3-of-5 Key Shield

Target Use and Audience

Casa’s flagship premium key management scheme is the 3-of-5 Key Shield. It is the highest security product offered by Casa, designed for clients with large bitcoin balances ($100k to $1mil and up) and with the strongest security needs. Like all Casa products, Key Shield is a sovereign storage system. Casa does not have the ability to control the client’s funds.

System Details

Three keys are needed to sign a transaction with Key Shield. The five total keys are typically distributed as follows:

  • 1 key on the client’s mobile phone

  • 1 hardware key kept at home

  • 1 hardware key at a separate location, such as an office

  • 1 hardware key kept in a third location, such as a safety deposit box

  • 1 emergency backup key kept by Casa

Features provided with the 3-of-5 Key Shield include:

  • Emergency Recovery Service - Casa offers an assisted recovery service in case the client loses two of their keys.

  • Mobile Key Backup - An encrypted copy of the mobile key is kept in the cloud storage offered by the client’s mobile provider (iCloud or Google Drive). The decryption key is kept by Casa. This allows a client to recover their mobile key if it is lost, for example by dropping their phone off a boat. At the same time, neither Casa nor the mobile provider have access to the key.

  • 24/7 Live Support with Client Advisor - Key Shield comes with live phone support from a dedicated client advisor who you know by name. Your Client Advisor can also call in dedicated engineering support to help solve even the most complicated issues.

  • Sovereign Recovery Instructions - Casa provides clear instructions for how to transfer funds to a new wallet at anytime without relying on Casa software. Casa clients get the best of both worlds with a fast, full-support user experience while also maintaining full control.

  • Casa App for iOS and Android - Casa App provides a simple, beautiful interface for managing your keys and funds.

  • Device Health Check - Periodic healthcheck protects from loss of keys due to bitrot.

  • Emergency Lockdown - The Emergency Lockdown button shuts off access to the app and API for a client, preventing unauthorized access. If a client is ever under attack, they can press this button to lockdown their account. Because the client holds most of the keys, the client is never fully locked out of their funds, but without access to our easy to use multisig interface an attacker will be slowed down significantly.

Threat Mitigation

Key Shield is designed to mitigate most sources of theft and loss.

  • Disaster - Multi-location key storage + emergency backup reduce risk of loss due to natural disaster such as a flood, fire, or tornado.

  • Inheritance Errors - Our highest-tier of service (diamond) offers an inheritance planning package with Key Shield.

  • Data and Credential Loss - There are no passphrases or seeds that the client needs to manage. The nature of 3-of-5 provides redundancy that protects against key loss. New keys can be swapped in for lost or compromised keys at any time and very quickly. The emergency backup key and mobile key backup provide additional layers of safety against loss due to user error.

  • Malware - Keyshield uses heterogeneous hardware and software platforms (Trezor + Ledger + iOS mobile OS + Android mobile OS) to protect against malware. Four out of five keys are kept offline, preventing remote key theft.

  • Credential Theft - Four out of five keys are kept on devices that cannot be accessed through user account credentials alone. The remaining mobile key is guarded by two sets of credentials (mobile account login + Casa login) or two biometric/PIN gates (the phone lock screen and the Casa App lock screen).

  • Network-based attacks - If Casa’s servers were compromised, the client’s private keys would still be safe because they are stored offline or on their mobile phone. No private keys are stored on Casa servers.

  • Phishing - All the details of signed transactions are confirmed independently on each hardware device, protecting against fake Casa apps or websites.

  • Supply Chain Attack - Key Shield does not rely on a single hardware or software vendor, so clients are protected against a supply chain attack. A thief would have to compromise multiple independent supply chains at the same time to attempt an attack.

  • Physical Coercion - Multi-location storage mitigates the risk of physical coercion. Clients could still be attacked, but any attacker will need to travel to multiple locations or stay with the client while client travels to multiple locations. The increase in actions, travel and time required to gain access to funds drastically increases the chances that an attacker will be detected and caught. By increasing the cost to attack Casa clients, many potential thieves will be deterred from even attempting an attack.

  • Code Dependency Attack - Mitigated by heterogenous software and hardware.

  • Official Seizure - Because Key Shield is a sovereign storage system, there is no centralized point that can be attacked for seizure. If officials wanted to confiscate the bitcoin of Casa clients, they would have to go to each Casa client individually.