If a key becomes compromised, Unchained offers a way to replace a key.
If a key becomes compromised or your seed phrases are misplaced, it's best practice to replace this key in your multisig quorum.
First, make sure a key replacement is necessary before attempting one. If you’re unsure, you can contact Unchained support or read our blog article on this subject. If you are absolutely sure that you need to do a key replacement, keep reading for more.
Warning: The following steps impact the keys securing your bitcoin, and missteps can result in permanent loss of funds. If you'd like to speak one-on-one with a bitcoin expert to walk through this process, purchase a Premium Support session.
What you'll need
To replace a key, you'll need the following:
- An Unchained account with an active vault
- A new key uploaded to the platform
1. Upload a new key.
Choose the guide that corresponds with your hardware wallet:
- How do I upload a key using my Trezor?
- How do I upload a key using my Ledger?
- How do I upload a key using my Coldcard?
2. Perform the key replacement.
- Navigate to your keys dashboard.
- Select the key you want to replace.
- Click on Replace Key and author a transaction.
- Select the new key from the Choose Key dropdown menu.
- In the Can you sign section, confirm whether or not you can sign a transaction with the key being replaced.
  - If you still have access to the compromised key and can sign with it, leave the Can you sign toggle on.
  - If you no longer have access to the key, turn the toggle off.
- Click Replace Key.
- Confirm that you are sure of the change by clicking Replace.
- Record a verification video to approve the key replacement and submit it.
- Navigate to each vault affected by the key replacement, and you will see a pending "sweep transaction." Click View transaction.
- Acquire two key signatures, then Broadcast the transaction, just like you would for a withdrawal. You may request Unchained's key for one of the signatures.
3. Securely store your new hardware wallet and seed phrase. Do not throw away or destroy your old seed phrase.
Following operational security best practices, you should securely store the new hardware wallet and seed phrase backup.
Tip: Keep the hardware wallet corresponding to the lost seed phrase. Mark it with a pen or stamp as “lost device” or “compromised device” but keep it secure. You can also rename the impacted key in the Unchained platform to reflect that it shouldn't be used.
If you accidentally send bitcoin to an address secured by the old key, you'll need that seed phrase to recover the bitcoin.
4. Download and secure your new wallet configuration file for all affected vaults.
If your key replacement affects multiple vaults, you must re-download the wallet configuration file for each vault. Store the file in a safe place like a password manager or password-protected cloud storage.
Caution: Because you replaced your key, your vault has a new wallet configuration file. You should delete old config files or rename them to indicate they are old or retired.
5. Register your new key with all affected vaults.
Pick the correct guide if your new key is a Ledger or Coldcard. Trezor devices do not need to be registered with your vault.
6. Remove or adjust any whitelisted addresses.
Many exchanges allow or may even require users to verify receive addresses by “white-listing” or “allow-listing” before sending funds. If you have done this, replace any white-listed addresses at your exchange with a new deposit address. Your new vault has a unique set of addresses associated with it, and bitcoin sent to addresses of old or compromised keys may be lost.
If you followed the above steps correctly, your Unchained vault should be controlled by a new set of three keys: your original non-compromised key, the newly generated key and its associated hardware wallet, and Unchained's key. You can verify this by performing a test withdrawal.
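One way to check the result of step 4 before relying on a saved file, as an added example that is not Unchained's own code: it sorts wallet configuration files into current and stale by key fingerprint. It assumes the file is JSON in the Caravan-style layout, with an `extendedPublicKeys` list whose entries carry an `xfp` fingerprint and a `quorum.totalSigners` count; those field names, the function name and the sample fingerprints are assumptions, not taken from this page.

```python
import json

def audit_wallet_config(config_text, retired_xfp, new_xfp):
    """Classify one wallet configuration file after a key replacement.

    Returns (status, problems); status is "current", "stale" or "unrelated".
    Field names follow the assumed Caravan-style layout.
    """
    cfg = json.loads(config_text)
    keys = cfg.get("extendedPublicKeys", [])
    xfps = [str(k.get("xfp", "")).lower() for k in keys]
    quorum = cfg.get("quorum", {})
    problems = []
    if len(set(xfps)) != len(xfps):
        problems.append("duplicate key fingerprint")
    if quorum.get("totalSigners") != len(xfps):
        problems.append("key count does not match quorum.totalSigners")
    if retired_xfp.lower() in xfps:
        status = "stale"      # still lists the replaced key: rename or delete
    elif new_xfp.lower() in xfps:
        status = "current"    # lists the replacement key
    else:
        status = "unrelated"  # a vault the replacement did not touch
    return status, problems


def _sample(name, xfps):
    # Constructed sample data; fingerprints and xpub strings are placeholders.
    return json.dumps({
        "name": name,
        "quorum": {"requiredSigners": 2, "totalSigners": 3},
        "extendedPublicKeys": [
            {"name": f"key-{i}", "xfp": x, "xpub": f"xpub-PLACEHOLDER-{i}"}
            for i, x in enumerate(xfps)
        ],
    })

RETIRED, NEW = "0badc0de", "5eedf00d"  # constructed fingerprints
SAMPLES = {
    "vault-old.json": _sample("vault", ["11111111", RETIRED, "22222222"]),
    "vault-new.json": _sample("vault", ["11111111", NEW, "22222222"]),
}

if __name__ == "__main__":
    for filename, text in SAMPLES.items():
        print(filename, audit_wallet_config(text, RETIRED, NEW))
```

A file reported as stale is the one to rename or delete per the caution in step 4; a non-empty problems list means the file should be re-downloaded rather than trusted.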