If you’ve been around bitcoin for longer than five seconds, I hope that someone has told you that you should hold your own keys and you should put your bitcoin into cold storage. Learning what a bitcoin “cold” wallet is and why you should have one is one of the most fundamental steps on the journey to owning bitcoin.
As a beginner bitcoiner, there is a temptation to do everything on the cheap so you don’t dump too much money into this “bitcoin thing”. Why would you spend money on a cold wallet when you can keep your money on an exchange for free? Why would you learn the complexity of self-custody when it’s super easy to just let the professionals take care of it?
Well, nothing in life is free, and when you keep your money on an exchange, you are paying for that in a number of ways. For one, you’ll likely be getting advertising emails that encourage you to buy into other types of cryptocurrency, to trade bitcoin, or to buy other bitcoin-related products. In other words, securing your bitcoin for you is a loss-leader to get you to buy other stuff.
What’s more important to consider is that when you keep your bitcoin on an exchange, you give up control over your bitcoin. Bitcoin on an exchange is bitcoin you need permission to spend. It’s like a bank being able to decline an online transaction because they think it looks sketchy. But it’s worse because bitcoin exchanges are not banks, and you might have to wait 3-4 days to approve any suspicious transaction.
Also because exchanges are not banks, if the exchange has any financial troubles, your bitcoin could be wrapped up in a lawsuit for a decade. If the exchange gets hacked and doesn’t have insurance, your bitcoin could be gone forever. If the exchange CEO loans your money out to degenerate gamblers and they lose it all, they might go to jail, but you still get zero bitcoin. All of those things have really happened.
So although it might be tempting to trust “the professionals” instead of yourself, that trust comes with tradeoffs.
A bitcoin cold wallet is a wallet not only gives you full control over spending your bitcoin, it also makes your bitcoin impossible to hack.
3 Reasons To Get A Cold Wallet For Your Bitcoin
1. Your Private Key Is Generated Offline
To have keys generated offline means that the process of creating private and public keys for a cryptocurrency wallet is done without any connection to the internet. This method is considered to be more secure because it eliminates the risk of online threats like hacking or malware attacks.
When keys are generated offline, it involves keeping the private keys completely offline as well. This is commonly referred to as “cold storage” or a “cold wallet.” Cold wallets are known to be more secure than hot wallets, which are connected to the internet (e.g. smartphone wallets).
These days, keys are represented by combinations of 12-24 words selected from a list of 2048 words. The randomness here is important, as humans are notoriously bad at being random. Using a proper token generator from a cold wallet means it is more likely to correctly guess a specific atom in the universe than it is to guess your seed phrase.
Hardware wallets, like Trezor, Coldcard, or BitBox, implement BIP 39 standards and use mnemonic phrases to generate tokens. These devices have their own random number generator hardware, which feeds into the cryptographic secure pseudorandom number generator (CSPRNG) and keyseed generator. This ensures that the generated tokens are truly random and secure.
The main advantage of using a hardware wallet with a token generator is the added security it provides. Since the private keys and tokens never leave the hardware wallet, they are not exposed to potential malware or online attacks. This significantly reduces the risk of theft or unauthorized access to your funds.
It’s important to note that a hardware wallet itself is essentially a computer with specific tasks related to key pair and seed generation, as well as transaction signing. While it is possible to create a hardware wallet using an airgapped computer, dedicated hardware wallets offer a more convenient and user-friendly solution.
2. Your Private Key Is Stored Offline
Using a cold wallet for your bitcoin means that private key is stored offline too. Your wallet may communicate with other online devices, but the private key never actually “leaves” the wallet. The offline bitcoin wallet simply approves or denies transactions. This is done to enhance security and protect the private keys from unauthorized access other vulnerabilities that can arise when the keys are stored on a device connected to the Internet.
In contrast, hot wallets are connected to the Internet, making their private keys more vulnerable to network-based theft. For example, if your iCloud is hacked and your phone wallet backs up your private key to iCloud, your bitcoin could be stolen. Hot wallets are generally used for everyday transactions, while cold wallets are used for long-term storage and protection of larger amounts of cryptocurrencies.
