Key Takeaways
- Chia vaults use two separate keys — a spend key and a recovery key — instead of one, giving you a critical backup if something goes wrong
- Time-lock withdrawals (called clawback periods) give you a safety window to cancel any unauthorized recovery before it completes
- The Chia Signer app turns your iPhone into a hardware wallet by storing your spend key inside Apple’s Secure Enclave chip
- The free tier of the Chia Cloud Wallet allows one vault; multi-sig support is coming in the paid Prosumer Tier
- You can set a custom clawback period based on how often you need access — from short windows for active wallets to 90 days for long-term cold storage
A Chia vault is a smart wallet that uses two separate keys and a mandatory waiting period to protect your crypto. Unlike a regular Chia wallet — where losing or exposing one key can mean losing everything instantly — a vault gives you time to react and recover if something goes wrong.
What Is a Chia Vault?
Think of a traditional crypto wallet like a single-key safe. One key gets it open, and if someone grabs that key, your funds are gone. A Chia vault works differently — it’s more like a bank vault with two separate locks and a timed delay before anything critical can happen.
Vaults are built on Chia’s blockchain using a special type of smart contract called a singleton — a unique on-chain structure that can only exist once. This singleton acts as a secure container for your XCH, CATs, and NFTs. Rather than locking assets with just one private key, vaults layer multiple keys with different roles and add mandatory waiting periods before sensitive actions complete.
The vault design separates the act of custody from the coins themselves. Your spend key handles day-to-day transactions. Your recovery key is a separate backup that can only be used after a set waiting period. This split creates a meaningful security buffer that doesn’t exist in standard crypto wallets.
Vault vs. Standard Wallet
The standard Chia reference wallet uses a single BLS key. If that key is lost, stolen, or exposed, all of your funds are immediately at risk with no way to recover them. That single-key model works fine for small amounts or for farming, but it becomes a real liability when you’re holding significant value.
Vaults improve on this by assigning two keys with different purposes. Your spend key lives inside your phone’s Secure Enclave or another passkey device and handles everyday transactions. Your recovery key is a 24-word phrase you store offline in a safe location. These two keys create overlapping protection rather than a single point of failure.
If someone steals your recovery phrase, they can’t immediately drain your vault. They would need to initiate a recovery attempt, which triggers a clawback timer. During that window, you receive an email alert from the watchtower service and can use your spend key to cancel the malicious recovery and move your funds to safety. That time-delayed protection is what sets vaults apart from ordinary wallets.
How Time-Lock Withdrawals Work
Time-lock withdrawals, also called clawback periods, add a mandatory waiting time before certain vault actions can complete. When you create your vault, you choose how long this window should be. A shorter clawback suits a wallet you access frequently; a longer one fits cold storage you rarely touch.
The clawback mechanism is enforced directly in Chia’s smart contract code. When someone uses your recovery key, the vault creates a pending transaction that sits on the blockchain but does not finalize immediately. During the clawback window, your spend key retains the power to cancel that pending recovery and rekey the vault with fresh credentials.
This creates a situation that strongly favors the legitimate owner. Even if an attacker obtains your recovery phrase, you have the entire clawback period to notice the alert, cancel the recovery using your spend key, and move your funds. The attacker cannot speed up or skip the timer. Your spend key always wins the race during the clawback window — that’s the core security guarantee of vault design.
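A simplified Python model of the recovery and clawback rules described in this section, added here as an illustration; it is not Chialisp and not Chia's own code. The `Vault` class, its method names, the string keys and the integer timestamps are hypothetical stand-ins for the on-chain singleton, the real keys and block time.

```python
# Added illustration: an off-chain model of the vault rules, not Chia's code.
# Keys are plain strings and time is an integer number of seconds (assumptions).
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 3600


class VaultError(Exception):
    """An action the vault rules reject."""


@dataclass
class Vault:
    spend_key: str                       # stand-in for the Secure Enclave / passkey key
    recovery_key: str                    # stand-in for the 24-word phrase
    clawback: int                        # clawback period in seconds
    pending_key: Optional[str] = None    # spend key a pending recovery would install
    pending_since: Optional[int] = None  # when that recovery was started

    def start_recovery(self, key: str, new_spend_key: str, now: int) -> None:
        if key != self.recovery_key:
            raise VaultError("recovery key required")
        if self.pending_key is not None:
            raise VaultError("a recovery is already pending")
        self.pending_key, self.pending_since = new_spend_key, now

    def cancel_recovery(self, key: str, new_recovery_key: str) -> None:
        # The spend key cancels the pending recovery and rekeys the vault.
        if key != self.spend_key:
            raise VaultError("spend key required")
        if self.pending_key is None:
            raise VaultError("nothing to cancel")
        self.pending_key = self.pending_since = None
        self.recovery_key = new_recovery_key  # the exposed phrase stops working

    def finish_recovery(self, now: int) -> None:
        if self.pending_key is None:
            raise VaultError("no recovery pending")
        if now < self.pending_since + self.clawback:
            raise VaultError("clawback timer still running")
        self.spend_key = self.pending_key
        self.pending_key = self.pending_since = None


def stolen_phrase(clawback: int, owner_reacts_at: int) -> str:
    """A thief starts a recovery at t=0; return who controls the spend key."""
    v = Vault("owner-key", "phrase-1", clawback)
    v.start_recovery("phrase-1", "thief-key", now=0)
    if owner_reacts_at < clawback:
        v.cancel_recovery("owner-key", "phrase-2")  # owner saw the alert in time
    else:
        v.finish_recovery(now=clawback)             # the alert was missed
    return "owner" if v.spend_key == "owner-key" else "thief"
```

With a 48-hour clawback, `stolen_phrase(2 * DAY, 6 * 3600)` leaves the owner in control, while an owner who only reacts after three days has already lost the vault, which is why the clawback length should exceed the longest time you might go without seeing an alert.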
What You Need Before You Start
Before you create your vault, gather everything on this list. Having it all ready will make the process much smoother.
You need an email address for your Cloud Wallet account. This email receives security alerts from the watchtower service, including notifications about recovery attempts. Use an address you check regularly and keep it secure.
For your vault’s spend key, you need an iPhone or iPad with Secure Enclave support running iOS 15 or later. According to the official Chia Signer documentation, compatible devices start with the iPhone 6 and iPad mini 4 — not the iPhone 5S, which lacks the necessary Secure Enclave hardware.
Android support for the Chia Signer app is planned but not yet available. Android users can still create vaults by using a passkey as their spend key — stored in a hardware security key like a YubiKey, a password manager, or your computer’s OS keychain.
You also need a separate device to access the Cloud Wallet web interface. This can be a computer or a second phone. The official docs are clear: you cannot currently run both the Cloud Wallet and the Chia Signer app on the same device. This separation ensures that compromising one device doesn’t immediately expose both keys.
Finally, prepare a secure offline location for your 24-word recovery phrase before you start. A fireproof safe, a bank safety deposit box, or a locked drawer works well. Never photograph these words or store them digitally. Anyone who reads them can initiate a vault recovery — that’s why the clawback period exists.
| Vault Type | Best For | Recommended Clawback | Setup Complexity |
|---|---|---|---|
| Daily Spending | Regular transactions, DeFi activities | 24–48 hours | Simple |
| Savings Vault | Medium-term holdings, monthly access | 7–14 days | Simple |
| Cold Storage | Long-term holdings, rare withdrawals | 30–90 days | Moderate |
| Enterprise/Multi-Sig | Business funds, team management (coming soon) | Custom | Advanced (Prosumer/Enterprise tier) |
Step-by-Step Chia Vault Setup Guide
Setting up your first Chia vault involves two tools working together: the browser-based Cloud Wallet and the Chia Signer mobile app. Follow the steps below in order. The whole process typically takes around 10–15 minutes if you have everything prepared.
Step 1: Create Your Cloud Wallet Account
Visit vault.chia.net to create a mainnet account. If you want to practice first with free test coins, use vault.chiatest.net instead. The testnet works identically to mainnet but uses TXCH rather than real XCH.
Click “Sign Up” and enter your email address. Within a few minutes you’ll receive an email with the subject “Chia cloud wallet email verification link.” Click the link to confirm your address, then enter your name and click “Set new Passkey.” The system offers several storage options: hardware keys like a YubiKey, password managers like 1Password or Bitwarden, or your operating system’s built-in keychain. This passkey is your primary login method for the Cloud Wallet and can also serve as a vault spend key. Choose whichever option fits your security setup, then proceed to create your first vault.
Step 2: Install the Chia Signer App
On your iPhone or iPad, open the App Store and search for “Chia Signer,” or go directly to its App Store listing. The app is free and requires iOS 15.0 or later, so check your device’s iOS version before installing.
After installing, open the app. Tap the + button in the upper-right corner to add a new key. Give it a descriptive name like “Main Vault Key.” Currently the only option is to generate a hardware key inside your device’s Secure Enclave — tap “Generate Key.” Your phone creates the key entirely within the Secure Enclave chip. The key never leaves that chip and cannot be copied or extracted. If you lose or damage the phone, this specific key is gone, which is exactly why the 24-word recovery phrase exists as a separate fallback.
Step 3: Link the Signer App to Your Vault
Back in the Cloud Wallet on your computer (or second device), choose the option to create a vault using the Chia Signer app. Give your vault a name. The Cloud Wallet will display a QR code on screen — keep it visible.
There are two ways to complete the link from the Signer app. Method A: Tap on the key you just created on the app’s main screen, then tap the “Link Key” button to activate your camera and scan the QR code. Method B: From the app’s main screen, tap the scan button (located in the lower-middle area), then scan the QR code and choose your key when prompted. Either method works — use whichever feels more natural. If a green checkmark appears over the QR code in the Cloud Wallet, the link was successful.
Step 4: Save Your Recovery Phrase and Set the Clawback
Once the Signer app links successfully, the Cloud Wallet shows your 24-word recovery phrase. Write these words down in order on paper with a pen. Check every word carefully. Store this paper in a secure offline location, such as a fireproof safe or a bank safety deposit box. Never photograph these words, never type them into a digital device except during an actual recovery, and never store them in cloud services.
Next, set your vault’s clawback period. This is the window of time a would-be attacker would need to wait after using your recovery phrase before gaining access — and it’s the same window you have to cancel them. Think about how often you’ll access this vault when choosing the duration. Daily spending vaults work well with 24–48 hours. Cold storage vaults benefit from 30–90 days. You can always create multiple vaults with different clawback periods for different purposes.
When you’re ready, click “Create.” The Cloud Wallet submits a “vault faucet” transaction that mints your new vault on the Chia blockchain. According to the official FAQ, this process can take up to five minutes. Once confirmed, your vault’s receive address appears. Send XCH, CATs, or NFTs to this address to fund your vault. You’re now protected by two-key security with time-locked recovery.
Choosing the Right Clawback Period
Your clawback period is a direct trade-off between security and convenience. Longer periods provide stronger protection against theft but create longer delays if you ever need a legitimate recovery. Here’s how to think through the choice.
For wallets you use daily or weekly for things like DeFi activity or regular transactions, a 24–48-hour clawback strikes a good balance. It gives you enough time to notice an alert and respond without creating frustrating delays when you genuinely need to recover.
Savings vaults you access monthly work well with a 7–14-day clawback. This provides substantial protection while still allowing access within a reasonable timeframe when you actually need your funds.
For long-term cold storage that you rarely touch, consider 30–90 days. Chia Network uses a 90-day clawback period for its own cold wallets protecting its prefarm. At that length, even a sophisticated attacker who obtains your recovery phrase has almost no realistic chance of completing a theft before you notice and respond.
One practical approach is to use multiple vaults for different purposes. Keep a small daily-access vault with a short clawback for regular activity and move larger long-term holdings into a cold-storage vault with a longer clawback. This layered strategy optimizes both security and usability without requiring any compromise.
Security Best Practices for Your Chia Vault
Never store your 24-word recovery phrase digitally. This is the most common mistake. Photos, screenshots, encrypted notes, and cloud storage are all vulnerable to breaches, phishing, or device theft. Write the words on paper and store them in a physically secure location.
For high-value vaults, consider a metal backup plate. Several companies sell stainless steel seed phrase storage products that survive fires, floods, and other disasters that would destroy paper. For significant holdings, this extra step is worth the small investment.
Keep your iPhone with the Chia Signer app physically secure. Enable biometric authentication — Face ID or Touch ID — so that a stolen phone can’t be used to approve transactions. The Secure Enclave protects the key itself, but physical access to an unlocked device bypasses that protection at the app level.
Enable watchtower email notifications and check that inbox regularly. The watchtower service monitors the blockchain for recovery attempts and sends immediate alerts when one is detected. That email alert is your early warning system — it’s what gives you time to act during the clawback window.
Practice on testnet before trusting your vault with real value. Create a test vault at vault.chiatest.net, go through the full setup and simulated recovery, and make sure you understand every step before switching to mainnet. A few minutes of practice now can prevent costly mistakes later.
For very large holdings, store your recovery phrase in a different physical location from your Signer device. Geographic separation means a single incident — a burglary, a house fire — can’t take out both keys at once.
Chia Vault vs. Other Chia Security Options
Chia offers several levels of custody security. Understanding the differences helps you pick the right tool for your situation.
| Solution | Keys Required | Time-Lock Protection | Best For | Setup Difficulty |
|---|---|---|---|---|
| Standard Wallet | 1 (24-word phrase) | None | Learning, farming, small amounts | Simple |
| Cloud Wallet Vault (Free) | 2 (spend + recovery) | Yes (customizable) | Most individuals, medium to large holdings | Simple |
| Multi-Sig Vault | m-of-n (e.g., 2-of-3) | Yes (customizable) | Businesses, families, high-value shared custody | Moderate (Prosumer/Enterprise tier, coming soon) |
| Custody Tool | Customizable multisig | Yes (advanced rules) | Enterprises, exchanges, large institutional holders | Advanced (CLI tool) |
The standard Chia reference wallet is the simplest option but provides no recovery safety net. If your key is lost or stolen, so are your funds. It’s fine for farming or holding small amounts where convenience matters more than security depth.
The Cloud Wallet vault on the free tier adds meaningful protection without much complexity. Two keys plus a clawback period handles the most common loss and theft scenarios. For most individual users, this is the right balance of security and ease of use. The free tier supports one vault; if you want additional vaults or multi-sig functionality, that will require the upcoming Prosumer Tier when it launches.
Multi-signature vaults eliminate single points of failure by requiring approval from multiple keys before any transaction completes. This is valuable for shared custody — a business treasury, a family account, or inheritance planning. According to the official Cloud Wallet FAQ, multi-sig support is coming in the Prosumer Tier. It is not available in the current free tier.
The custody tool is Chia’s most advanced custody solution. It’s a command-line tool that powers the security for Chia Network’s own prefarm. It supports complex multisig configurations, customizable timelocks, and sophisticated rekeying procedures. However, it requires deep technical expertise and is primarily intended for enterprises, exchanges, and large institutional holders. Chia Network’s prefarm uses a tiered structure: cold wallets use 3-of-5 multisig with a 30-day withdrawal timelock followed by a 90-day clawback, while warm wallets use 2-of-3 multisig with 24-hour clawbacks for more frequent access. This layered structure optimizes security based on how often each wallet needs to be accessed. You can read more about how this architecture works in our Chialisp smart contracts overview.
Conclusion
Setting up a Chia vault gives you a level of protection that standard crypto wallets simply can’t match. By separating your spend key from your recovery key and adding a time-locked safety window, you eliminate the single points of failure that make most wallets vulnerable. Whether you’re protecting a small savings stash or a substantial long-term holding, the Cloud Wallet vault is designed to be accessible without cutting corners on security. Start on the testnet today, practice the setup and recovery process with test coins, and then move to mainnet when you’re confident. Ten minutes of setup now can protect your assets for years to come. And if you want to go deeper into how Chia’s smart contract layer makes all of this possible, check out our guide on investing in and understanding the Chia Network.
Chia Vault Setup FAQs
How do I set up a Chia vault for the first time?
To set up a Chia vault for the first time, create a free account at vault.chia.net, install the Chia Signer app on a compatible iPhone or iPad (iPhone 6 or later, iOS 15+), generate a spend key in the app, and then link that key to your new vault by scanning the QR code shown in the Cloud Wallet. Write down your 24-word recovery phrase and choose your clawback period. The vault is minted on-chain and your receive address appears within a few minutes.
What is the clawback period in a Chia vault setup?
The clawback period in a Chia vault setup is a mandatory waiting time that must pass after someone uses your recovery phrase before they can gain access to your funds. It’s your safety window — if someone unauthorized triggers a recovery, the watchtower will email you and you can cancel it using your spend key before the timer runs out. Common clawback periods range from 24 hours for active wallets to 90 days for cold storage.
What happens if I lose my phone with Chia Signer on it?
If you lose the phone with Chia Signer, use your 24-word recovery phrase to initiate vault recovery through the Cloud Wallet. After your chosen clawback period expires, you can link a new spend key on a replacement device. Your funds remain safe during that waiting period because a recovery cannot be completed instantly — it requires the full clawback timer to elapse.
Can I use Chia vault setup on Android?
The Chia Signer app is currently iOS-only. Android support is planned for a future release. Android users can still create and use a Chia vault by selecting a passkey as their spend key — stored in a hardware security key, a password manager, or their device’s OS keychain. The vault security model works the same regardless of the spend key method chosen.
Is Chia vault setup secure enough for large holdings?
Yes. Chia vaults are the same technology Chia Network uses to secure its own prefarm. The combination of separate spend and recovery keys, time-locked clawback periods, and optional multi-signature configurations (coming in the Prosumer Tier) provides enterprise-grade security that is accessible to individual users without requiring technical expertise.
Chia Vault Setup Citations
- Chia Network. (2025). “Getting Started.” Chia Cloud Wallet Documentation. https://docs.chia.net/cloud-wallet/getting-started/
- Chia Network. (2025). “FAQ.” Chia Cloud Wallet Documentation. https://docs.chia.net/cloud-wallet/faq/
- Chia Network. (2025). “Chia Signer App — Getting Started.” Chia Documentation. https://docs.chia.net/chia-signer/getting-started/
- Chia Network. (2025). “Chia Vaults: A Secure and Flexible Way to Manage Your Digital Assets.” Chia Blog. https://www.chia.net/2025/01/31/chia-vaults-a-secure-and-flexible-way-to-manage-your-digital-assets/
- Chia Network. (2025). “Chia Cloud Wallet: Now in General Release.” Chia Blog. https://www.chia.net/2025/10/29/chia-cloud-wallet-now-in-general-release/
- Chia Network. (2022). “A New Home for the Prefarm.” Chia Blog. https://www.chia.net/2022/10/29/a-new-home-for-the-prefarm/
- Chia Network. “Chia Signer App.” Apple App Store. https://apps.apple.com/app/chia-signer/id6504493785
- Chia Network. “Custody Tool Description.” Chia Documentation. https://docs.chia.net/guides/custody-tool-description/
