Ledger is mostly known for its consumer-facing hardware wallets, but since last year, a number of enterprises have also begun to use Ledger Vault, according to the company’s vice president of product, Jean-Michel Pailhon. This product is focused on providing custody solutions to enterprise clients. In fact, the Ledger team is currently trying to sell MicroStrategy on the advantages of its product.
MicroStrategy is a business intelligence company that made a splash in August 2020 by converting a large portion of its treasury into Bitcoin (BTC). More recently, Square, which just acquired $50 million worth of Bitcoin, developed an in-house open-source SubZero framework to secure its assets.
Pailhon said that both employ HSMs, or Hardware Security Modules, for the management of digital assets. HSMs have been used for decades for securing critical data and are generally considered invulnerable. Though SubZero may be a great framework, Pailhon opined that it's best suited for tech companies like Square that know how to deploy and manage HSMs. He said that Ledger will set these up for its clients, and that “they don't necessarily need to know how it works. They just need to use the solution.”
We asked Pailhon to walk us through onboarding a company like MicroStrategy. He said that one of the first steps would be to decide how many people will be involved in authorizing transactions. A typical setup would require 2-of-3 signatures, where perhaps the CEO, chief financial officer, and general counsel hold one signature each. All the private keys would be stored on an HSM. At the same time, parts of the private keys may be stored in several physical vaults.
When a company officer wants to initiate a transaction, he would log into Ledger Vault and input the desired transaction. Then, a notification would be sent to all three signatories. To approve it, they would have to log in and connect their Ledger Blue hardware wallet to their computer. Finally, they would enter their unique Ledger Blue PIN to sign the transaction. There is also an additional layer of protection: any one of the signatories can choose to abort the transaction altogether, provided that the minimum number of signatures has not yet been authorized.
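The 2-of-3 approval flow described above, including the abort rule, modelled as a small state machine. This is an added example, not Ledger's code: the class, method and role names are assumptions, and in a real deployment each approval would be a signature produced on the signatory's device rather than a plain method call.

```python
from enum import Enum


class State(Enum):
    PENDING = "pending"
    AUTHORIZED = "authorized"
    ABORTED = "aborted"


class QuorumRequest:
    """One pending transaction under an m-of-n approval policy (hypothetical model)."""

    def __init__(self, signatories, threshold):
        self.signatories = frozenset(signatories)
        if not 1 <= threshold <= len(self.signatories):
            raise ValueError("threshold must be between 1 and the number of signatories")
        self.threshold = threshold
        self.approvals = set()  # a set, so a repeated approval cannot count twice
        self.state = State.PENDING

    def _check(self, who):
        if who not in self.signatories:
            raise PermissionError(f"{who} is not a signatory")
        if self.state is not State.PENDING:
            raise RuntimeError(f"request is already {self.state.value}")

    def approve(self, who):
        self._check(who)
        self.approvals.add(who)
        if len(self.approvals) >= self.threshold:
            self.state = State.AUTHORIZED
        return self.state

    def abort(self, who):
        # Any single signatory can cancel, but only while the quorum is unmet.
        self._check(who)
        self.state = State.ABORTED
        return self.state


def demo():
    """Constructed walk-through: the CFO approves twice, then the CEO completes the quorum."""
    req = QuorumRequest({"ceo", "cfo", "general_counsel"}, threshold=2)
    trace = [req.approve("cfo"), req.approve("cfo"), req.approve("ceo")]
    try:
        req.abort("general_counsel")  # too late: the quorum is already met
    except RuntimeError:
        trace.append("abort rejected")
    return [s.value if isinstance(s, State) else s for s in trace]
```

The properties worth testing in any such workflow are the ones the model enforces: approvals are counted per distinct signatory, and once a request is authorized or aborted it accepts no further actions.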
Pailhon elaborated that though Ledger provides the backend and takes care of the HSM infrastructure, the client acts as its own custodian. This may present a problem as some companies may be required by law to use a regulated custodian. He explained that this does not present a real challenge though:
“If you need a regulated custodian, you can ask a regulated entity to become one of the signees in the transaction process.”
Meanwhile, MicroStrategy has not named its Bitcoin custodians, though it publicly acknowledged the associated risks:
“While we hold the bulk of our BTC assets with established cryptocurrency custodians, a successful security breach or cyberattack could result in a partial or total loss of our BTC assets in a manner that may not be covered by insurance or indemnity provisions of our custody agreements with those custodians.”