It’s crucial to keep your physical hardware wallet in a safe place to prevent damage or loss that could result in the permanent loss of access to the bitcoins. Though your bitcoin is ultimately controlled by your private key (AKA seed phrase), if your hardware device is compromised, your seed can be extracted in some cases. If you forget your pin, the device could be bricked. If damaged and you didn’t back up your seed, the bitcoin could be inaccessible forever.
3. It’s A Bitcoin Savings Account
Though the main reasons to have a cold wallet are due to security of generating and holding the keys to your bitcoin, another benefit is that it adds an additional step between you and selling your bitcoin.
This is a good thing because it prevents you from panic selling during market downturns. Having your bitcoin locked away in a digital savings account which isn’t easily accessible just by flipping your phone out of your pocket forces you to think twice before selling.
It doesn’t stop you from selling. You just have to be mindful and sell with intent. Even if your hardware wallet is just stored in a desk at home where you work, or in a safe in the attic, you still have to open the drawer, pull out the wallet, find the USB cable, connect the wallet, enter your pin, etc.
A lot can go through your mind in those 30 seconds.
Are you sure you want to sell, or is this just a temporary blip?
Why did you buy bitcoin in the first place?
Weren’t you warned about market crashes and panic selling?
Top 3 Bitcoin Cold Wallets
There is no single perfect solution for buying, holding, and spending bitcoin. Choose the right tools for what you intend to do with bitcoin. For secure, long term storage of bitcoin, a cold wallet is the way to go, so you should really invest some time into understanding how they work and why they are important.
There are quite a few cold wallets on the market, but the best bitcoin hardware wallets effectively secure your bitcoin, are simple to use, and are reasonably priced. Though I’ve tried more than ten different cold wallets in my years using bitcoin either for holding my personal stack or just for testing and reviewing, these are currently top 3 recommendations.
The Blockstream Jade (affiliate) is becoming one of my favorite recommendations for new bitcoiners because it’s cheap, easy to use, and you can use it with a companion mobile + desktop app. You can use on-chain bitcoin, and their lightning bitcoin function is coming cool. Create multiple wallets in the Blockstream Green app for spending, saving, and cold storage, and manage your funds with one or multiple Jades.
The COLDCARD is the most advanced and feature rich hardware wallet on the market. A top recommendation from many long-time bitcoiners, if security is your main goal, the COLDCARD is what you need. COLDCARD uses a microSD card to sign transactions “airgapped”, meaning you never have to plug it into your computer. There are lots of options for trick pins, hidden wallets, advanced seed recovery options, and the newest MK4 version has NFC signing option.
Trezor (affiliate) was the first company to develop a bitcoin hardware wallet, and they are still killing it today. The Trezor One is a super cheap way to get started, and the Trezor T is even better with a touch screen for simplified interaction with the wallet. Both use the Trezor Suite desktop software.
4 Rules For Cold Wallets Every Bitcoiner Should Know
1. Buy Direct From Cold Wallet Manufacturers
Using a second-hand hardware wallet is not recommended for several reasons. Firstly, hardware wallets are designed to securely generate and store public and private keys, as well as sign transactions. They are meant to keep your private keys safely disconnected from the internet, providing a form of cold storage for your Bitcoin. When you purchase a new hardware wallet directly from the manufacturer, you can be confident that it has not been compromised or tampered with.
If you were to buy a second-hand hardware wallet, you cannot be sure of its history or whether it has been modified in any way. There is a risk that the previous owner may have obtained the private keys or installed malicious software on the device. This could allow them to access your funds or manipulate transactions.
I never buy my cold wallet hardware on Amazon.
Furthermore, using a second-hand hardware wallet means that you may not receive any warranty or customer support from the manufacturer. I have bricked at least one hardware wallet that I can remember, and because I bought it from the manufacturer, they simply sent me a new one.
