As you start to build up Bitcoin, you are going to want to think about keeping it secure. There are two main choices – either let someone else protect it for you, or protect it yourself. Unfortunately, when you let someone else take care it, you have counterparty risk, and when you take care of it yourself, you have to make sure you don’t lose your private keys.
As the owner of a Bitcoin mining operation, I earn Bitcoin every day. I buy equipment using Bitcoin. I have actual daily experience using it, and also need to save Bitcoin for the future when the next hardware upgrade cycle comes around. My advice is based on what I do with my own Bitcoin.
I’ve tried all sorts of different ways of keeping my Bitcoins safe, and now that I have them in a hardware wallet, I am at peace.
How Bitcoin Wallets Work
There is no actual token or coin that can be placed in a wallet. A Bitcoin wallet refers to a software application that lets you send, store, and receive Bitcoin.
The Bitcoin blockchain is a very long and cryptographically secure transaction record, updated every 10 minutes. In order to participate, your wallet software program generates a private key and a corresponding public key. These keys are used to generate Bitcoin addresses. When someone pays you in Bitcoin, they are using their private key to sign a transaction that sends a certain amount of Bitcoin to an address you control.
Here’s a video with a quick review of Bitcoin:
Your wallet app shows you have a certain amount of Bitcoin that you can spend based on the transaction inputs received by your public address. To spend it, your wallet application takes one or more transaction inputs, encodes it with your private key and your receiver’s wallet address, then sends that encrypted message out to the closest Bitcoin node. The transaction gets included in the next 10 minute blockchain update, and after 5 more updates, or 1 hour, the transaction is fully verified.
Bitcoin nodes are computer servers owned by people all over the world, that contain a complete copy of the entire Bitcoin transaction record. There are tens of thousands of these nodes run by many different people and organizations, of all nationalities.
The Bitcoin you control, and can spend, can be traced back through the chain of transaction ledger blocks all the way to when it was created. New Bitcoins are created every 10 minutes in the transaction block. After they are created, they are passed around from person to person. Every time they are sent from one person to another, the transaction is recorded in the Bitcoin blockchain ledger. Anyone can view and analyze this transaction record.
Thankfully, your wallet can generate many different public addresses from your one private address. You can use a different one for every transaction, if you like.
Even though it takes an hour to fully verify the transaction, other Bitcoin wallet apps can see the transaction was sent within a few seconds of sending.
Bitcoin wallet sounds friendlier than private key. But the important piece of information as far as Bitcoin goes is the private key. Control the private key, and you can spend all the Bitcoins that private key has control over.
Many people I talk to don’t ever use a wallet. They enter the Bitcoin world through an exchange that converts fiat currency, like US Dollars, to Bitcoin. Coinbase and Kraken are good examples of this.
Exchanges seem like banks, and people are comfortable with them. There is a lot of security, including usernames, passwords, two factor authentication (2FA), encrypted email, vaults for cold storage, ID requirements, insurance.
Unfortunately, sometimes there is too much security. If you start bringing in a lot of Bitcoin, your exchange will even ask for ID, copies of lease documents, pictures of your business, and even your power bill!
If you keep your Bitcoin at an exchange, they control the private key. You don’t really own any Bitcoin that’s at an exchange. In that way, it really is like a bank. With an exchange, just like a bank, there is counterparty risk.
Counterparty risk happens when you have your Bitcoins held by someone else. You don’t own the Bitcoin they are holding for you, they own them. You have to trust that when you ask for them back, they will give them to you. This usually happens just fine, but might be delayed, or not happen, for any number of reasons.
It is the same counterparty risk you run with a bank. You deposit your dollars in a bank, and trust that when you ask for it back, you can have it. So far, no one in the USA has had a problem with banks. The taxpayers of the USA make good on any deposits at failed banks through the FDIC program.
Greece is another story, however, and the bank bail-in, where a percentage of everyone’s deposits were taken to keep the bank solvent, shows what can happen when too many banks fail at once.
