Wallet keys Explained


Non-custodial wallets reside in a Fireblocks workspace that includes custodial Vault Accounts assigned to the customer.

Each non-custodial wallet has its separate keys. Also, the workspace includes one master key to serve the customer's vault accounts (not connected to the end user wallets).

Fireblocks non-custodial wallets use a 2-of-2 MPC signature scheme. One key share resides in an Intel SGX-enabled server managed by Fireblocks, and the other resides on the end user's device.


The Fireblocks workspace can include an unlimited number of non-custodial wallets and an unlimited number of wallet accounts inside each non-custodial wallet. Each wallet account can hold as many asset wallets as you need. However, you can only have one type of wallet asset per wallet account.

You can also use our non-custodial wallets in parallel with self-custodial wallets. One workspace can support both structures.

Secret key management and wallet derivation

The derivation for non-custodial wallets is almost the same as for self-custodial wallets. Each asset in a non-custodial wallet is derived according to the following structure:

m/purpose/coinType/account/change/index, where:

  • m is the master private key
  • purpose is the derivation standard (BIP-44 in our example)
  • coinType is the unique identifier of an asset (0 for BTC, 60 for ETH, etc.)
  • account is the vault account ID
  • change is always 0
  • index is the address index (always 0 except for UTXO-based assets)



In Non-Custodial Wallets, Bitcoin wallets can only have one deposit address per account, unlike self-custodial wallets that can have more that one deposit address within the same account.

This means that for any account, the derivation path for the BTC asset in it will always be m/44/0/accountId/0/0.

Unsure about which custody model is best for you?

Read our Guide to Digital Asset Wallets and Service Providers for insights into evaluating digital asset wallets and service providers for your business.