2. Wipe And Recover
Wiping and recovering a wallet before storing a large amount of funds on it is recommended for security purposes as well as peace of mind.
Before wiping your wallet, send a small amount of test funds that would not be catastrophic if lost. Then make sure you have your private key (12-24 word seed phrase) backed up, legible, and accessible to you. Make sure your surrounding area is secure from unknown persons and security devices like wifi-enabled cameras.
When you “wipe” the wallet, it removes all data related to your bitcoin wallet and your holdings. It becomes a completely fresh piece of hardware, ready to create a new wallet, or restore an existing wallet from the seed.
Recovering the wallet allows you to restore it to its original state and regain access to your funds. You’ll need to enter the words of your seed phrase in order, one by one. Do NOT type them into the your keyboard, even if it’s very convenient and quicker to do so (most wallet software won’t allow you do this). This is good practice to prevent key loggers from reading your keyboard actions remotely. Hardware wallets should all you to to select letters on the device via physical buttons or a touch screen. It may be tedious, but it’s a good habit.
Some wallets have you use an encrypted backup of the key which you can insert via microSD to make the process more smooth, but it’s important to try the seed phrase method as well. Your microSD can be corrupted or lost, and may not work with other hardware devices. Always have your backup phrase regardless of whether microSD encrypted backup is avaiable.
This process of wiping and recovering the wallet is a great step to new bitcoiners to prove to themselves that they can recover funds in a catastrophic scenario. It also is visual proof that your wallet is doing what it intends to do, and that you actually wrote down your words correctly! One wrong letter like changing an lower case “l” to an upper case “I” could mean your funds are “lost” by a simple mistake in legibility of your backup.
3. There Is No Perfect Cold Wallet
There is no perfect wallet when it comes to securing your bitcoin. Every hardware wallet makes tradeoffs which make it better in some areas, but worse in others. Here are some examples of wallet tradeoffs that are simple to understand.
Some wallets choose to have a touch screen which makes using it super convenient, but also adds to the cost of the wallet.
Some wallets choose to have a secure element which makes key storage more secure and hacker-proof, but also means you can never fully build the wallet from scratch even if it is “open source”. Of the wallets without secure elements, some may wipe your seed completely upon shutdown (stateless), while others may choose various types of PIN security methods and encourage using a passphrase.
Some wallets allow bluetooth or NFC signing for convenience, while others see that as a security risk.
Some wallets default to encrypted backup for familiarity and convenience. Others default to a BIP39 seed phrase to ensure dummy-proof backup even in catastrophic scenarios.
There are many different options. If you don’t know the difference between any of these, it can be quite difficult as a beginner to figure out what the “best” wallet is. The truth is that there is no “best”. There are good wallets and bad wallets, and once you get into good wallet territory, it’s all about preference.
My advice is that if you don’t understand the tradeoffs, know that they are not usually life-or-death. As long as you choose a wallet from one of the 5-10 top brands (don’t buy something random from Amazon!), you’ll be find. If you’re storing a lot of funds on it, then spend a couple hours doing your research and ask some questions on Reddit, Telegram groups, or even your local bitcoin meetup to hone in on a good wallet for yourself.
Holding your own keys, no matter the tradeoffs you make, is infinitely better than holding your bitcoin on an exchange.
4. Complex Cold Storage Can Lead To Loss of Bitcoin
When you think of bitcoin as “bug out money” or as “Gold 2.0”, and consider that the price may go parabolic by 2030, there is a temptation to bury your wallet in the backyard or something even crazier like a 19-of-20 multisig to make your bitcoin practically inaccessible. The idea is that by making your cold storage so complex, you will only be able to retrieve it in the most dire of situations.
While a setup like this may make you feel safe from hackers, thieves, and bear market jitters, what it unintentionally does is put you at risk of forgetting how to access your own bitcoin. The #1 way bitcoiners lose bitcoin is with a footgun:
- forgotten pin
- lost password to encrypted backup
- forgotten passphrase
- hiding spot forgotten or lost access
A cold storage setup that’s so secure that even you can’t access it defeats the purpose of having bitcoin.