Bitcoin exchanges have been hacked, with the private keys taken. Bitfinex was the latest large exchange to get hacked, and it will probably happen again somewhere else. Mt. Gox is probably the most famous exchange that was hacked. When an exchange gets hacked, someone figures out the private keys of the customers, then uses those keys to send themselves the Bitcoin.
Using Exchanges Safely
If you put yourself in someone else’s power, make sure you minimize the possibility of getting screwed. And if you do get screwed, try to set things up so you minimize the pain.
The first thing to do with any Bitcoin exchange is to set up 2 factor authentication (2FA). This is easy to do with your phone. You can set up basic 2FA by having the exchange text you before allowing a withdrawal to happen. A better way is to use the Google Authenticator app on your phone, which provides a new six digit code every 20 seconds. I use 2FA on every exchange and online wallet account I have.
What you are looking to protect against with 2FA is someone putting a keylogger on your PC, capturing your username and password, then using that information to spend your Bitcoin. Two-factor authentication protects against someone getting your username and password to websites, because without the time and device based passcode, they can’t login.
When I use exchanges, I am sometimes frustrated by all the actions I have to take to verify my identify. With Coinbase, every week or two I have to accept an email and click a link. Same thing with Kraken. For security on Kraken, every email they send me is encrypted with GPG, so I have to type in my GPG key just to read the email. There’s a lot of steps involved in getting access to my Bitcoin. So I prefer to only use exchanges when converting Bitcoin to and from US Dollars.
But taking all these steps only helps make sure my account is not accessed by someone else. It does nothing to protect against counterparty risk. I hedged that risk by using five different exchanges and online wallets. I figured that worst case, one of them would get hacked, and I would lose only 20% of my holdings.
As they say, Hope is not a Strategy. I was still unsatisfied. I moved away from using exchanges and web wallets altogether for primary Bitcoin storage in favor of Software Wallets.
I installed the Electrum Bitcoin wallet app on my PC and transferred all my Bitcoin to it. It was easy. Electrum let me set up different wallets, and I could send and receive Bitcoin whenever I wanted.
When you create a wallet with Electrum, you encrypt it, and get a 12 word passphrase to recover the wallet encryption. If you have that passphrase, you can recreate the wallet and have access to the bitcoin controlled by that wallet’s private keys on any computer. I backed up my wallet to an external drive, and to a USB stick.
I figured since I am an IT professional with decades of experience, I would be OK with keeping my Bitcoins secure in a software wallet. Unfortunately, I also know many different ways PC’s, Mac’s, and Linux boxes can get hacked.
The most common way a computer gets hacked is a trojan dropper downloads a payload application and joins the computer to a botnet. The personal information and keystrokes get uploaded to the control server, where it is automatically scanned, and all usernames and passwords recorded. These usernames and passwords are piped to other applications that run them against available internet sites. Bitcoin software wallets are especially nice finds for the people that run these operations.
I got nervous about access to the 12 word passphrase. I printed it out and put it in two different safes. Then I created an encrypted virtual hard drive on my computer with VeraCrypt (open source application) put the passphrase in a text file in the VeraCrypt file, and made copies of that file. I copied those files to multiple USB keys, and put those in different safes. Then I worried about forgetting the password to the VeraCrypt file! Finally, I figured I would store the Veracrypt passwords in my online password manager, which is also encrypted.
Then I worried about someone getting access to my PC, opening up the Electrum wallet, and sending the Bitcoin to themselves.
I also installed the wallets on a dedicated Linux laptop that has an encrypted hard drive, just in case I lost my PC. I also worried that one of my computers might have a virus on it that runs a keylogger and someone could figure out my passwords. If they were able to copy my Electrum wallet and get my password when I sent Bitcoin, my Bitcoin account could be stolen. But I keep everything up to date and operate in a secure fashion, so I felt I should be OK.
Except I wasn’t OK. Every day I opened my Electrum wallet to make sure my Bitcoin was still there. I was starting to worry about it at night. That was not good. I looked into cold storage with paper wallets, but there’s a bunch of problems with those. Clearly, standalone software wallets were not going to work for me.
Finally, I looked into hardware wallets. I had always thought they were silly toys. Boy was I wrong. They are the Holy Grail of Bitcoin storage and use. I’ll explain.
