
In 2025, institutions and public companies hold about 4% of all mined bitcoin, totaling approximately 852,000 BTC.
Bitcoin is accessed through wallets, which manage the private keys that control these assets. A private key is essentially a highly secure, randomly generated number that grants ownership and spending authority over bitcoin.
For institutions, wallet infrastructure providers play a critical role, securing private keys and enabling safe, scalable access to digital assets – whether through direct self-custody, shared custody, non-custodial solutions, or full delegation to a custodian.
In this article, we’ll break down how bitcoin wallets work, outline key custody considerations for institutional investors, and highlight leading solutions to keep these holdings secure.
How do bitcoin wallets work?
Bitcoin wallets manage assets using cryptographic key pairs.
When a user creates a wallet account, they receive a private key, often represented by a seed phrase or recovery phrase – a random string of words that proves ownership.
This private key pairs with a public key, which generates the wallet address for receiving funds.
As the names suggest, the public key can be shared freely, while the private key must remain confidential. The private key is used to sign transactions and authorize spending, meaning anyone with access to it can transfer assets out of the wallet.
Most end-users will store their own seed phrase somewhere secure and control funds themselves. This is known as self-custody or a non-custodial solution. However, users who control large amounts of funds will require an increasingly sophisticated security model in order to keep their private key (and funds) secure.
Why do we need bitcoin custody?
Bitcoin custody exists to address these security needs and provide a wide range of benefits related to operations and scalability compared to self-custodying bitcoin.
In general, crypto custody refers to the secure storage and transfer of cryptoassets. Any organization that holds private keys (and the associated funds) on behalf of users or institutions is technically a custodian, although the term is more often used to refer to services focused on institutions and investors.
Ultimately, custody solutions intend to empower institutions to participate in the Bitcoin ecosystem with confidence, knowing their assets are secured by specialized providers with battle-tested infrastructure.
Existing bitcoin custody solutions
Institutions have multiple options for bitcoin custody, each balancing control, security, and operational efficiency:
- Centralized exchanges (CEXs)
Some of the largest custodians that exist today are centralized exchanges. CEX platforms hold private keys (and by extension bitcoin and other cryptoassets) on behalf of users and institutions, and make it easy to exchange these assets for fiat.
These exchanges are regulated in any jurisdiction in which they operate. While primarily retail-focused, exchanges like Coinbase and Gemini also offer institutional-grade custody solutions with regulated frameworks.
- Dedicated custodians
Companies like BitGo and Anchorage specialize in secure storage solutions tailored for institutional clients. These companies employ specialized security measures and offer features such as insurance, regulatory compliance, and API access to their platform tooling.
- Non-custodial infrastructure
Some providers, like Turnkey and Fireblocks, offer infrastructure that enables institutions to maintain full control and ownership of their private keys while abstracting away the underlying complexity of key management, policy enforcement, and transaction signing.
In these models, the provider cannot access funds or act unilaterally – customers retain sole authority over their digital assets, even while benefiting from institutional-grade security, auditability, and operational tooling.
This approach combines the benefits of self-custody (no counterparty risk, full ownership) with the security and usability of professional infrastructure, enabling institutions to deploy scalable wallet systems without needing to build everything in-house.
- Hybrid models
Some institutions will likely use a mix of self-custody and custodians to balance control over their assets against risk. For example, an asset manager might hold a portion of their bitcoin in self-custody with a hardware wallet for direct control while keeping larger treasury reserves with a regulated custodian like Anchorage for security, insurance, and operational efficiency.
Many providers of bitcoin custody solutions are first and foremost crypto-native, built by teams that are experienced and well informed about the security risks associated with cryptocurrency.

What problems does bitcoin custody address?
Bitcoin custody and key management solutions are designed to solve the operational and security challenges inherent in institutional self-custody.
Managing a single private key is insufficient at scale. It creates a single point of failure while lacking the controls needed for institutional workflows. Expanding to multiple keys or wallets compounds complexity, introducing fragmented access controls, operational overhead, and increased attack surfaces.
Institutions require custody solutions that address security, operational efficiency, and scalability.
Security concerns
High-value users are frequent targets of sophisticated phishing, social engineering, and even physical threats. In a recent example, the CEO of Ledger was kidnapped and held for ransom, underscoring the real-world risks associated with self-custody.
Hardware wallets are also vulnerable. Attackers can tamper with devices, exploit firmware vulnerabilities, or steal them outright, leading to compromised private keys and irreversible loss of funds.
Bitcoin custody solutions mitigate these security risks by eliminating single points of failure, enforcing institutional policies for transaction approvals, and removing individual key management risks with robust infrastructure controls.
Operational concerns
If a private key or seed phrase is lost, the account and associated funds are permanently unrecoverable. For large-scale institutions, the loss of a single seed phrase could result in millions of dollars in unrecoverable digital assets.
Unlike traditional financial systems, blockchains are decentralized and immutable, offering no standardized recovery mechanisms or account resets.
Creating multiple wallets, each with its own private key, might seem like a reasonable way to reduce single-key exposure, but it adds significant operational complexity and does not solve the underlying challenge of managing keys securely at scale.
In addition, implementing proper access controls to funds is challenging and introduces key-person risk if approvals depend on a single individual.
Ultimately, effective bitcoin custody is about more than secure storage. It's about implementing infrastructure that combines robust security controls with operational efficiency. Institutions need solutions that integrate seamlessly into their workflows, enforce governance policies by design, and eliminate single points of failure without introducing unnecessary complexity.
Scalability concerns
As an organization’s needs grow – whether through increased transaction volume or expanding from bitcoin into additional digital assets – existing self-custody implementations often struggle to keep up. Adding more private keys and wallets quickly compounds operational complexity and introduces new security risks.
Custody solutions can address these challenges with scalable wallet infrastructure designed from the ground up for institutional use. Some provide intuitive interfaces and APIs that enable organizations to create and manage new wallets seamlessly, without the technical overhead or risk that comes with scaling self-managed key systems.
Technical implementations of bitcoin custody
Bitcoin custody solutions use a wide variety of private key management strategies in order to keep assets secure on behalf of users. These include:
Multi-signature wallets
The simplest option a custody solution might offer is a multi-signature wallet.
In Bitcoin, multi-signature functionality has existed since P2SH, enabling wallets that require multiple private key signatures to approve a transaction. These setups can be configured as “M-of-N” (e.g., 3 out of 5 members must approve) or “N-of-N” (e.g., all 5 members must approve).
While multisig solves immediate access control challenges and enhances security by requiring multiple approvals, it does not address the underlying issue of how each private key is securely managed and stored.
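The M-of-N structure described above is visible in the redeem script itself, so a reviewer can check it against the signing policy before any funds are sent to the address. The following is an added example, not code from this article or from any provider named in it; the `audit` helper, the policy inputs, and the placeholder keys are assumptions made for illustration.

```python
from __future__ import annotations

OP_CHECKMULTISIG = 0xAE
MAX_P2SH_KEYS = 15  # 520-byte redeem script limit with 33-byte compressed keys


def build_redeem_script(m: int, pubkeys: list[bytes]) -> bytes:
    """Encode OP_m <key1> ... <keyN> OP_n OP_CHECKMULTISIG."""
    n = len(pubkeys)
    if not 1 <= m <= n <= MAX_P2SH_KEYS:
        raise ValueError("need 1 <= m <= n <= 15")
    body = b"".join(bytes([33]) + k for k in pubkeys)  # 0x21 = push 33 bytes
    return bytes([0x50 + m]) + body + bytes([0x50 + n, OP_CHECKMULTISIG])


def parse_redeem_script(script: bytes) -> tuple[int, list[bytes]]:
    """Decode a bare multisig redeem script, rejecting any other shape."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a multisig redeem script")
    m, n = script[0] - 0x50, script[-2] - 0x50  # OP_1..OP_16 are 0x51..0x60
    keys, pos, end = [], 1, len(script) - 2
    while pos < end:
        if script[pos] != 33 or script[pos + 1] not in (2, 3):
            raise ValueError("expected a 33-byte compressed public key")
        keys.append(script[pos + 1:pos + 34])
        pos += 34
    if pos != end or len(keys) != n or not 1 <= m <= n:
        raise ValueError("malformed threshold or key count")
    return m, keys


def audit(script: bytes, required_m: int, approved: set[bytes]) -> list[str]:
    """Compare a redeem script with the signing policy; return findings."""
    m, keys = parse_redeem_script(script)
    findings = []
    if m != required_m:
        findings.append(f"threshold is {m}, policy requires {required_m}")
    if len(set(keys)) != len(keys):
        findings.append("duplicate key lowers the effective quorum")
    if any(k not in approved for k in keys):
        findings.append("key outside the approved signer list")
    return findings


# Constructed placeholder keys (right length and prefix, not real curve points).
SIGNERS = [bytes([2]) + bytes([i]) * 32 for i in range(1, 6)]
SCRIPT_3_OF_5 = build_redeem_script(3, SIGNERS)
```

An empty result from `audit` only confirms the quorum and key set; it says nothing about how each signer's private key is stored, which is the gap the paragraph above points out.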
Multi-party computation (MPC)
Multi-Party Computation (MPC) enables multiple parties to collaboratively sign transactions without ever reconstructing the full private key in a single location. Even if one key share is exposed or compromised, the assets remain secure as no individual party holds the complete key material.
One downside of MPC is that it can introduce significant computational overhead and latency, making it less suitable for institutions requiring frequent bitcoin withdrawals or high-volume transaction processing.
Trusted execution environments (TEEs)
Another emerging technology for securing Bitcoin wallets is Trusted Execution Environments (TEEs).
TEEs are isolated hardware environments within a processor (typically called enclaves) that securely store private keys and perform cryptographic operations, such as signing transactions, without exposing sensitive data to the rest of the system.
By providing strong security guarantees against compromised software or hardware outside the enclave, TEEs eliminate key exposure risks while maintaining high operational efficiency.
Unlike MPC, TEEs do not split keys across parties, enabling significantly faster transaction processing without added computational overhead.
Other security measures
Alongside these technical implementations, some institutions may want to use separate “hot”, “warm”, and “cold” storage wallets.
Hot wallets refer to wallets used for more frequent (and possibly more risk-adjacent) transactions, while cold storage wallets are typically completely offline and act more as a secure reserve of assets used over a longer period of time. Warm wallets exist somewhere in between the two.
Some other security measures include air gapping (isolating a device from external networks) and geographical distribution of private keys (to reduce single points of failure).
Comparison of Technical Implementations

Turnkey: Non-custodial bitcoin solutions for institutional investors
At Turnkey, we deliver non-custodial solutions that combine uncompromising security with operational flexibility. All critical cryptographic operations run within our secure enclaves, leveraging trusted execution environment (TEE) technology to isolate and protect private keys.
Private keys are never exposed outside the enclave, not even to Turnkey. No single developer can alter or deploy enclaves, ensuring robust internal security controls.
Most importantly, wallets remain fully under the control of end users and institutions, providing true ownership without operational risk.
Some key features of Turnkey’s non-custodial infrastructure:
Organizations and sub-organizations
An organization serves as the foundational unit that houses users, wallets, and policies. Institutions create organizations to manage their operational structure, onboard users, and provision wallets aligned with their workflows.
Suborganizations enable further segmentation. Each suborganization can maintain its users, wallets, and policies while remaining under the governance of the parent organization. This structure allows institutions to scale their operations securely with clear boundaries and delegated management.
Users within an organization perform actions such as approving transactions, generating API keys, and managing wallets. Authentication is secured via passkey biometrics or hardware security devices, such as YubiKeys, ensuring strong user verification.
For best practices on structuring users and permissions within your organization, see our user setup guidelines.
Policies
Every action within an organization is evaluated by the policy engine, which ensures each request meets predefined policies before execution.
Root Users define these policies to enforce organizational governance, such as setting transaction spending limits or restricting wallet access to specific users. The policy engine is highly flexible, enabling institutions to implement controls that align precisely with their operational structure and approval hierarchies.
Read more about policies in our policy overview section.
Wallets
Turnkey uses hierarchical deterministic (HD) wallets, which use a single seed phrase to generate multiple accounts with a parent-child hierarchy.
Organizations can make use of this to allow users with different permissions to access different accounts, whilst also keeping a single seed phrase for a simple backup process. They can also create as many wallets as they need, if they don’t want to rely on a single seed phrase.
There is no vendor lock-in, either. Wallets can easily be imported and exported.
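How one seed phrase yields a hierarchy of account keys can be shown with the public BIP39 and BIP32 standards. This is an added example, not Turnkey's code; it covers hardened private-key derivation only, and the phrase and the `m/84'/0'/n'` path are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac

# Order of the secp256k1 group; private keys are integers in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def seed_from_phrase(phrase: str, passphrase: str = "") -> bytes:
    """BIP39: stretch the phrase into a 64-byte seed (PBKDF2, 2048 rounds)."""
    salt = ("mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", phrase.encode(), salt, 2048)


def master_key(seed: bytes) -> tuple[int, bytes]:
    """BIP32: split HMAC-SHA512 output into (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if not 0 < key < N:
        raise ValueError("seed yields an invalid master key")
    return key, digest[32:]


def derive_hardened(key: int, chain: bytes, index: int) -> tuple[int, bytes]:
    """Hardened child: the HMAC input is the parent private key."""
    data = b"\x00" + key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + key) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child, use the next index")
    return child, digest[32:]


def derive_path(seed: bytes, path: list[int]) -> int:
    """Walk a path of hardened indices, e.g. [84, 0, 2] for m/84'/0'/2'."""
    key, chain = master_key(seed)
    for index in path:
        key, chain = derive_hardened(key, chain, index)
    return key


# Constructed phrase for illustration; not checked against the BIP39 wordlist.
SEED = seed_from_phrase("example phrase constructed for this page")
ACCOUNTS = [derive_path(SEED, [84, 0, n]) for n in range(3)]
```

Every account key is a pure function of the seed and the path, which is why a single backup restores all of them and why exposure of that one phrase exposes every account beneath it.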
Get started with bitcoin wallets on Turnkey
Institutional bitcoin wallet management must address security, operational efficiency, and scalability to protect and manage digital assets with confidence.
Turnkey delivers cutting-edge non-custodial infrastructure by generating and securing private keys within Nitro Enclaves, enforcing granular policy controls, and integrating seamlessly into institutional workflows.
Our founding team built Coinbase Custody, the world’s largest and most secure crypto custodian, securing over $100 billion across industry-leading products. Today, we bring that same expertise to Turnkey, offering institutions a non-custodial wallet infrastructure solution that’s faster, more secure, and built for scale.
Whether you’re building in DeFi, payments, or AI, connect with us to onboard seamlessly and start scaling your crypto operations with Turnkey.