There’s a famous case of bitcoin developer losing over 100 bitcoin to hackers, and many in the mainstream media declared that bitcoin was too complex for even bitcoin developers to handle! How would normies ever do it?
What they didn’t say was that he had a super custom setup hand coded and that he would have been more secure simply by using a basic $69 Trezor One to secure his bitcoin (his bitcoin was hacked remotely).
The moral of the story is go simple and be smart. Use a hardware wallet. Don’t brag about your bitcoin holdings. Don’t show people where your wallet is. Bitcoin security doesn’t have to be complex to be effective.
Other Types Of Bitcoin Wallets
A paper bitcoin wallet refers to a physical document or piece of paper that contains the necessary information to access and control your bitcoin funds. They are one possible options for physical bitcoin.
A paper wallet includes the private key, which is a secret code that allows you to sign transactions and prove ownership of the bitcoins associated with the wallet. With this private key, you can spend or transfer your bitcoins to other addresses.
Paper wallets typically have the private and public key written out in its full hexadecimal format, which are basically a long strings of numbers and letters. It may also have a set of scannable QR codes.
The main thing is that the entire wallet is contained on a piece of paper. It may have been printed from your computer, or it could have been a fill-in-the-blank type of thing with the keys manually transcribed from a bitcoin wallet generator. It is a physical representation of your wallet.
It’s important to note that paper wallets require careful handling and storage because they are vulnerable to theft or damage. They are like the bearer bonds you always see bad guys steal in movies. There is no “official owner”, and there is no backup anywhere else. If they are lost or damaged, the money is gone forever. They should be stored in a secure place, such as a safe or a bank vault, to prevent unauthorized access.
However, it’s worth mentioning that the reference client for bitcoin does not currently support paper wallets. While it is possible to export individual keys and print them on paper, there are risks involved if you’re not familiar with the implementation details. For example, you may miss important details like change addresses or key pool entries, which could result in lost coins.
Paper wallets are more of a legacy feature of bitcoin than anything you should consider using right now.
I’ve heard the term “brain wallet” refer to two different things, though both include the basic idea of memorizing your bitcoin wallet.
The first, and perhaps most common understanding of a brain wallet is a wallet that uses a passphrase or secret phrase to generate private keys. This passphrase could be a set of song or poem lyrics, or something else memorable, without having to memorize the exact phrase. In other words, your wallet key would be hiding in plain site!
The idea behind a brain wallet is that you can remember the passphrase, so there is no need to store it anywhere physically. Instead of relying on a paper or hardware wallet, the secret phrase is used to generate the private key whenever needed. The advantage of a brain wallet is that you don’t have to worry about losing your wallet since you can always recreate it using the passphrase. However, brain wallets have a downside in terms of security.
Passphrases chosen by humans are usually easier to crack compared to randomly generated keys. This means that if someone manages to guess or crack your passphrase, they can gain access to your funds. In fact, I’ve heard there are programs out there that automatically search for bitcoin wallets generated from popular books and song lyrics, and most brain wallets are cracked relatively quickly these days.
Another type of brain wallet is simply to memorize your BIP39 seed phrase (those 12-24 words). This way, you get the advantage of having a securely generated, properly randomized bitcoin seed phrase, but it’s not written down anywhere that could be compromised. It’s really not that hard to remember 24 words, especially if you turn it into a mnemonic phrase.
A mnemonic phrase would be to take your individual words from your private key and turn it into a little story. Let’s assume your key included the words:
You could make a little story like, I went for Lunch, then took a Nap. Afterwards I ate Supper with my Puppy, but he ate my Dongle! It’s a little hard to crowbar some of the words into a logical story, so there is some rote memorization required, but it’s easier when you remember a story than just a list of words.
The major downside to this wallet, and any other type of memorized brain wallet is that you can simply forget. Not only are you at risk of having some sort of brain injury, it’s more likely that as you age your memory will simply get worse and you’ll start to forget things. Even very important things.
