The Cerberus Protocol: Secure Bitcoin Storage for Businesses

The first chapter of our guide to corporate bitcoin self-storage

Clavestone
Jun 8, 2019

In the world of personal bitcoin storage, retail investors learned long ago that self-custody is essential. Exchanges and other custodians are centralised single points of failure and become highly attractive targets for attackers. They get hacked, they run off with their customers’ funds, they make mistakes, their executives get kidnapped and ransomed, or worse.

Unfortunately, most companies investing in bitcoin today seem to think that these threats don’t apply to them. Instead, they are opting to store their bitcoin with various professional custodians. Unless things change, these companies are destined to learn the same expensive lessons that retail investors did over the last ten years.

One of the main reasons that companies are choosing bitcoin custodians is the lack of corporate self-storage options available. The vast majority of existing storage solutions are aimed at personal storage and come with little guidance on how to deploy safely in a corporate environment.

Enter Cerberus

The Cerberus Protocol was written to start filling the gap in corporate bitcoin storage. It provides strict, step-by-step guidelines for teams to deploy secure bitcoin storage in a corporate setting, distributing control with bitcoin multisig to ensure that no one person can compromise the company’s bitcoin holdings.

The Cerberus Protocol: Three employees generate a 2-of-3 multisig wallet.

The People Problem

Bitcoin wallet technology is already relatively mature. Ugly user interfaces aside, there are many great options available for highly secure bitcoin storage. Instead, the biggest threat to a company’s bitcoin is people.

No matter how secure your bitcoin software is, the people operating it can make mistakes, they can be fooled, they can be forced to do things against their will, or they may simply have motives that conflict with the broader organisation.

Most bitcoin storage solutions today only provide instructions on how to use the software, but not how to securely coordinate operations between multiple people. As a result, organisations are establishing their own procedures and rules, even though many are not equipped with the time or expertise to do so. Worse, they often just “make it up as they go along.”

When procedures are not followed, things go wrong.

Strict Protocol

The Cerberus Protocol goes further than basic guidance on what hardware and software to use and how to use them. Cerberus mitigates the “people problem” by providing prescriptive internal procedures for key generation, receiving a transaction, sending a transaction, key recovery, and staff replacements.

By following the protocol, each operator of the bitcoin storage will know exactly what they should be doing and when, significantly reducing the risks of errors or the storage being exploited. Anyone deviating from the protocol should understand that they are putting their company’s funds at risk.

Lean and Mean

The Cerberus Protocol is designed to be lightweight, and respect readers’ time — people at work are busy. We’ve stripped all but the most essential explainer text so that companies can get their bitcoin storage up and running as quickly as possible.

There are no choices to make with Cerberus, no optional extras. Often people are unwilling to give firm answers on which hardware and software to use, or how to use them. We do.

Don’t worry though, for the more curious we’ll be explaining the decisions behind the construction of the protocol in a comprehensive Appendix.

We Want Feedback

Today, we’re publishing the first chapter of the protocol — The Overview — to gauge interest in the project and gather feedback from bitcoiners who can suggest improvements or spot potential problems that we may have overlooked. When it comes to bitcoin security, there’s nothing better than peer review.

Future chapters of the protocol will be published at cerberus.clavestone.io and will be announced on our Medium and Twitter. We very much welcome feedback in the comments section, via email, or directly on our GitHub.

And without further ado, see below for a preview of the first chapter of the Cerberus Protocol!

What follows below is a copy-paste of the protocol as shown on the official site. As a result, there may be a little repetition of the introduction above!

Cerberus Overview

Cerberus is a step-by-step protocol for companies to securely store bitcoin investments without the need for a third-party custodian. The protocol combines both technical and procedural guidance for bitcoin storage:

  • Technical: Open source bitcoin hardware and software recommendations to securely distribute control, ensuring no single point of failure.
  • Procedural: Policies to ensure that any incoming or outgoing transactions are conducted under strict checks and balances.

Cerberus is a fully open source protocol, authored and reviewed by bitcoin industry veterans, taking inspiration from excellent open-source work such as the Glacier Protocol.

Cerberus is intended for:

  • Companies: The bitcoin are owned by a collective entity rather than a single individual. Usually this will be an incorporated company.
  • Bitcoin investments: Long-term bitcoin storage with a low transaction frequency (a handful of transactions per month).
  • Technically-unskilled users: No software engineering or bitcoin expertise should be required. Just follow the steps.
  • Fast deployment: Cerberus is designed to be lean and focused, so that your company can get going as quickly as possible.

Cerberus Minimum Requirements

Acquiring all the necessary items to set up the protocol is covered in the Preparation section, but to avoid any surprises, users should ensure they will have access to the following:

  • Three trusted employees
  • Three Trezor Ones (total cost less than USD 300)
  • Three Windows/MacOS/Linux computers
  • A free afternoon to follow the Setup section of the protocol

Why Cerberus?

“Not your keys, not your bitcoin.”
- Bitcoin Proverb

Currently, the vast majority of bitcoin storage guidance is written for personal bitcoin holdings. But a company investing in bitcoin has very different security needs compared to an individual.

Due to the lack of self-storage options, companies are commonly resorting to trusted custodians. This poses serious risks, as companies’ bitcoin investments are concentrated in honey pots that are highly attractive to potential attackers. A bitcoin custodian represents an easily-targeted, well-known single point of failure.

Cerberus was produced as an easy-to-follow, quick-to-execute protocol to specifically address the unique requirements for companies self-storing bitcoin.

Thanks to the amazing work of the bitcoin industry’s open source community and entrepreneurs, Cerberus is also inexpensive to set up, making highly-secure, industry-standard storage accessible to even the smallest of companies.

Key Concepts

To follow the protocol, users may need to first familiarise themselves with a few key terms:

  • Wallet: A collection of addresses with associated private keys, generated from a seed phrase.
  • Address: An address that can be shared with third parties who are sending your company bitcoin. A wallet consists of multiple addresses, and a new address should be used to receive each new transaction.
  • Private key: Bitcoin transactions are controlled through private keys. Outgoing transactions must be signed with a corresponding private key. Referred to as “key” in Cerberus for brevity.
  • Hardware wallet: A device used to manage private keys offline.
  • Seed phrase: A string of words that can be used to restore a wallet. Used as a backup in case of key loss.
  • Multisig: A method of storing bitcoin that requires signatures from multiple private keys to make an outgoing transaction.
  • Signatory: An individual that manages a hardware wallet (and associated seed phrase) on behalf of the organisation.
A diagram showing the relationship between addresses, keys, wallets, seed phrases, and hardware wallets.

Distributing Control

Cerberus uses bitcoin multisig to distribute control over your company’s bitcoin investment across three signatories. Cerberus uses what’s called a 2-of-3 multisig, which means that there are three private keys per address, and at least two of those keys are required to make any outgoing transactions.

Each of the three signatories holds a hardware wallet which manages their set of private keys. They also store a seed phrase at a secure location that only they have access to, which acts as a backup in case anything goes wrong. Both the management and storage of the hardware wallet and seed are outlined in the protocol.
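What "three private keys per address" means on chain, as an added example (not part of the Cerberus Protocol or Clavestone's code): the output script commits to all three public keys, so signatories who derive it independently will notice a substituted key. It assumes a P2WSH script with sorted keys, which the page does not specify; the sample keys and function names are constructed for illustration.

```python
import hashlib

OP_CHECKMULTISIG = 0xAE

def small_int_opcode(n):
    """Script encodes the numbers 1..16 as opcodes 0x51..0x60 (OP_1..OP_16)."""
    if not 1 <= n <= 16:
        raise ValueError("value has no single-byte opcode")
    return 0x50 + n

def multisig_script(m, pubkeys):
    """Build 'm <key>... n OP_CHECKMULTISIG' with keys in sorted order."""
    if not 1 <= m <= len(pubkeys):
        raise ValueError("threshold must be between 1 and the number of keys")
    if len(set(pubkeys)) != len(pubkeys):
        raise ValueError("duplicate public key")
    script = bytes([small_int_opcode(m)])
    for key in sorted(pubkeys):  # sorting makes the result order-independent
        if len(key) != 33 or key[0] not in (2, 3):
            raise ValueError("expected a 33-byte compressed public key")
        script += bytes([len(key)]) + key  # one-byte push length, then the key
    return script + bytes([small_int_opcode(len(pubkeys)), OP_CHECKMULTISIG])

def two_of_three_lock(pubkeys):
    """P2WSH output script: OP_0, then a 32-byte push of SHA-256(script)."""
    if len(pubkeys) != 3:
        raise ValueError("expected exactly three signatory keys")
    return b"\x00\x20" + hashlib.sha256(multisig_script(2, pubkeys)).digest()

def signatories_agree(views):
    """True only if every signatory's recorded key set derives the same lock."""
    return len({two_of_three_lock(keys) for keys in views}) == 1

# Constructed placeholder keys (right shape, not real wallet keys).
ALICE = b"\x02" + b"\x11" * 32
BOB = b"\x03" + b"\x22" * 32
CAROL = b"\x02" + b"\x33" * 32
SWAPPED = b"\x03" + b"\x44" * 32  # a key that is not one of the three

if __name__ == "__main__":
    honest = [[ALICE, BOB, CAROL], [CAROL, ALICE, BOB], [BOB, CAROL, ALICE]]
    tampered = [[ALICE, BOB, CAROL], [ALICE, BOB, SWAPPED], [BOB, CAROL, ALICE]]
    print("lock:", two_of_three_lock(honest[0]).hex())
    print("honest views agree:", signatories_agree(honest))
    print("tampered views agree:", signatories_agree(tampered))
```

Because the lock is a hash over the threshold and all three keys, replacing any one key produces a different output script, which is why each signatory should derive it from their own record of the keys rather than accept one supplied by a colleague.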

Sending and Receiving

To receive a bitcoin transaction, any of the three signatories can provide a bitcoin address to the sender. While this is a simple process, Cerberus provides guidelines to minimise the risk of the bitcoin being sent to the wrong place.

To send a bitcoin transaction, any of the three signatories should create a transaction and sign it, before sharing the signed transaction file with one more signatory for final signature and broadcast. Cerberus provides a strict protocol for signatories to share transaction details to ensure that all outbound transactions are in accordance with the true intent of the company.

Issue Resolution

Finally, in the case of a hardware wallet failure, loss, or the replacement of a signatory (e.g. in the event of a staff termination), Cerberus walks you through how to resolve the issue in a secure, prompt manner.

Structure

The Cerberus Protocol is split into eight sections:

  1. Overview: A brief explainer on the purpose of the Cerberus Protocol
  2. Preparation: All the ingredients required before you begin.
  3. Ceremony: A setup ceremony to ensure your company’s bitcoin keys are generated in a secure environment.
  4. Receive a Transaction: How to safely receive incoming transactions from third parties.
  5. Send a Transaction: How to coordinate a secure outgoing transaction.
  6. Hardware Wallet Recovery: How to restore a hardware wallet in the event of a hardware failure.
  7. Hardware Wallet Replacement: Emergency procedures in the event of hardware wallet or seed loss, and how to replace a hardware wallet in the event of a signatory termination or death.
  8. Appendix: All the extra background information that we ultimately decided to trim from the main protocol. Includes the kitchen sink.

Warnings & Disclaimers

Liability

The Cerberus protocol is used at your own risk, and the authors and contributors accept no responsibility for any losses incurred as part of the protocol’s usage.

Legal Support

Although Cerberus is designed to minimise any potential conflicts, the protocol should still be supported by robust legal agreements between employees and the company, outlining each participant’s obligations for the responsible management of funds. These agreements are beyond both the scope of this protocol and the expertise of the authors. However, should the protocol prove to be popular, we hope that some enterprising lawyers would open source some template documents!

Accuracy of Terminology

To ensure the protocol is quickly comprehensible for newcomers to bitcoin, we have simplified some of the key terminology and definitions. Some keen-eyed bitcoiners may take issue with these compromises, but we feel the loss of hyper-accuracy is a worthwhile tradeoff to ensure that secure storage is as accessible as possible.

Next chapter coming soon!

We want your feedback! Drop us some comments on Medium, send us an email to storage@clavestone.io, or submit an issue on GitHub.

If you like the look of the Cerberus Protocol and would like updates when we release a new section, sign up for updates here.

And of course, don’t forget to applaud and share our article!
