Documentation

Self Custodial vs Non-Custodial Wallets

📘

Unsure about which custody model is right for you?

Read our “Guide to Digital Asset Wallets and Service Providers” for insights into evaluating digital asset wallet and service providers for your business

Overview

Following are the main differences between self custodial and non-custodial wallets in Fireblocks.

  1. Self custodial wallets use a 3-of-3 multi-party computation (MPC) signature scheme while non-custodial wallets use a 2-of-2 signature scheme.
  2. There is only one master key per workspace for self custodial wallets, while each non-custodial wallet has its own master key.
  3. UTXO-based assets, such as BTC, can have multiple deposit addresses per wallet per vault account for self custodial wallets. For non-custodial wallets, one wallet can have multiple accounts while each account can hold only 1 BTC address.
  4. The Fireblocks Network and exchange integrations are supported for self custodial wallets only.

Self Custodial Wallets

Structure

  • The main section of the workspace is the Fireblocks Vault which holds all MPC wallets.
  • Inside the Vault, an unlimited number of vault accounts can be created. This allows to segregate between distinct clients and various use cases.
  • Each vault account can hold as many asset wallets as you need. However, you can only have one wallet per asset.
  • In a vault account, asset wallets can accommodate numerous deposit addresses for UTXO-based assets, while account-based assets are assigned with a single address.

Secret key management and wallet derivation

Each vault account is identified by its vault account ID. This identifier is used for derivation of the asset wallets in a specific vault account.

Using one master key (split into three key shards) for the entire workspace, you can create an unlimited number of vault accounts. The vault account ID acts as the account value of the derivation path.

Each asset within this specific Vault would be derived according to the following structure: m/purpose/coinType/account/change/index.

  • m: master private key
  • purpose: the derivation standard (BIP44 in our example)
  • coinType: the unique identifier of an asset (0 for BTC, 60 for ETH, etc.)
  • account: the vault account ID
  • change: always 0
  • index: the address index (always 0 except for UTXO based assets such as Bitcoin)

Non-Custodial Wallets

Structure

Fireblocks non-custodial wallets can be used in parallel with self custodial wallets. One workspace can support both structures. However, Fireblocks strongly recommends splitting the self custodial and non-custodial parts of your business into two different workspaces due to some settings that are shared by both types of wallets in the same workspace.

Fireblocks non-custodial wallets use 2-of-2 MPC signature scheme. One key share is stored within an Intel SGX-enabled server managed by Fireblocks, and the second key share is stored on the end user's device.

Secret key management and wallet derivation

The derivation for non-custodial wallets is almost the exact same as the derivation for self custodial wallets. The main difference is that each non-custodial wallet will have its own master key, which is split into two key shards. In a single non-custodial wallet, you can create an unlimited number of accounts while each account can have only one supported asset per asset type.

📘

Note

Bitcoin wallets can only have one deposit address per account, unlike self custodial wallets that can have more that one deposit address within the same account. This means that for any account, the derivation path for the BTC asset in it will always be: m/44/0/accountId/0/0.