It also puts you at risk of exposing your wallet information under distress, under the influence, or other compromised situations.
An encrypted bitcoin wallet is not a different type of wallet per se, but it is a way of backing up your wallet worth discussing. An encrypted bitcoin wallet provides an additional layer of security by encrypting the private key. Without the password to unencrypt the wallet, the key is inaccessible.
An encrypted wallet is useful when storing your bitcoin wallet information on a daily driver computer. Though this is typically not recommended, some people still do this, and it’s a security tradeoff they are willing to make.
Some cold wallet software allows you to do this as a primary or secondary backup to your seed phrase. Just be aware that if you are not choosing your own password to write down and store, you’ll need the specific hardware that encrypted the wallet to decrypt that same wallet. A Trezor cannot decrypt an encrypted key from a BitBox!
If you are using a generic bitcoin software and choosing your own password to encrypt the wallet, full sentences can work better than single words or random phrases. They are longer and more memorable. Password crackers are quite good cracking passwords these days, so ilikeboobs100 isn’t going to cut it.
To create an encrypted wallet, you need to use the “encryptwallet” command in the bitcoin client software. This command will prompt you to enter a secret password, which will be used to encrypt the wallet. Once the wallet is encrypted, the private keys and seed will be securely stored, and you will need to enter the password every time you want to access the wallet or make a transaction.
It’s important to note that if you forget or lose the password for an encrypted bitcoin wallet, there is no way to recover the encrypted data. The bitcoins stored in the wallet will be effectively lost. Therefore, it is crucial to remember the password or keep a secure backup of the encrypted wallet file.
Multisig Cold Storage – The Safest Way To Store Bitcoin?
Many people consider multisig cold storage to be the safest way to store bitcoin.
Multisig, short for multisignature, is a way of creating a transaction output in Bitcoin that requires multiple keys to sign. It offers several benefits to a standard single signature, or “single sig” setup. With multisig, there is typically an M-of-N setup, where a certain number out of a maximum available keys can be used to spend bitcoin. For example, 2 of 3 keys, or 3 of 5 keys. You would need 3 or 5 cold wallets to set up these multisig wallets, respectively.
Though it may seem like a big investment to buy as many as 5 hardware wallets to set up a single digital wallet, consider the investment in comparison the amount of value you’re securing. If your live savings is even just one single bitcoin, the current value is almost $30,000. Hardware for cold wallets can be as cheap as $70 each. Would you spend $210 to secure $30,000 against catastrophic loss?
One of the main advantages of multisig is that it eliminates the risk of a single point of failure. In other words, if one key is lost or compromised, the funds can still be accessed and recovered using the remaining keys.
By using multisig, individuals can create a spending policy that allows for key loss without losing access to their funds. The keys are generated, stored, and accessed in different ways to ensure that a problem with one key doesn’t affect the others.
For example, the if it was discovered that some popular cold wallet hardware was generating keys in some kind of predictable way, those keys may become vulnerable to loss of funds. However, if your multisig wallet uses hardware from different manufacturers, only one key would be compromised.
If it was discovered that there was some kind of supply chain attack, or even that a wallet manufacturer inserted a back door into their hardware, your funds would still be safe.
Multiple low probability catastrophic events would have to occur for the Bitcoin to be lost.
More common however is simply loss of a key, and of course, you’re safe from that as well, and individual wallets in a quorum can be replaced if lost or compromised.
As with all things bitcoin, there is no perfect solution, and multisig does come with some tradeoffs. It does come with increased complexity, which users must manage effectively. Where do you store each wallet, and how much time are you willing to spend learning the basics of how to operate different types of wallet hardware and software? Then every time you want to spend bitcoin, you need to collect at least 2 wallets to sign, instead of just 1.
A 2-of-3 multisig setup or “quorum” is pretty much what it sounds like. There are a total of 3 keys that can be used to spend your bitcoin, but only 2 of the 3 are required. This is the most popular multisig setup because once you start getting more than three keys in a quorum, spending is more complex, and even more expensive.
