
Physical Security for Web3 Signing Infrastructure: Key Ceremony Rooms, HSM Controls and Cold Storage Vaults

Perimeter fencing and access cards are table stakes. The infrastructure that actually protects institutional crypto assets requires purpose-built rooms, hardened equipment placement, and procedures written for the specific failure modes of key material.

Most discussions of crypto physical security stop at the level of the generic corporate control: badge access, CCTV coverage, a manned reception desk. Our earlier physical security programme guidance covers that layer thoroughly, and it remains necessary. But for the specific infrastructure that actually holds and moves institutional value (the signing keys, the HSMs, the cold storage hardware, and the validator nodes), generic perimeter controls are not the standard that matters. What matters is whether the room where a key was generated could have been observed, whether the device performing a signature could have been physically substituted, and whether the vault holding a seed phrase backup could be accessed by one person acting alone.

This article goes deeper into that specific layer: the physical design and control requirements for key ceremony rooms, HSM placement and tamper protection, cold storage vault specifications, data centre access for validator infrastructure, and the electromagnetic considerations that apply at the highest end of institutional custody. It sits alongside our work on HSM private key management and cold storage policy, and should be read as the physical layer that underwrites both.

Why Physical Security Is the Foundation of Crypto Key Security

Logical security controls (encryption, multi-party computation, threshold signature schemes) all assume a starting condition: that the hardware and the environment in which keys were generated, stored, and used were themselves trustworthy. That assumption is rarely examined with the same rigour applied to the cryptography built on top of it.

The most sophisticated cryptographic key management scheme is worthless if a physically compromised HSM was used during the key ceremony. Physical security is the trust anchor for every logical control layered on top of it, and an anchor that has not been verified is not an anchor at all.

Consider what a physical compromise actually enables. An attacker with unsupervised physical access to a hardware security module, even briefly, could potentially substitute it for a modified unit, extract firmware for analysis, or install a hardware implant capable of exfiltrating key material or signing operations undetected by any network-based monitoring. An attacker with access to a key ceremony room during generation could observe or record entropy input, participant actions, or displayed seed material through means that no amount of subsequent cryptographic strength can undo. Once key material has been observed or a device has been physically tampered with, no software control implemented afterward can restore the integrity of that key. This is why physical security cannot be treated as a lower tier of the security programme relative to smart contract audits or network security; for the specific infrastructure discussed here, it is the tier everything else depends on.

Key Ceremony Room Design: Physical Requirements

A key ceremony is the formal, witnessed process of generating, splitting, backing up, or restoring cryptographic key material. The room in which it takes place is not an ordinary meeting room repurposed for the occasion; it is a purpose-built control that deserves the same design discipline as a data centre.

Physical Isolation and Access

A dedicated key ceremony room should be physically isolated from general office space, with solid, floor-to-ceiling walls rather than partitions or glass panels that allow observation from adjacent areas. Access should require a separate, more restrictive credential than standard office access, logged independently, with the room configured so that entry requires at least two authorised individuals present before the door will unlock, mirroring the dual-control principle applied to the ceremony itself. There should be no windows facing publicly accessible areas, and any windows that do exist should be fitted with privacy film or blinds that are mandatorily closed during active ceremonies.

No Uncontrolled Devices or Network Connectivity

Personal phones, smart watches, and any other device with a camera or microphone should be prohibited inside the room during an active ceremony, with a secure storage point immediately outside the room for participants to leave devices before entering. The room itself should have no unmanaged network connectivity; any systems used during the ceremony should be air-gapped or connected only to a purpose-built, isolated network segment that is verified clean before each use. Ventilation, power, and cabling should be inspected periodically for signs of tampering, since these are common points for covert surveillance equipment to be introduced.

Recording and Witness Requirements

Ceremonies should be recorded on video for audit purposes, with the recording equipment itself controlled by a party independent of ceremony participants to prevent tampering with the record. A minimum of three roles should be present for any material key ceremony: the operator performing the technical steps, an independent witness verifying the process is followed correctly, and where the organisation's governance requires it, an external auditor or compliance representative. Every ceremony should produce a signed, dated written record capturing what was generated, who was present, and what physical evidence (such as tamper-evident bags for key shares) was used and sealed at the conclusion.

HSM Physical Protection: Tamper Evidence, FIPS 140-3 and Placement

Hardware security modules are designed with physical protection built into the device itself, but that built-in protection only delivers its intended value when the surrounding environment and operational procedures are equally rigorous.

Certification Level as a Baseline, Not a Guarantee

FIPS 140-3 defines physical security requirements across multiple levels, and institutional custody operations should generally specify Level 3 as a floor, which requires identity-based authentication for access to the module and tamper response mechanisms that actively erase (zeroise) sensitive key material when intrusion is detected, rather than merely leaving visible evidence after the fact. Level 4 adds protection against environmental manipulation (extreme temperature or voltage changes used to induce faults that could bypass other protections) and is appropriate for the highest-value custody environments and regulated institutional operators. Certification is necessary but not sufficient: a Level 3 device installed in an unsecured server room with unrestricted physical access provides materially less protection than its rating suggests.

Placement and Environmental Control

HSMs should be installed in locked, access-logged cabinets within a restricted-access room, never in open racks accessible to general data centre staff or visiting vendors. Physical access to the cabinet should require a credential distinct from general facility access, ideally tied to named individuals with a defined operational need rather than a shared or role-based credential. Environmental monitoring (temperature, humidity, and power stability) should be maintained and alarmed independently of the HSM's own tamper detection, since environmental stress is sometimes used as a precursor to a physical attack attempt.

Tamper Evidence as an Operational Discipline

Tamper-evident seals, whether on the HSM chassis itself or on the cabinet housing it, should be inspected on a defined schedule and logged, not merely relied upon passively. A seal that has not been checked in months provides no practical security benefit even if it remains intact, because a compromise could have occurred and been concealed at any point in that window. This inspection discipline should be written into the same operational procedures that govern hardware security modules more broadly, so that physical checks are treated with the same seriousness as logical access reviews.
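As an added illustration (not code from the original article), the following Python audits a constructed seal-inspection log against the discipline described above: every device in inventory must have been inspected within the defined interval, a device with no inspection record at all is flagged, and a seal serial that changes between consecutive inspections without an authorised re-seal record is treated as possible tampering. Device names, serials, inspector names and dates are constructed sample values.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (hypothetical devices, serials, inspectors and dates).
INVENTORY = {"hsm-01", "hsm-02", "hsm-03", "vault-a"}
SEAL_LOG = [
    {"device": "hsm-01", "seal": "SEAL-1001", "date": "2024-01-05", "inspector": "alice"},
    {"device": "hsm-01", "seal": "SEAL-1001", "date": "2024-02-02", "inspector": "bob"},
    {"device": "hsm-01", "seal": "SEAL-1002", "date": "2024-02-20", "inspector": "carol"},
    {"device": "hsm-02", "seal": "SEAL-2001", "date": "2024-01-05", "inspector": "alice"},
    {"device": "hsm-02", "seal": "SEAL-2007", "date": "2024-02-02", "inspector": "carol"},
    {"device": "vault-a", "seal": "SEAL-3001", "date": "2023-10-01", "inspector": "bob"},
]
# Re-seals recorded through change control as (device, new serial). hsm-01's
# change to SEAL-1002 is authorised; hsm-02's change to SEAL-2007 is not.
AUTHORISED_RESEALS = {("hsm-01", "SEAL-1002")}


def audit_seals(inventory, log, authorised_reseals, today, max_interval_days):
    """Return findings as (code, device, detail) tuples, grouped by device."""
    findings = []
    by_device = defaultdict(list)
    for entry in sorted(log, key=lambda e: e["date"]):  # ISO dates sort lexically
        by_device[entry["device"]].append(entry)

    for device in sorted(inventory):
        entries = by_device.get(device)
        if not entries:
            # A seal that has never been checked gives no assurance at all.
            findings.append(("NEVER_INSPECTED", device, ""))
            continue
        # A serial that changes between consecutive inspections means the seal
        # was broken and replaced; without a change-control record, treat it as
        # possible tampering rather than a clerical error.
        for prev, cur in zip(entries, entries[1:]):
            if prev["seal"] != cur["seal"] and (device, cur["seal"]) not in authorised_reseals:
                findings.append(("SERIAL_CHANGED", device, f"{prev['seal']}->{cur['seal']}"))
        # An intact seal that is not inspected on schedule is not evidence of anything.
        age_days = (today - date.fromisoformat(entries[-1]["date"])).days
        if age_days > max_interval_days:
            findings.append(("OVERDUE", device, f"{age_days} days since last inspection"))
    return findings


def demo_findings():
    """Run the audit over the sample log with a 30-day inspection interval."""
    return audit_seals(INVENTORY, SEAL_LOG, AUTHORISED_RESEALS, date(2024, 3, 1), 30)


if __name__ == "__main__":
    for code, device, detail in demo_findings():
        print(f"{code:16} {device:8} {detail}")
```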

Cold Storage Vault Specifications for Institutional Crypto

Cold storage removes network-based attack vectors by keeping key material entirely offline, but it introduces a different category of risk entirely: theft, coercion, and unauthorised physical access to hardware wallets, written seed backups, or metal seed plates. The vault housing this material needs to be specified with the same rigour as a bank vault holding physical bullion, because in value terms, that is frequently an accurate comparison.

Vault Construction and Rating

Institutional cold storage should use a vault or safe rated to a recognised commercial security standard for both burglary resistance and fire protection, sized appropriately for the volume of hardware devices and backup media held. The vault should be installed within a room that itself has restricted access, rather than being the sole control in an otherwise generally accessible space, so that defeating the vault requires first defeating an independent layer of access control.

Access Structure and Dual Control

No single individual should be able to access cold storage contents alone. This is typically enforced through split custody of access credentials (for example, separate combination and physical key holders, or multi-person authentication for electronic vault access), geographic distribution of backup shares across multiple vault locations so that no single site compromise is catastrophic, and mandatory logging of every access event including the individuals present, the reason for access, and what was retrieved or returned. Access frequency should itself be minimised and monitored: a cold storage vault accessed far more often than its operational purpose requires is a signal worth investigating in its own right.
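The access-log checks described above, as an added example that is not part of the original article: the Python below runs over a constructed vault access log and flags any access without two distinct people present, any presence of a person outside the named custodian list, any access with no recorded reason, and the first sliding window in which access frequency exceeds what the vault's purpose justifies. Names, timestamps, ticket ids and the 7-day / 3-access threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Named custodians with a defined operational need (constructed sample).
AUTHORISED = {"alice", "bob", "carol"}

# Constructed sample vault access log; timestamps, names and ticket ids are
# hypothetical. Each entry records who was present, why, and what moved.
VAULT_LOG = [
    {"ts": "2024-03-01T09:00", "present": ["alice", "bob"], "reason": "CHG-101 seal check", "items": "none"},
    {"ts": "2024-03-08T14:30", "present": ["carol"], "reason": "CHG-102 retrieve share 2", "items": "share-2 out"},
    {"ts": "2024-03-09T10:00", "present": ["alice", "dave"], "reason": "CHG-103 return share 2", "items": "share-2 in"},
    {"ts": "2024-03-10T10:00", "present": ["alice", "bob"], "reason": "", "items": "wallet-1 out"},
    {"ts": "2024-03-10T16:00", "present": ["alice", "bob"], "reason": "CHG-105 return wallet", "items": "wallet-1 in"},
    {"ts": "2024-03-11T11:00", "present": ["bob", "carol"], "reason": "CHG-106 seal check", "items": "none"},
]


def audit_vault_access(log, authorised, window_days, max_per_window):
    """Return findings as (code, timestamp, detail) tuples."""
    findings = []
    entries = sorted(log, key=lambda e: e["ts"])
    for e in entries:
        present = set(e["present"])
        # Dual control: at least two distinct people must be present.
        if len(present) < 2:
            findings.append(("SINGLE_PERSON", e["ts"], ",".join(sorted(present))))
        # Only named, authorised custodians may be in the vault.
        unauthorised = present - authorised
        if unauthorised:
            findings.append(("UNAUTHORISED_PRESENT", e["ts"], ",".join(sorted(unauthorised))))
        # Every access must carry a recorded reason alongside what was moved.
        if not e["reason"].strip():
            findings.append(("NO_REASON", e["ts"], e["items"]))
    # Frequency: report the first sliding window holding more accesses than
    # the vault's operational purpose requires.
    times = [datetime.fromisoformat(e["ts"]) for e in entries]
    window = timedelta(days=window_days)
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= window)
        if count > max_per_window:
            findings.append(("EXCESS_FREQUENCY", entries[i]["ts"],
                             f"{count} accesses in {window_days} days (limit {max_per_window})"))
            break
    return findings


def demo_vault_findings():
    """Run the audit over the sample log with a 7-day window and a limit of 3."""
    return audit_vault_access(VAULT_LOG, AUTHORISED, window_days=7, max_per_window=3)


if __name__ == "__main__":
    for code, ts, detail in demo_vault_findings():
        print(f"{code:22} {ts} {detail}")
```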

Geographic and Jurisdictional Distribution

For institutional operations holding significant value, distributing cold storage across multiple physically and jurisdictionally separate vault locations protects against single-site risks ranging from natural disaster to coordinated physical attack to local regulatory seizure. This distribution needs to be balanced against operational recovery time; a scheme so distributed that legitimate fund recovery becomes impractical is itself a risk, which is why vault distribution decisions should be made jointly with the firm's broader cold storage policy and business continuity planning.

Data Centre Access Controls for Validator and Node Infrastructure

Validator nodes and staking infrastructure present a different physical risk profile from cold storage: the hardware is typically online and operationally active rather than sealed away, which means physical access controls need to account for routine maintenance access without creating windows of opportunity for tampering, slashing-inducing sabotage, or key extraction.

Colocation and Cage-Level Segmentation

Validator hardware should be housed in a dedicated, locked cage or cabinet within the data centre rather than relying solely on the facility's general perimeter security, so that access is restricted to personnel specifically authorised for that operator's infrastructure rather than anyone with general data centre clearance. Access to the cage should require credentials separate from the data centre's own badge system where possible, with the operator maintaining an independent log rather than depending entirely on the facility's records.

Escort Requirements and Change Control

Any facility staff or third-party technician requiring access to the cage for maintenance should be escorted by the operator's own personnel or subject to real-time video verification, with all planned access pre-approved through a change control process. Unplanned or emergency access should trigger an immediate notification to the security team, not merely be logged for later review. Physical changes to validator hardware, including component replacement, firmware updates requiring physical access, or network cabling changes, should follow the same change management discipline as production software deployments, with rollback plans and a defined approver.

Signing Key Isolation From Validator Hardware

Where the validator architecture allows it, signing keys should be isolated from the validator node itself using a remote signer or HSM-backed signing service, so that physical compromise of the validator hardware in the data centre does not directly expose signing capability. This separation also limits the operational impact of a facility-level incident, since the validator can potentially be rebuilt or migrated without the signing infrastructure ever having been exposed.

Electromagnetic Eavesdropping and TEMPEST Considerations

At the upper end of institutional custody, particularly for regulated custodians and firms managing state or enterprise-scale treasuries, physical security planning should extend to electromagnetic emissions. TEMPEST is the long-established discipline, originating in defence and intelligence contexts, of studying and mitigating unintentional electromagnetic radiation from electronic equipment that can be intercepted at a distance to reconstruct the data being processed, including keystrokes, displayed screen content, or internal signal states.

When This Threat Model Applies

For the majority of Web3 firms, TEMPEST-grade shielding is disproportionate to the realistic threat model; it is a control associated with nation-state level adversaries and extremely high-value, high-profile targets. It becomes a relevant consideration specifically for key ceremony rooms and HSM environments operated by institutional custodians, systemically important staking operators, or firms that have specific threat intelligence indicating targeting by a sophisticated state-linked actor. Our team's background in defence-sector security informs how we assess whether this threat model genuinely applies to a given client, rather than recommending shielding as a default that most firms do not need.

Practical Mitigations Short of Full Shielding

Where full TEMPEST-rated shielding is not justified, partial mitigations still reduce exposure meaningfully: locating key ceremony rooms away from external walls and publicly accessible adjacent spaces, using shielded cabling for any equipment involved in key generation or display, and maintaining physical separation between ceremony equipment and any external-facing wireless infrastructure. Firms operating at a scale where full shielding is warranted should engage specialists with defence-sector accreditation for room certification, since this is a highly specialised discipline distinct from general physical security design.

Physical Security Incident Response: What to Do When Hardware Is Missing

A missing or unaccounted-for HSM, hardware wallet, or seed backup should never be treated as an inventory discrepancy to be resolved administratively. It should trigger an immediate, predefined incident response sequence built on the assumption that the key material may already be compromised.

Immediate Actions

The response should begin with treating any associated keys as potentially compromised and initiating rotation or fund migration procedures without waiting for confirmation of misuse, since the time between physical loss and exploitation can be very short and the cost of an unnecessary rotation is far lower than the cost of a confirmed theft. In parallel, all credentials, access badges, and permissions associated with the missing hardware or the personnel with legitimate access to it should be reviewed and, where appropriate, revoked or reset. Physical access logs for the relevant location and time window should be pulled immediately, before retention policies or system limitations make that data harder to recover.

Investigation and Governance

A missing device investigation should establish a clear chain of custody for the period leading up to the loss, identify every individual who had legitimate access during that window, and determine whether the loss is consistent with accidental misplacement, theft, or insider action. This process depends heavily on the strength of the firm's separation of duties programme, since a well-segregated access model narrows the investigation to a small, identifiable set of individuals rather than the entire organisation. Regulatory and client notification obligations should be assessed early rather than left until the investigation concludes, since many jurisdictions and institutional client agreements impose specific disclosure timelines for security incidents involving custodied assets.

Post-Incident Hardening

Every physical security incident, including near misses and process violations that did not result in actual loss, should feed back into a review of the underlying controls: was the missing device properly logged, was dual control actually enforced in practice or only on paper, and were tamper-evident seals genuinely inspected on schedule? Physical security programmes that treat incidents purely as isolated events, rather than as evidence about the health of the broader control environment, tend to repeat the same failure modes with different hardware each time.

Frequently Asked Questions

What is a key ceremony room and why does it need dedicated physical security?

A key ceremony room is a controlled physical space used to generate, back up, or restore cryptographic key material under witnessed, auditable conditions. It needs dedicated physical security because the room itself becomes part of the trust boundary: if the room can be observed, entered, or tampered with by unauthorised individuals, the integrity of every key generated inside it is compromised regardless of the cryptography used.

What FIPS 140-3 level should institutional crypto custody HSMs meet?

Institutional custody operations should generally require HSMs certified to FIPS 140-3 Level 3 at minimum, which mandates identity-based authentication and tamper response mechanisms that actively zeroise key material on detected intrusion attempts. Level 4 adds environmental failure protection against extreme temperature or voltage manipulation and is appropriate for the highest-value custody environments.

Does cold storage still need physical security if keys are offline?

Yes. Offline status protects against remote network attacks but does nothing against theft, coercion, or insider access to the physical hardware or written key material itself. Cold storage requires vault-grade physical protection, access logging, and dual-control retrieval procedures precisely because the assets are only as secure as the room and the personnel with access to it.

What is TEMPEST and is it relevant to crypto key management?

TEMPEST refers to the study and mitigation of unintentional electromagnetic emissions from electronic equipment that can be intercepted to reconstruct the data being processed, including keystrokes or displayed information. It is relevant to the highest-security key ceremony environments, particularly for custody providers and institutional operations, where the value at risk justifies shielding against this class of eavesdropping.

What should happen immediately if an HSM or cold storage device goes missing?

The firm should treat the event as a confirmed key compromise rather than waiting for evidence of misuse, immediately triggering key rotation or fund migration procedures, revoking any credentials associated with the device, reviewing physical access logs for the relevant period, and notifying regulators or clients as required under the firm's incident response and disclosure obligations.