There are three main hardware wallets worth looking at: Trezor, Keepkey, and Ledger Nano S. They all do the same basic thing, but in different ways. They create the cryptographic private key on the device itself. This takes all the concern about hacking and trojans away.
If I want to spend Bitcoin that is secured by a hardware wallet, I open up any wallet app on my PC that can work with a hardware Bitcoin wallet. I type a PIN code directly onto the hardware wallet itself, using buttons on the device. Then I give permission for the PC wallet app to access the public Bitcoin wallet address on the hardware device. At that point, I can see how much Bitcoin I control, and a transaction history.
The hardware wallet also is responsible for signing spending transactions. To spend Bitcoin, I create a transaction on the wallet app on my PC, and click send. This generates a signing request from the PC wallet app to the hardware wallet. The Bitcoin hardware wallet signs and encrypt the transaction only after I click the button on the device granting permission.
My computer never has access to the private key. With a hardware wallet, my Bitcoin keys can’t be stolen!
But wait, you ask, what if I lose my hardware wallet?
- It’s protected by a PIN. Three wrong PINs, and the keys are erased.
- When the hardware wallet is initially configured with a private key, the wallet generates a 24 word passphrase that can be used to recreate the pin key on a replacement wallet.
- I keep those 24 words in a safe. I keep my wallet easily accessible.
The hardware wallet has no battery. It is powered by the PC it plugs into. I can also plug my hardware wallet into my Android phone, and have full access to my Bitcoin with the Mycelium wallet application. That’s a big deal – I don’t need my PC to spend my Bitcoin.
If you are going to buy a hardware wallet, I recommend you buy at least two. That way if you lose your wallet, you can recreate your keys with the passphrase, and be back to normal.
And if someone steals your safe with the 24 word passphrase in it, you can initialize your second hardware wallet with a complete different private key, and transfer all your funds from your first hardware wallet to your second one. Then the 24 word passphrase in the safe is useless.
I no longer worry about losing my Bitcoin. A hardware wallet is better than cold storage. It’s cold storage when it’s not in use, and it’s more secure than either a software wallet, web wallet, or exchange when it is in use.
What’s The best Hardware Wallet?
There are three main hardware wallets. At this point in time, they are very popular, and regularly go out of stock. You may have to try to preorder them from the vendor directly if they are out of stock.
The Trezor has open source software, so all the code can be reviewed by the community. It is probably the best known hardware wallet. I think it was the first.
Keepkey uses the same open source code as the Trezor, and has a display that shows the 24 word passphrase, so those 24 words are never seen by the PC.
I like the Ledger Nano S. It is smaller and less expensive than the Keepkey, yet also has a screen that shows the 24 word passphrase. The Ledger Nano S also has the ability to store Altcoins. Currently it can store Bitcoin, Litecoin, Ethereum, Dash, and Dogecoin.
Finally, the Nano Ledger S has a feature that protects you if you have a gun to your head, and someone is demanding your PIN. You can set up two private keys on your hardware wallet, each protected by its own PIN, with the second key protected by a PIN and a 25th word. Put a little bit of Bitcoin in the first private key, and the rest of your Bitcoin in the second one. Your attacker gets the Bitcoin protected by the first PIN, and probably won’t even know about the second one.
Hardware Wallets Keep Your Bitcoins Safe
There are many different ways to store your Bitcoins. Yes, it’s easy to keep using an exchange. But think about why you own Bitcoins in the first place.
- Is it for investment?
- Is it to be able to buy from organizations that only accept Bitcoin?
- Is it to transfer money to people overseas?
- Is it to operate in an economy where the fiat currency is being devalued through inflation?
- Is it to get your money out of banks so you are not subject to a bail-in?
For all these situations, there are 3 requirements:
- You first of all want control of the private keys that enable your Bitcoin to be spent.
- You don’t want anyone else to have control of your Bitcoin private keys.
- You don’t want that key on any computer that’s connected to the Internet.
Hardware wallets are the only way to meet these three requirements. Buy yourself two of them today!
Bonus Video from BTC Sessions – How to Use the Ledger Nano S