2 of 3 is more simple to set up, track, spend, and recover.
There are a couple different popular options for 2-of-3 multisig.
Full Custody 3 Keys From Different Manufacturers
In this setup, you’d create your own multisig quorum using a software like Sparrow, Specter, or Caravan. You can choose from any of the popular bitcoin hardware devices. Though it’s tempting to simply use the same hardware for all three keys for simplicity’s sake, there’s are benefits to using different hardware for each key.
Not only you mitigate the risk of “supply chain attacks”, where hardware would be compromised at the manufacturer level or en route to the customer, but you also decrease the risk of your hardware being compromised while in your possession.
On top of that, you protect yourself from future unknown issues with specific models of hardware. For example, if it was discovered that a specific brand wasn’t generating private keys with enough randomness (as has happened in the past), even if they key to one wallet was discovered, you’d still be protected by having 2 other keys generated by other hardware.
Collaborative Custody With Institution
For beginners, collaborative custody is extremely popular. It’s super easy to feel comfortable, and gives you a feeling of a having failsafe, even though you are in full control of your funds.
With this setup, a corporation holds one key and you hold two. Unchained, Casa, And Nunchuk are three companies that currently do this. Onramp is another company that does something similar, but they hold all three keys in separate institutions, and only cater to high net worth clients.
The benefit here is that you have a service to walk you though setting up your bitcoin wallet, and they always hold one backup key. Backing up a multisig wallet has some added complexity, and they can help you with that too. Because they only have one key, they can’t actually spend your bitcoin, but they can serve as an emergency signer if you lose one of your keys. You can spend your bitcoin however you like since you hold two keys.
Smartphone As One Key
This isn’t technically different from the other two examples, it’s just my favorite example to talk about because it’s very convenient. Your smartphone can actually be used as a signing device for a multisig wallet, then you can have two hardware wallets you control, or one hardware wallet and one key at company. Nudnchuk and Casa both have phone apps that act like signing devices, though there are more services being developed in this niche.
This means you have one key with you at all times, and either one key at a custodian and a key you control, or both other keys you control. You still can’t spend your bitcoin on the fly because you need a second key to sign. To spend you either need to contact the company, which takes a day or two and some extra verification, or you need to get that second hardware device you have hidden somewhere.
TAPSIGNER As one Key
I wanted to do a quick additional section here for TAPSIGNER because it’s such a cool product. It’s still quite new, so not a lot of people know about it, but it’s basically a hardware signing device that’s like a credit card. It’s slim form factor makes it easy to store or keep on your person, and to sign you just need to tap it to an NFT-enabled smartphone.
It’s slightly less “secure” in that you aren’t confirming spending information on a screen like you normally would with a hardware wallet, but it’s also super convenient in that you just tap in on your phone and it acts as an additional security feature for spending from your phone.
Imagine using smartphone wallet with a 2-of-2 requirement to spend. Your phone does one signature, and you need the TAPSIGNER to do the second. That means your phone wallet can’t get hacked and have your funds drained, but you still have instant access to the bitcoin on your phone.
It’s a great compromise to for a more secure version of a hot wallet, but you can also use these for deep cold storage multisig. In fact, Nunchuk’s inheritance product is built on being a 2-of-4 multisig where your inheritor has a tapsigner, they control one key, and you control 2. That means they can only move your funds in collaboration with Nunchuk after your death or acquiring at least one of your keys.
With a 3-of-5 multisig, the rules are the same as the 2-of-3, but with more signers. In this setup, you need three keys out of a total of five in order to move your bitcoin.
The main benefit of having more keys is that you can lose or compromise more of them and still have access to your bitcoin. You can simultaneously screw up two keys instead of just one!
The main downside is that you now have a more complex setup. You need more places to hide your keys or more key custodians. It also requires more effort to collect, sign, then re-hide all your keys if you do need to move your bitcoin. Plus, all these keys need to be checked occasionally. It can be a pain in the ass if you aren’t actually spending bitcoin and just making updates to everything.