asset service providers under MiCA, implement controls to protect physical infrastructure supporting ICT systems. The implementing technical standards under DORA reference physical access controls, environmental controls, and the physical protection of data centres as specific requirements. Firms subject to DORA that have not implemented formal physical security controls are in regulatory non-compliance. Our DORA compliance guide covers the full requirements in detail.

CIS Controls relevant to physical security include CIS Control 1 (Inventory and Control of Enterprise Assets), which requires tracking all physical devices; CIS Control 4 (Secure Configuration of Enterprise Assets), which includes physical security settings; and CIS Control 12 (Network Infrastructure Management), which includes physical network security. The CIS Controls provide an implementation-focused framework that complements the policy-level requirements of ISO 27001 and DORA.

Defence-in-depth is the architectural principle that underpins physical security: no single control should be the sole barrier between an attacker and a target. Physical controls layer on top of one another: access control prevents entry, CCTV deters and detects, cable locks prevent device theft, full disk encryption limits data loss if a device is stolen, and remote wipe capability limits the window of exposure. Each layer addresses the failure modes of the layers around it. This is the same principle that Security4Web3 applies from defence industry practice to the crypto security context: no single point of failure in the security architecture.

Physical Security Assessment and Testing

Physical security controls cannot be assumed to be effective simply because they have been implemented. They must be tested, and the testing results must drive a structured improvement process.

Physical penetration testing involves a qualified security professional attempting to bypass physical security controls through social engineering, tailgating, lock bypassing, badge cloning, and other techniques. A physical penetration test provides direct evidence of which controls are effective and which can be bypassed. Physical penetration testing is a distinct discipline from network penetration testing; it requires different skills and different methodology. Our guide on penetration testing for crypto organisations covers how to scope and procure both network and physical penetration testing.

A physical penetration test typically begins with open-source intelligence gathering to understand the target facility: its location, the identity of employees, social media that reveals office layout, and any published information about security procedures. The tester then attempts to gain physical access through a range of techniques, documenting successes and failures. The test report provides a detailed account of vulnerabilities discovered and specific remediation recommendations.

Facility walkthrough checklist assessments can be conducted internally between formal penetration tests. A structured walkthrough covers: all access control points and whether they are functioning correctly; CCTV coverage and whether it covers all required areas with adequate resolution; server room access control and the accuracy of the access log; hardware wallet and device storage and whether it meets the required security standard; clean desk compliance; visitor log accuracy; and the integrity of tamper-evident seals on critical hardware. A monthly or quarterly walkthrough by the security team maintains baseline physical security hygiene between formal assessments.

Common physical security findings in crypto firms include: hardware wallets stored in unlocked desk drawers rather than secure safes; seed phrase backups stored in the same location as the hardware wallet; development laptops in open-plan offices without screen locks or cable locks; server rooms accessible to all employees rather than a restricted subset; CCTV systems that cover reception areas but not server rooms or secure storage; visitor logs that are incomplete or unverified; and contractors who have been given unescorted access without a formal visitor management process.
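The access-log check in the walkthrough, and two of the findings listed above (a server room open to more than a restricted subset, and unescorted contractors), can be tested against a badge-reader export. The following is an added example, not part of the original guide; the CSV layout, badge IDs, roster and 60-second escort window are all assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; the column layout is an assumption, not a vendor format.
SAMPLE_LOG = """timestamp,badge_id,door,result
2026-06-01T09:02:11,E-1001,server-room,granted
2026-06-01T09:40:03,E-1042,server-room,granted
2026-06-01T10:15:00,E-1002,server-room,granted
2026-06-01T10:15:20,C-2001,server-room,granted
2026-06-01T14:30:45,C-2001,server-room,granted
2026-06-01T15:00:00,E-1001,front-door,granted
"""

AUTHORISED = {"E-1001", "E-1002"}      # restricted subset allowed in the server room
CONTRACTORS = {"C-2001"}               # must always be escorted
ESCORT_WINDOW = timedelta(seconds=60)  # assumed max gap between escort and contractor


def audit_server_room(log_text, door="server-room"):
    """Return (timestamp, badge_id, reason) findings for one door."""
    rows = [r for r in csv.DictReader(io.StringIO(log_text))
            if r["door"] == door and r["result"] == "granted"]
    events = sorted((datetime.fromisoformat(r["timestamp"]), r["badge_id"])
                    for r in rows)
    findings = []
    for ts, badge in events:
        if badge in CONTRACTORS:
            # A contractor entry is acceptable only next to an authorised badge swipe.
            escorted = any(b in AUTHORISED and abs(ts - t) <= ESCORT_WINDOW
                           for t, b in events)
            if not escorted:
                findings.append((ts.isoformat(), badge,
                                 "contractor entry without escort"))
        elif badge not in AUTHORISED:
            findings.append((ts.isoformat(), badge,
                             "badge not on server-room roster"))
    return findings


if __name__ == "__main__":
    for finding in audit_server_room(SAMPLE_LOG):
        print(*finding, sep="  ")
```

A granted entry for a badge that is not on the roster indicates the door controller's permissions are wider than the policy, which is a configuration finding rather than an intrusion by itself.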

Remediation priorities should be assigned based on the consequence of exploitation. Physical access to key management systems and HSMs represents the highest priority for remediation. Physical access to signing devices and hardware wallets is the second priority. Endpoint device security and office physical controls are the third priority. Environmental controls and facility resilience represent the fourth priority. This prioritisation ensures that the most consequential physical security gaps are addressed first, even when resource constraints prevent simultaneous remediation of all findings.

Frequently Asked Questions

What is the most important physical security control for a crypto firm?

The single most important physical security control is restricting physical access to hardware wallets, HSMs, and signing devices to the smallest possible set of authorised personnel, with that access logged and audited. Hardware security modules and signing devices are the physical equivalent of a vault: their compromise has the same consequence as a logical breach of key management infrastructure. Physical access controls, including keycard systems, PIN pads, and CCTV coverage of secure storage areas, are the foundation of physical security for crypto firms.

What is a "$5 wrench attack" and how do crypto firms defend against it?

The "$5 wrench attack" refers to the use of physical coercion or threats of violence to force a keyholder to surrender private keys or authorise transactions. The name reflects the fact that the attacker does not need sophisticated technical capabilities; physical coercion bypasses all cryptographic protections. Defences include: multi-signature schemes requiring multiple keyholders so no single person can be coerced into authorising a large transaction; time-locked transactions that cannot be accelerated; operational security practices that limit knowledge of who holds keys; and not publicly associating individuals with their role as keyholders. Geographic distribution of keyholders means no single physical location is a target for simultaneous coercion.
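How those defences combine can be seen in a small policy model: a withdrawal executes only with enough approvals, from more than one location, after a fixed delay that nothing can shorten. This is an added example, not code from the original guide and not a wallet implementation; the keyholder names, sites, threshold and 48-hour delay are assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy values; names, sites and thresholds are assumptions.
KEYHOLDERS = {"kh-a": "site-1", "kh-b": "site-1", "kh-c": "site-2", "kh-d": "site-3"}
THRESHOLD = 2              # M-of-N approvals required
MIN_SITES = 2              # approvals must span at least this many locations
DELAY_SECONDS = 48 * 3600  # time lock between queueing and execution


@dataclass
class Withdrawal:
    amount: int
    queued_at: int                     # Unix time the request was queued
    approvals: set = field(default_factory=set)
    cancelled: bool = False

    def approve(self, keyholder):
        if keyholder not in KEYHOLDERS:
            raise ValueError(f"unknown keyholder: {keyholder}")
        self.approvals.add(keyholder)  # a set, so repeat approvals count once

    def cancel(self):
        # Any keyholder who learns of a coerced request can stop it during the delay.
        self.cancelled = True


def can_execute(w, now):
    """Return (allowed, reason). There is deliberately no override for the delay."""
    if w.cancelled:
        return False, "cancelled during delay window"
    if len(w.approvals) < THRESHOLD:
        return False, f"{len(w.approvals)} of {THRESHOLD} approvals"
    sites = {KEYHOLDERS[k] for k in w.approvals}
    if len(sites) < MIN_SITES:
        return False, "approvals come from a single location"
    remaining = w.queued_at + DELAY_SECONDS - now
    if remaining > 0:
        return False, f"time lock: {remaining} s remaining"
    return True, "ok"
```

Coercing one keyholder, or everyone in one office, fails the first two checks; even when both are satisfied, the delay leaves a window in which the request can be cancelled.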

How should hardware wallets be stored physically?

Hardware wallets should be stored in a fireproof safe or secure cabinet with access restricted to authorised personnel. The device itself should be stored separately from any written backup of the seed phrase. The seed phrase backup should be stored in a geographically separate location, also in a fireproof, tamper-evident container. Hardware wallets should never be stored in desk drawers, laptop bags, or other easily accessible locations. For high-value wallets, a safety deposit box at a bank or a professional vault service provides stronger physical security than an office safe.

What physical security measures apply during a key ceremony?

A key generation ceremony for high-value signing keys requires a physically secure room with controlled access, restricted to verified and vetted participants only. The room should be swept for surveillance devices before the ceremony. Mobile phones and cameras should be excluded or placed in a signal-blocking Faraday cage. The ceremony should be conducted on air-gapped hardware that has been verified clean. All participants should be logged and the ceremony should have a written procedure followed step by step, with witnesses recording each step. Physical documents generated during the ceremony, such as seed phrase backups, should be handled under dual-person integrity controls and secured immediately.

What are the physical security risks when travelling to crypto conferences?

Key risks at crypto conferences and when travelling include: laptop theft, particularly in common areas of conference venues; physical social engineering where attackers impersonate other attendees to extract information; border crossing inspections where travellers may be compelled to unlock their devices; hotel room access by cleaning staff or other third parties; and evil maid attacks where a device is physically tampered with whilst left unattended. Mitigations include using a travel-only device with minimal data, enabling full disk encryption, never leaving devices unattended in hotel rooms or conference bags, using a cable lock for laptops in public spaces, and never carrying hardware wallets or seed phrase backups in checked luggage.
