Key management is the single most important security topic in Web3. Every loss of funds eventually traces back to a key handled badly.
A serious key-management posture covers:
- Generation: keys generated on dedicated hardware, not on a laptop, not on a hot machine that has ever browsed the web.
- Storage: hardware wallets, HSMs, MPC shares, or air-gapped machines. Mnemonic phrases stored on paper or metal, in geographically separated locations.
- Use: signing on a device that displays what's being signed; transaction simulation before approval.
- Rotation: a documented process to retire keys, especially when staff changes or after any suspected compromise.
- Destruction: keys are not deleted from a hardware wallet by deleting an account on a computer. Properly retiring a key means transferring out, then physically destroying or wiping the device.
The maturity of an organization's key management is the best leading indicator of how its first incident will go.