What stays the same
Custody does not change the fleet’s access. In both modes:
- Operators receive only the safe test piece and signed search work.
- Operators do not receive the full wallet, customer identity, or spendable key material.
- A possible password is sealed to Verify and independently checked.
- Only the operator who found the accepted password is associated with the operator share.
The custody choice changes where the full encrypted wallet lives and where final wallet ground truth is available.
Side-by-side comparison
| Question | Custodial | Non-custodial |
|---|---|---|
| Who holds the encrypted wallet? | Distribrute’s high-trust storage | The wallet owner |
| Who creates the safe test piece? | Distribrute during secure intake | Locally or with guided assistance |
| What does the operator fleet receive? | Safe test piece only | Safe test piece only |
| Where is a match fully verified? | Against the stored full wallet | Extract confirmation first; full-wallet proof on the owner’s computer |
| Where is wallet recovery completed? | Distribrute’s high-trust workflow | A guided session on the owner’s computer |
| Primary additional trust | Distribrute’s custody and settlement controls | The owner computer and guided recovery software |
| Current operation | Implemented with manual steps | Implemented with a manual guided session |
Custodial flow
The owner submits the encrypted wallet through secure intake. Distribrute derives the safe test piece and retains the full encrypted wallet inside the high-trust verification boundary. If the fleet finds a candidate, Verify can test it against the complete wallet before the case proceeds.
This offers the strongest server-side confirmation and reduces demands on a non-technical customer. The tradeoff is straightforward: the owner trusts Distribrute to safeguard the encrypted wallet, the recovered password, and the final settlement process.
Non-custodial flow
The wallet remains on the owner’s computer. Distribrute coordinates the search using only the safe test piece. After an extract-side match, the complete wallet must be opened locally during a guided session before funds can move.
Non-custodial is trust-minimized, not trustless. Verify handles the reported password candidate, and the guided workflow must use it on an owner-controlled computer. A compromised customer machine could observe the password, private keys, or transaction-signing process. No application can prove that a general-purpose host is clean.
The current process manages this risk with a recorded, guided ceremony and a narrowly scoped workflow. It does not eliminate the host risk.
Transaction timing differs by wallet
Some Bitcoin Core wallets expose enough public information in the encrypted file to prepare parts of a transaction before unlock. Blockchain.com backups do not reliably expose the wallet’s usable addresses before decryption. The recovery workflow therefore cannot assume that every unsigned transaction can be prepared at onboarding.
The safe rule is to treat transaction construction as wallet-specific and to verify all destinations, amounts, and fees after the full wallet information is available.
Recovery Room is planned
Recovery Room is the proposed desktop application for the non-custodial ceremony. The design aims to:
- isolate the wallet operation from the browser and ordinary meeting tools;
- accept a narrowly scoped, authenticated password delivery;
- build and display the transaction locally;
- require the owner to review and approve the transaction;
- sign locally and return only the signed transaction for verification and broadcast;
- publish auditable source and reproducible releases.
It is planned and not implemented today. Current non-custodial cases use a manually guided process. See Implementation status whenever a future-state description and current availability need to be distinguished.
Choosing a mode
Custodial recovery is generally simpler for a non-technical owner and enables stronger full-wallet verification within the service. Non-custodial recovery reduces wallet custody by Distribrute but moves more responsibility and host risk to the owner’s computer.
The appropriate choice depends on the wallet format, value at risk, owner capability, and the threats that matter for the case. Distribrute reviews those factors before intake rather than treating one mode as universally safer.