2.3 Master Wallet Setup
2.3.1 What Is the Master Wallet
The Master Wallet is the primary blockchain wallet used by the platform to execute all critical on-chain operations related to tokenized assets. It is fully owned and controlled by the platform operator — Tokenizer.Estate never has access to the wallet's private keys or seed phrase at any point.
The operator creates the Master Wallet themselves and retains full custody of the cryptographic keys. The wallet is configured during the initial deployment of a Tokenizer instance through a dedicated crypto gateway and is not accessible or editable from the admin panel.
2.3.2 How the Setup Process Works
Step 1: Crypto gateway deployment
The Tokenizer.Estate team deploys a dedicated crypto gateway on the operator's own infrastructure, using the operator's cloud account. All ports are closed except port 443 (HTTPS), which limits external access to the service to that single encrypted channel.
Why do we leave port 443 open?
We leave port 443 open because it is the standard port used for secure HTTPS connections:
- The wallet microservice needs to communicate securely with your systems and with Tokenizer.Estate to receive the one-time initialization request and to interact with the blockchain-related endpoints.
- By using port 443, all data exchanged is encrypted via TLS (Transport Layer Security), protecting it from interception.
Why do we close all other ports?
- To minimize the attack surface.
- Only allowing port 443 ensures no other services or management interfaces can be accessed from the outside, reducing the risk of unauthorized access.
Step 2: Wallet initialization
The operator opens the one-time initialization link and enters their seed phrase into the crypto gateway interface. This link can only be used once. If the operator visits the link again after initialization, it will display a message confirming that the wallet has already been set up.
During this step, the crypto gateway:
- Stores the seed phrase locally on the operator's infrastructure.
- Encrypts the seed phrase and transmits the encrypted version to the operator's main backend, where it is used for signing blockchain transactions.
If reinitialization is needed (for example, if the link was accessed prematurely), the Tokenizer.Estate team will restart the crypto gateway and issue a new one-time link.
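The single-use behaviour of the initialization link described in Step 2 can be enforced as in the following added example, which is not Tokenizer.Estate's code. The class and method names are hypothetical, and it assumes the link is consumed by the first submission and that a gateway restart issues a fresh token.

```python
import hashlib
import hmac
import secrets
import threading


class OneTimeInitGate:
    """Hypothetical single-use link gate; an illustration, not Tokenizer.Estate code."""

    def __init__(self):
        self._lock = threading.Lock()
        self._token_hash = None    # only a hash of the link token is kept
        self._initialized = False

    def issue_link_token(self):
        """Gateway (re)start: clear the previous state and return a fresh token."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        with self._lock:
            self._token_hash = hashlib.sha256(token.encode()).digest()
            self._initialized = False
        return token

    def submit(self, presented_token, on_initialize):
        """Return 'initialized', 'already_set_up' or 'invalid' for one request."""
        presented = hashlib.sha256(presented_token.encode()).digest()
        with self._lock:
            if self._token_hash is None or not hmac.compare_digest(
                    presented, self._token_hash):
                return "invalid"
            if self._initialized:
                return "already_set_up"
            # Burn the link before running setup: concurrent or repeated requests
            # cannot initialize twice, and a failed setup needs a new link.
            self._initialized = True
        on_initialize()
        return "initialized"


if __name__ == "__main__":
    gate = OneTimeInitGate()
    token = gate.issue_link_token()           # constructed sample run
    setup = lambda: None                      # stands in for wallet setup
    print(gate.submit(token, setup))          # first use
    print(gate.submit(token, setup))          # repeat visit
    new_token = gate.issue_link_token()       # reinitialization
    print(gate.submit(token, setup), gate.submit(new_token, setup))
```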
Step 3: Begin operations
After successful initialization, the Master Wallet is ready for use. All blockchain operations within the Tokenizer.Estate instance will be signed using the encrypted seed phrase stored on the operator's main backend.
2.3.3 Security Guarantee
- Tokenizer.Estate never sees, stores, or has access to the operator's private keys or seed phrase.
- The seed phrase is entered exclusively by the operator during initialization and is stored only on the operator's own infrastructure.
- The encrypted copy of the seed phrase resides on the operator's main backend and is used solely for transaction signing.
- The entire architecture is designed so that even Tokenizer.Estate cannot access or retrieve the operator's keys, guaranteeing full ownership and control.
2.3.4 What to Do if the Platform Owner Loses Access to the Wallet
If the platform operator loses access to their Master Wallet (e.g., due to loss of the seed phrase or private key), a defined recovery procedure ensures continuity of platform operations.
- Crypto gateway reinitialization. The crypto gateway instance is reinitialized by the Tokenizer.Estate team, clearing the previous wallet configuration.
- New one-time initialization link. A new secure, one-time-use initialization link is generated. The operator uses it to set up a new Master Wallet by entering a new seed phrase, following the same process described in Section 2.3.2.