Physical Security
Key Takeaway: Physical security protects people and assets from threats that bypass cryptography entirely: coercion, theft, surveillance, and tampering. It is a distinct domain from operational security, addressing bodily harm, forced access, and physical integrity rather than information disclosure.
Cryptography and digital controls protect keys and data from algorithmic and remote attack. They do not protect the people who hold those keys from physical threats, nor the hardware and facilities those keys depend on. Physical security is the domain that addresses these threats directly: protecting people from harm and coercion, protecting physical assets from theft and tampering, detecting physical surveillance, and preserving the integrity of the hardware supply chain.
What physical security covers
- People: Protection from bodily harm, forced access, kidnapping, and coercion of key-holders and their families.
- Physical assets: Protection of devices, backups, and facilities from theft, destruction, and unauthorized access.
- Counter-surveillance: Detecting and countering physical surveillance that precedes targeted attacks.
- Supply chain integrity: Tamper evidence and provenance for the hardware that custodies keys.
Relationship to Operational Security
Physical security and Operational Security are distinct but overlapping domains:
- Operational Security mitigates information disclosure through procedural and digital controls. Its goal is to reduce what an adversary can learn.
- Physical Security mitigates bodily harm, forced access, and physical tampering through barriers, deterrence, deception, and response. Its goal is to reduce what an adversary can physically do.
Overlap areas — such as travel safety and device theft — are handled by cross-references rather than duplication. Where OpSec guidance touches physical coercion (for example, duress codes or border inspections), it links here rather than restating the controls.
Sub-categories
- Coercion & Duress — Defending key-holders against wrench attacks: coercion, kidnapping, and extortion targeting the people who control keys. This is the most developed sub-section of the framework.
- Facility & Perimeter Security — Access control, surveillance, environmental controls, and secure facility design. (In progress.)
- Physical Counter-Surveillance — Detecting and countering physical surveillance of people and locations. (In progress.)
- Supply Chain Physical Integrity — Tamper evidence and hardware provenance for devices that custody keys. (In progress.)
Who this framework serves
This framework serves individuals (founders, traders, KOLs) and organizations (exchanges, funds, DAOs, and protocols) that control significant on-chain or custodial balances, as well as anyone whose role makes them a target for physical attack because of the assets they can access.