Overview

In Blockdaemon Institutional Vault, the cold wallet is an offline signing layer: MPC key material stays split across two air-gapped cold nodes (often in separate secure rooms). The hot (online) wallet is where you create activity, run policy, and prepare transactions; cold nodes only co-sign batches brought to them, so full signing keys are not held on internet-connected systems. Pairing is the one-time ceremony that binds hot infrastructure to those cold nodes, without it, cold-backed accounts and cold signing cannot operate. This guide covers pairing only; hot and cold use separate Vault accounts.

📘

Note:

Remember that Hot wallet and Cold wallet are separate entities.

Pairing the Hot & Cold Wallet

---
config:
  themeVariables:
    noteBkgColor: '#9370DB'
    noteTextColor: '#ffffff'
    noteBorderColor: '#4B0082'
  layout: dagre
  look: neo
  theme: redux
---
flowchart LR
 subgraph HOT["Online (hot) wallet infrastructure"]
    direction TB
        API_HOT["Wallet Service"]
        PN["MPC Policy node(s)"]
  end
 subgraph COLD_NODES["Air-gapped cold nodes"]
    direction TB
        COLD1["MPC Cold Node 1<br/>(Secure Room 1)"]
        COLD2["MPC Cold Node 2<br/>(Secure Room 2)"]
  end
    COLD_OP1["🧑‍💼 Cold Operator 1"]
    COLD_OP2["🧑‍💼 Cold Operator 2"]
    COLD_OP1 ~~~ COLD_OP2
    API_HOT -. "1a. Download Hot<br>pairing message" .-> COLD_OP1
    API_HOT -. "1b. Download Hot<br>pairing message" .-> COLD_OP2
    COLD_OP1 -. "2a. Upload Hot pairing" .-> COLD1
    COLD_OP2 -. "2b. Upload Hot pairing" .-> COLD2
    COLD1 <-- "3. Two-node MPC<br>over broker:<br>pairing + initial<br>presignature pool" --> COLD2
    COLD1 -. "4a. Export Cold pairing" .-> COLD_OP1
    COLD2 -. "4b. Export Cold pairing" .-> COLD_OP2
    COLD_OP1 -. "5a. Upload Cold pairing" .-> API_HOT
    COLD_OP2 -. "5b. Upload Cold pairing" .-> API_HOT
    API_HOT <-- "6. Persist cold pairing<br>&amp; master key" --> PN

    style PN fill:#FFCDD2
    style COLD2 fill:#BBDEFB
    style COLD1 fill:#BBDEFB

Cold pairing process

The diagram is the one-time setup: it establishes trust and exchanges pairing key material between the online Wallet Service / Policy nodes and two air-gapped MPC cold nodes. Full cold signing keys never leave the cold environment.

What the diagram shows

• Steps 1–2 — Hot → cold: The Wallet Service exposes a Hot pairing message (including the hot side’s approval public key). Each operator carries it into their secure room and uploads it to their node (1a/1b → 2a/2b) so each cold node knows which hot deployment it is bound to.
• Step 3 — Cold ↔ cold (MPC): Both nodes coordinate over an on-premises broker (still isolated from the public internet—typically a local network or other controlled link). They run two-party MPC: distributed key shares, cold extended public key material, and an initial presignature pool. Neither node ever holds the complete private key alone.
• Steps 4–5 — Cold → hot: Each node outputs a Cold pairing message; operators bring both files online and upload them to the Wallet Service (4a/4b → 5a/5b) so the hot side can derive deposit addresses and verify future cold partial signatures.
• Step 6 — Finalize: The Wallet Service and Policy nodes persist the cold pairing and cold master key attachment, completing custody wiring for later cold batch signing.

Step-by-step pairing (Vault UI)

To integrate the Hot and Cold wallet, follow the steps below:

1. Navigate to your Hot wallet, and log in.

2. Click Settings on the main navigation menu.

3. Click the Wallet Pairing tab.

4. Click the Download Hot Pairing Message button, and you'll receive a prompt to download the pairing message file. This file initiates and authenticates the connection with the Cold wallet.

5. Navigate to the Cold wallet.

📘

Note:

Ensure that you have accessed the Cold wallet from an air-gapped computer/device.

6. Click Settings on the main navigation menu.

7. Under the Wallet Information tab, click the Upload pairing message button.

8. Select your downloaded pairing message file from your Hot Wallet and click Upload.

9. Navigate back to the Wallet Pairing tab under Settings on your Hot wallet. Click the Upload pairing message button.

10. Upload the file you downloaded from the Cold wallet. This action will automatically populate the extended public key and master key fields, ensuring a secure Hot and Cold wallet integration.

11. Once paired, you can create new accounts. Click Accounts on the main navigation menu.

12. Click the New Account button.

13. Fill in the account name, enable the Cold Account to enable the cold storage feature, and click Create.

14. A notification window will appear, confirming the successful pairing of keys between the Hot and Cold wallet.

📘

Note:

Keep in mind that the security architecture involves both the parent keys and a multi-layered security system structure. As a result, even if the parent keys are compromised, the overall security of the system remains resilient and intact.