
Choosing your keyholders

When Matthew Mellon died unexpectedly in April 2018, roughly $193 million of his $200 million estate was locked in XRP that he had taken unusual care to secure. He kept the keys in cold wallets distributed across bank vaults in different cities, registered under aliases only he could identify. Nobody else knew where the vaults were, and nobody else knew the names. Three years of legal proceedings later, his estate had been settled, but a substantial portion of the holdings was never recovered.

The story is sometimes told as a self-custody cautionary tale. It is more usefully read as a limit case of a general fact: threshold cryptography is a math problem only until the moment of recovery. At that moment, it becomes a social problem, and the social problem is one that has to be designed for years or decades in advance.

A 3-of-5 scheme requires three keyholders to be reachable, willing, alive, competent, and uncorrupted at the moment recovery is initiated. The first dial of a threshold scheme is the math: m and n. The second dial, which gets less attention, is who. A well-chosen m and n with the wrong keyholders fails as completely as a scheme that has lost more than n minus m shares, and the math gives no warning in either case.

Categories of keyholder

There is no single right kind of person to hold a share. Each category has characteristic strengths and characteristic ways of failing.

Close family and partner. Highest baseline trust, lowest baseline competence with cryptographic material, highest correlation with you (same household, same fire, same legal estate, sometimes the same social-engineering target). Best used for one share; you and the people who share your household or estate should never hold m shares between you. Vulnerable to relationship change in ways that are uncomfortable to plan for in advance and ruinous to ignore.

Close friends. Similar trust profile to family, lower legal entanglement, lower geographic correlation. Tend to be the best practical choice for one or two shares in a personal scheme, particularly if they live in different cities or countries. The usual caveat applies: friendships that look durable today may not look durable in twenty years, and the design has to accept that.

Professionals. Lawyer, notary, accountant, family office. Higher operational competence, longer institutional memory than any individual relationship, and a fiduciary structure that survives the death or departure of any one person. The cost is fees, paperwork, and the loss of anonymity. Useful as one of m shares in a higher-stakes scheme, rarely as the only category.

Institutional escrow. A safe-deposit box at a bank you don't otherwise use, a dedicated digital-inheritance service, a custody firm. Highest durability, lowest discretion. The institution will follow its own rules, not yours, so the scheme has to specify the conditions under which they release the share rather than assuming you can negotiate them at the moment.

Self-distributed. Shares held by you in geographically distinct locations: a safe at home, a safe-deposit box, a sealed envelope at a parent's house. Mathematically a special case of "trusted person", with you as the sole trusted person. Provides geographic redundancy without involving anyone else, at the cost that under coercion an attacker who controls you controls every share, and the threshold protects nothing.

Most workable schemes mix categories. A 3-of-5 might be: one self-held, one with a partner, one with a friend in another city, one with a lawyer, one in a safe-deposit box.

Qualities you actually need

The categories above are shorthand. The underlying properties are what determine whether the scheme will work. For each share you place, the keyholder should be:

  • Durable. Likely to be reachable in fifteen or twenty years. Family ties qualify; some friendships qualify; institutions usually qualify; recent acquaintances do not.
  • Discreet. Capable of holding a share for decades without mentioning it casually, posting about it, or storing it somewhere it can be found by accident.
  • Minimally competent. Capable of physically retrieving the share when asked, including the version of "asked" that involves a phone call from your executor in fifteen years.
  • Geographically separated. From you and from other keyholders, so that no single fire, flood, or legal action can disable a quorum.
  • Independent. Has interests that don't naturally align with other keyholders, so that collusion would require crossing real social lines rather than a phone call.
  • Willing. Has agreed to the role and understands that it is a long-term commitment, not a favour they can quietly forget about.

The willing requirement is the most often skipped. Handing someone a sealed envelope without telling them what it is, or telling them and not asking whether they want the responsibility, leaves you with a share that may not exist when needed.

The brief

What you tell each keyholder matters as much as which person you choose. A workable brief includes:

  • What they have. "This is one of several pieces of information needed to recover sensitive material I own. On its own it does nothing."
  • When to use it. A specific recovery condition: a request from you, a death certificate presented to your executor, a written instruction recorded in your will.
  • What not to do. Do not combine it with other shares without your involvement. Do not hand it to anyone claiming to be acting on your behalf without verification. Do not tell other keyholders what they hold.
  • Where to find the rest, but only when needed. A pointer (typically sealed, or held by a professional) to who else holds shares. The standard guidance is that keyholders should not know each other's identities by default, because that is the property that defends against collusion.
  • What to do if you are no longer reachable. A short procedure that does not require you to be alive, conscious, or available.

Time horizons and rotation

Keyholder relationships are not static. The events that should prompt a review of your scheme include marriage, divorce, the birth of a child, the death of any keyholder, a keyholder moving to a different country, a significant change in the value of what is being protected, and any deterioration of trust. Outside of those triggers, an annual review that all keyholders are still alive, reachable, and trustworthy is approximately the right cadence.

Rotating a keyholder is not difficult, but it has to be planned. The cleanest mechanism is to recover the secret yourself, generate a fresh threshold split, and distribute new shares; the old shares then only recombine with each other, so the departed keyholder's copy is harmless unless m minus one other old shares also survive. The tempting shortcut of issuing a replacement share on the existing split (which any quorum can compute) revokes nothing: the departed keyholder's share remains valid and still combines with any m minus one current shares, so the confidentiality of the scheme now rests on that person having destroyed it.
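The difference between the two rotation mechanisms, as an added example that is not part of the original post: a minimal Shamir split over the prime field GF(2^127 - 1), the "swap one share in place" shortcut that derives a replacement share on the existing polynomial, and a proper re-split. The share layout, the demo secret, and all function names are assumptions made for illustration; a real deployment would use an audited library, but what each move does and does not revoke is inherent to the scheme and is what the code shows.

```python
import random
import secrets

# Field: the Mersenne prime 2^127 - 1, large enough for a 16-byte secret.
P = 2**127 - 1


def _eval(coeffs, x):
    """Evaluate the polynomial sum(coeffs[i] * x^i) at x, mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _lagrange(points, at):
    """Evaluate, at `at`, the unique polynomial of degree < len(points)
    through the given (x, y) points. at=0 recovers the secret."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share x-coordinates must be distinct and nonzero")
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * ((at - xj) % P) % P
                den = den * ((xi - xj) % P) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split(secret, m, n, rng=None):
    """Shamir split: random degree-(m-1) polynomial with f(0) = secret; share i
    is (i, f(i)) for i = 1..n. The dealer keeps nothing but the shares.
    `rng` only makes the demo reproducible; by default the OS CSPRNG
    (secrets) supplies the coefficients."""
    if not (1 <= m <= n < P and 0 <= secret < P):
        raise ValueError("parameters out of range")
    draw = rng.randrange if rng is not None else secrets.randbelow
    coeffs = [secret] + [draw(P) for _ in range(m - 1)]
    return [(x, _eval(coeffs, x)) for x in range(1, n + 1)]


def combine(shares):
    """Recover f(0) from any m shares. Fewer than m shares does not raise;
    it silently yields a wrong value, so quorum size is enforced by policy,
    not by the math."""
    return _lagrange(shares, 0)


def reissue_in_place(quorum, new_x):
    """The shortcut: from a quorum, derive a replacement share on the SAME
    polynomial at a fresh x. Every share ever issued stays valid."""
    return (new_x, _lagrange(quorum, new_x))


def rotation_demo(m=3, n=5, seed=None):
    """Lose the keyholder at x=2 and replace them both ways; report what
    each move did to the departed share."""
    rng = random.Random(seed) if seed is not None else None
    secret = 0x5EC2E7_C0FFEE_1234_5678_9ABC_DEF0  # constructed demo secret
    shares = split(secret, m, n, rng)
    departed = shares[1]                               # holder of x=2 leaves
    remaining = [s for s in shares if s is not departed]

    # Shortcut: the remaining quorum mints x=n+1 for the replacement holder.
    replacement = reissue_in_place(remaining[:m], n + 1)
    old_still_valid = combine([departed, replacement] + remaining[:m - 2]) == secret

    # Proper rotation: recover, re-split on a fresh polynomial, redistribute.
    recovered = combine(remaining[:m])
    fresh = split(recovered, m, n, rng)
    # Old x=2 share with new x=3.. shares: different polynomials, garbage out.
    old_revoked = combine([departed] + fresh[2:m + 1]) != secret

    return {
        "recovered_matches": recovered == secret,
        "in_place_swap_leaves_old_share_valid": old_still_valid,
        "fresh_split_revokes_old_share": old_revoked,
        "undersized_quorum_silently_wrong": combine(fresh[:m - 1]) != secret,
        "fresh_quorum_still_works": combine(fresh[:m]) == secret,
    }


if __name__ == "__main__":
    for check, outcome in rotation_demo(seed=1).items():
        print(f"{check}: {outcome}")
```

Two practical points fall out of running it. The in-place swap is cheaper (no recovered secret ever sits in one place), which is exactly why it is tempting, but the departed share keeps working with any two current ones. And `combine` never complains about an undersized quorum: it returns a wrong value with the same confidence as the right one, so the check that m shares were actually presented belongs in the procedure, not the arithmetic.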

Coercion, collusion, and geography

A useful operational principle: the scheme should require travel to assemble a quorum. Physical separation slows down coercion. If three of your keyholders are in three cities, an attacker pressuring you in real time cannot quietly reconstruct the secret from the room you are in. The same property defends against several other failure modes: a single seizure, a single subpoena, a single fire.

Collusion is harder to defend against because it is consensual. The mitigation is interest divergence. Pick keyholders who would not naturally cooperate: a sibling and a lawyer, a friend in another country and a notary, a partner and a parent of a different family branch. The goal is not to make collusion impossible (it cannot be) but to require a coordination effort proportional to the value being protected.
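The separation and independence checks from the qualities list, together with the coercion and collusion points of this section, reduce to a small amount of bookkeeping over the layout. The following is an added example, not part of the original post: it takes the post's 3-of-5 layout (one self-held, partner, friend in another city, lawyer, safe-deposit box), tags each share with the failure domains it sits in and the parties who can produce it without travel, and asks whether any single event disables a quorum, what an attacker gets by coercing you at home, and how many independent parties a collusion must recruit. All tags, both layouts, and the function names are assumptions made for illustration.

```python
from itertools import combinations

M, N = 3, 5  # the post's 3-of-5 layout

# Constructed example; every tag is an assumption made for illustration.
# "loss":  one event (fire, flood, seizure, probate freeze, firm collapse)
#          takes out every share carrying that tag at once.
# "reach": whoever controls that tag can produce the share on the spot, with
#          no travel and nobody else to persuade. "me" is you, coerced.
NAIVE = {
    "self-held":    {"loss": {"house", "city-A", "my-estate"}, "reach": {"me", "household"}},
    "partner":      {"loss": {"house", "city-A", "my-estate"}, "reach": {"household"}},
    "friend":       {"loss": {"city-B"},                        "reach": {"friend"}},
    "lawyer":       {"loss": {"city-A", "law-firm"},            "reach": {"law-firm"}},
    "safe-deposit": {"loss": {"city-A", "bank", "my-estate"},   "reach": {"me", "bank"}},
}

# Same five categories, re-placed: lawyer in a third city; the box at a bank
# in city B that is not in your name, with key and release instruction
# lodged with the law firm rather than held by you.
HARDENED = {
    "self-held":    {"loss": {"house", "city-A", "my-estate"}, "reach": {"me", "household"}},
    "partner":      {"loss": {"house", "city-A", "my-estate"}, "reach": {"household"}},
    "friend":       {"loss": {"city-B"},                        "reach": {"friend"}},
    "lawyer":       {"loss": {"city-C", "law-firm"},            "reach": {"law-firm"}},
    "safe-deposit": {"loss": {"city-B", "bank"},                "reach": {"law-firm", "bank"}},
}


def holders_with(layout, kind, tag):
    """Keyholders whose share carries `tag` under `kind` ('loss' or 'reach')."""
    return {name for name, tags in layout.items() if tag in tags[kind]}


def tags_of(layout, kind):
    return sorted(set().union(*(t[kind] for t in layout.values())))


def single_event_failures(layout, m):
    """Loss tags whose one event leaves fewer than m shares: the 'no single
    fire, flood or legal action can disable a quorum' check."""
    n = len(layout)
    return {tag: sorted(holders_with(layout, "loss", tag))
            for tag in tags_of(layout, "loss")
            if n - len(holders_with(layout, "loss", tag)) < m}


def reachable_without_travel(layout, m, controlled):
    """Shares an attacker obtains by controlling all of `controlled` at once,
    e.g. {'me', 'household'} for you coerced at home. Returns (holders, quorum?)."""
    got = set().union(*(holders_with(layout, "reach", t) for t in controlled))
    return sorted(got), len(got) >= m


def min_colluding_parties(layout, m):
    """Fewest distinct reach tags that together hold m shares: how many
    independent parties a collusion has to recruit."""
    tags = tags_of(layout, "reach")
    for k in range(1, len(tags) + 1):
        if any(reachable_without_travel(layout, m, set(c))[1]
               for c in combinations(tags, k)):
            return k
    return None


def report(layout, m=M):
    """The three checks in one place, for the exercise at the end of the post."""
    return {
        "single_event_failures": single_event_failures(layout, m),
        "coerced_at_home": reachable_without_travel(layout, m, {"me", "household"}),
        "min_colluding_parties": min_colluding_parties(layout, m),
    }


if __name__ == "__main__":
    for name, layout in (("naive", NAIVE), ("hardened", HARDENED)):
        print(name, report(layout))
```

On the naive layout the checks find two things the prose warns about but that are easy to miss when the scheme is only a list of names: four shares sit in one city and three in your own legal estate, so one flood or one probate freeze leaves fewer than three, and you coerced at home can produce a quorum (your share, your partner's, and the box you hold the key to) without anyone travelling. The hardened layout passes both. Both layouts still report that two parties suffice to collude, because your share and your partner's share live in one household; that is the cost of the family share, and it is why the advice that correlated holders never hold m shares between them matters.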

Recovery and inheritance are different problems

The keyholders you would want for recovery (you, alive, locked out) and for inheritance (you, dead, heirs needing access) are not always the same set, and the brief is not the same brief. In the recovery case, the keyholders need to be convinced you are who you say you are, which is straightforward when you can call them. In the inheritance case, they need to be convinced you are dead, and that the person asking has the standing to assemble the quorum. The second case typically requires institutional involvement (executor, attorney, death certificate, will), and it usually means at least one of your keyholders should be a professional comfortable handling that paperwork.

Some schemes use disjoint sets of keyholders for the two cases. Most blur them and accept worse handling of the inheritance case. The choice is worth making explicit rather than discovering at the wrong moment.

A small exercise

For each share in your scheme, write down the keyholder and answer three questions about them. Will this person still be reachable in fifteen years? Would I trust their judgement at the moment of recovery as much as I trust it today? If the relationship deteriorated, would the rest of the scheme still work, and would I notice in time to rotate?

If any answer is uncertain, that share is fragile. The fragility will not show up in the math. It will show up the day you need it.