System Managed Keys
System managed keys are signing keys generated and held by the Sigvault server. The complete key hierarchy — including the private key — is stored encrypted on the system. This enables automated signing without requiring a hardware device.
How It Works
When you create a system managed key:
- Sigvault generates a new BIP39 mnemonic (seed phrase)
- The full key hierarchy is derived: master key, account keys, and extended public keys
- All key material is stored encrypted on the server
- The key is associated with your account as a “system device”
Since Sigvault holds the private key, it can sign transactions on your behalf without hardware wallet interaction.
What Gets Stored
For each system managed key, Sigvault securely stores:
- BIP39 mnemonic — The 12-word seed phrase
- Master private key — Root of the key hierarchy
- Account private key — At the standard derivation path (e.g., m/84'/0'/0')
- Extended public key — Used for address derivation
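The stored items above form a single derivation chain, which the following added example traces with the standard BIP39 and BIP32 algorithms (it is not Sigvault's code, and the function names are hypothetical). It stops at the account private key, because the extended public key needs elliptic-curve point multiplication, and it assumes a well-formed mnemonic without checking the word list or checksum.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order, needed for BIP32 private-key arithmetic
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    norm = lambda s: unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", norm(mnemonic),
                               norm("mnemonic" + passphrase), 2048)

def master_key(seed):
    """BIP32 master private key and chain code from a seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= N:
        raise ValueError("invalid master key, a new seed is required")
    return digest[:32], digest[32:]

def hardened_child(priv, chain, index):
    """BIP32 hardened private child derivation (index without the ' bit)."""
    data = b"\x00" + priv + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + int.from_bytes(priv, "big")) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child key at this index")
    return child.to_bytes(32, "big"), digest[32:]

def account_key(mnemonic, path=(84, 0, 0)):
    """Mnemonic -> account private key at m/84'/0'/0' (all levels hardened)."""
    priv, chain = master_key(mnemonic_to_seed(mnemonic))
    for index in path:
        priv, chain = hardened_child(priv, chain, index)
    return priv, chain

# Public BIP39 test-vector mnemonic, used here only as constructed sample input.
SAMPLE = "abandon " * 11 + "about"

if __name__ == "__main__":
    priv, _ = account_key(SAMPLE)
    print("account key bytes recovered from the mnemonic alone:", len(priv))
```

Because every key in the hierarchy is recomputed from the mnemonic, the mnemonic needs at least the same protection at rest as the private keys themselves.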
Custody Model
System managed keys are custodial — Sigvault has the ability to sign transactions. This means:
- Transactions can be signed automatically without user device interaction
- You are trusting the Sigvault infrastructure with your funds
- The system handles key backup and availability
Use Cases
System managed keys are useful for:
- Hot wallets — Fast, automated spending without device interaction
- Backup keys in multisig — A system key as one of several multisig signers provides a recovery option
- Collaborative vaults — Mix system keys with user hardware devices for balanced custody
- API-driven workflows — Programmatic transaction signing for applications
- Recovery paths — Time-locked backup conditions in taproot vaults
Limits
Each user account has a limited number of system devices, typically one per account. The exact limit may depend on your account tier.
Compared to User Managed Keys
| | System Managed | User Managed |
|---|---|---|
| Key location | Sigvault server | Hardware device |
| Signing | Automatic | Requires physical device |
| Custody | Custodial | Non-custodial |
| Recovery | Managed by system | Device seed phrase |
| Best for | Automated workflows | Personal custody |
Common Patterns
Hot Wallet
A single system managed key as the sole signer. Simplest setup, fully custodial.
Collaborative Multisig
A 2-of-3 setup where the user holds 2 hardware devices and the system holds 1 key. The system key alone cannot spend, but it provides a recovery path if one hardware device is lost.
Vault Recovery Path
In a taproot vault, a system managed key participates in a time-locked recovery condition. The owner uses their hardware wallet day-to-day, but the system key can help recover funds after the time lock expires.
For user-controlled alternatives, see User Managed Keys.