BitGo’s self-managed cold wallets give organizations the ability to take their security into their own hands while still leveraging BitGo’s technology and processes.
To put it simply: If a hot wallet is like a debit card and a custodial wallet is like a bank vault, then self-managed custody is like installing your own safety-deposit box at home.
In this post, we’ll walk through the basics of self-managed cold wallets, break down the different groups who find them most useful, and dive into a more detailed explanation of how they work.
The basics
All BitGo wallets work on a “2-of-3” basis, meaning they come with three keys (client key, platform key, and backup key), two of which must be used to sign any transaction.
BitGo offers different types of wallets, however — each optimized for a unique purpose and varying in terms of who holds the keys and where.
Best for liquidity, hot wallets require the customer to hold the client key and the backup key. In this setup, the client key is generated and stored online so transactions can be created and signed more quickly.
Best for extra security, custodial wallets involve BitGo holding all three keys, with your client and backup keys kept in offline, cold storage. This means transactions get processed more slowly, but also makes it dramatically harder for a hacker to steal the keys.
In self-managed cold wallets, customers effectively manage their own cold storage using BitGo’s technology while holding the client and backup keys.
Schematically, this looks a bit more like the hot wallet diagram — with one very crucial difference. Rather than the client key getting held online, it’s held offline.
This single difference completely changes the mechanics of how transactions get generated and signed (which we’ll cover below). The end result, though, is that sending funds entails a more involved, comprehensive process — which is entirely the point. The extra friction provides extra protection against someone absconding with your funds.
Who uses self-managed cold wallets and why
Self-managed cold wallets work best for two groups:
First, security-minded institutions who want additional protection and are willing to sacrifice transaction speed to get it. Leveraging BitGo’s technology can help them build a more sophisticated setup than simply relying on a hardware device for self-custody.
Note that organizations often use multiple BitGo wallet types and divide their funds across each according to their preference. Some companies, for instance, will save the portion held in self-managed cold wallets as a reserve, using the funds only for large-but-infrequent transactions.
In any event, these institutions should have a security organization in place that can run “key ceremonies” (to generate and assign key shards) and make sure the keys are stored in a secure environment.
Second, organizations located in certain countries where the law requires keys to be managed locally. For example Japan requires the client key be held on Japanese soil, and so self-managed cold custody provided by BitGo is an excellent option.
How self-managed cold wallets help
Self-managed cold wallets offer three key benefits:
-
Stay secure. Like with BitGo’s custodial wallets, self-managed cold wallets ensure your keys never get exposed online, thereby making it safer to use. Moreover, you can also still use BitGo’s wallet policies — like whitelisting, roles and permissions, and velocity limits — to add even more layers of protection.
-
Stay compliant. For organizations in certain jurisdictions, using self-managed cold wallets will help them comply with the law.
-
Stay flexible. Advanced users can choose how they want to store and leverage their client and backup keys, and potentially build more sophisticated setups.
How self-managed custody works
To set-up self-managed cold wallets, clients combine their hardware with our software.
“Hardware,” in this case, refers to “air-gapped” laptops, which means the network card has been removed so that each laptop is physically incapable of connecting to the internet.
“Software,” meanwhile, refers to a BitGo application called “Offline Vault Console,” which enables the client to sign transactions without their client key ever being online.
Clients can then generate their keys offline using the OVC and shard them into any M-of-N solution they like (eg, 2-of-3, 3-of-6, 4-of-7). By fragmenting the client key into even smaller pieces and setting up these minimum thresholds, they can help ensure that no single person has the ability to sign an unauthorized transaction.
Once the client has completed setup, signing a transaction follows these general steps:
-
Create an “unsigned transaction” using the BitGo platform (via the interface or API)
-
Download that unsigned transaction to a microSD card
-
Take that microSD card to an air-gapped laptop
-
Use the client key (stored on a separate microSD card) to create a “half-signed transaction” using our Offline Vault Console; the OVC never stores your private keys in its memory
-
Upload the half-signed transaction back to BitGo
-
BitGo will check the transaction against your wallet policies and, if it passes, will complete the signature and broadcast the transaction to the blockchain
The client can therefore take a larger role in managing their own security while still leveraging BitGo’s wallet technology.
How to get started
To learn more about Self-Managed Cold Wallets, please visit our product page or reach out to our Sales team at sales@bitgo.com.
The latest
All News
About BitGo
BitGo is the digital asset infrastructure company, delivering custody, wallets, staking, trading, financing, and settlement services from regulated cold storage. Since our founding in 2013, we have been focused on accelerating the transition of the financial system to a digital asset economy. With a global presence and multiple regulated entities, BitGo serves thousands of institutions, including many of the industry's top brands, exchanges, and platforms, and millions of retail investors worldwide. For more information, visit www.bitgo.com.
©2025 BitGo, Inc. (collectively with its parent, affiliates, and subsidiaries, “BitGo”). All rights reserved. BitGo Bank & Trust, National Association (“BitGo Bank & Trust”) is a national trust bank chartered and regulated by the Office of the Comptroller of the Currency (OCC). BitGo Bank & Trust is a wholly-owned subsidiary of BitGo Holdings, Inc., a Delaware corporation headquartered in Palo Alto, California. Other BitGo entities include BitGo, Inc. and BitGo Prime LLC, each of which is a separately operated affiliate of BitGo Bank & Trust.
BitGo does not offer legal, tax, accounting, or investment advisory services. The information contained herein is for informational and marketing purposes only and should not be construed as legal, tax, or investment advice. You should consult with your own legal, tax, and investment advisor for questions about your specific circumstances.
Digital assets are subject to a high degree of risk, including the possible loss of the entire principal amount invested. Past performance and illustrative examples do not guarantee future results. The value of digital assets can fluctuate significantly and may become worthless. No BitGo communication is intended to imply that any digital asset services are low-risk or risk-free. BitGo is not a registered broker-dealer and is not a member of the Securities Investor Protection Corporation (“SIPC”) or the Financial Industry Regulatory Authority (“FINRA”). Digital assets held in custody are not guaranteed by BitGo and are not subject to the insurance protections of the Federal Deposit Insurance Corporation (“FDIC”) or SIPC. Custody and other digital asset services are subject to eligibility, jurisdictional, and regulatory restrictions. Availability of specific products and services may vary by location and entity.
BitGo endeavors to provide accurate information on its websites, press releases, blogs, and presentations, but cannot guarantee all content is correct, completed, or updated. Content is subject to change without notice. BitGo disclaims any obligation to update or supplement such information except as required by applicable law or regulation.
BitGo makes no representation that the information contained herein is appropriate for use in any jurisdiction where its distribution or use would be contrary to law or regulation or would subject BitGo or any of its affiliates to any registration or licensing requirements in such jurisdiction. Persons who access this information are responsible for complying with all applicable laws and regulations.