1. Knowledge Base
  2. Keys
  3. Key replacements and recovery

How do I conduct a key replacement?

If a key becomes compromised, Unchained offers a way to replace a key.

If a key becomes compromised or your seed phrases are misplaced, it's best practice to replace this key in your multisig quorum.

First, make sure a key replacement is necessary before attempting one. If you’re unsure, you can contact Unchained support or read our blog article on this subject. If you are absolutely sure that you need to do a key replacement, keep reading for more.

Warning: The following steps impact the keys securing your bitcoin, and missteps can result in permanent loss of funds. If you'd like to speak one-on-one with a bitcoin expert to walk through this process, purchase a Premium Support session.

 

What you'll need

To replace a key, you'll need the following:

  • An Unchained account with an active key
  • A new key uploaded to the platform

Video Guide:

1. Upload a new key.

Choose the guide that corresponds with your hardware wallet:

2. Perform the key replacement.

  1. Navigate to your keys dashboard.
  2. Select the key you want to replace.
  3. Click on Replace Key.
  4. Review whether or not you need to perform a key replacement, acknowledge the disclaimer, and press Next.
  5. Answer whether or not you can sign a transaction with your key. If you still have the hardware wallet for this key, click Yes. If it's lost or stolen, click No.
  6. Select a replacement key.
  7. Acknowledge the disclaimer that this process is irreversible and select Start key replacement.
  8. Sign and broadcast the automatically-generated sweep transactions for any vaults or loans using the compromised key.

3. Securely store your new hardware wallet and seed phrase. Do not throw away or destroy your old seed phrase.

Following operational security best practices, you should securely store the new hardware wallet and seed phrase backup.

Tip: Keep the hardware wallet corresponding to the lost seed phrase. Mark it with a pen or stamp as “lost device” or “compromised key” but keep it secure. You can also rename the impacted key in the Unchained platform to reflect that it shouldn't be used.

 

Suppose you accidentally send bitcoin to an address secured by the old key. You’ll need that seed phrase to recover the bitcoin.

4. Download and secure your new wallet configuration file for all affected vaults.

If your key replacement affects multiple vaults, you must re-download the wallet configuration file for each vault. Store the file in a safe place like a password manager or password-protected cloud storage.

Caution: Because you replaced your key, your vault has a new wallet configuration file. You should delete old config files or rename them to indicate they are old or retired.

5. Register your new key with all affected vaults.

Pick the correct guide if your new key is a Ledger or Coldcard. Trezors do not need to be registered with your vault.

6. Remove or adjust any whitelisted addresses.

Many exchanges allow or may even require users to verify receive addresses by “white-listing” or “allow-listing” before sending funds. If you have done this, replace any white-listed addresses at your exchange with a new deposit address. Your new vault has a unique set of addresses associated with it, and bitcoin sent to addresses of old or compromised keys may be lost. 

That's it!

If you followed the above steps correctly, your Unchained vault should be controlled by three new  keys: your original non-compromised key, the newly-generated key and associated hardware wallet, and Unchained's key. You can verify this by performing a test withdrawal.