Bitcoin security boils down to a few good practices which you should be aware of :
- Your private key is the single most important digital asset. With it all your addresses can be generated by a program.
- Anytime your private key is online, it is at risk. Only offline storage (cold storage) can be considered relatively safe.
- If you do not hold the private key, you do not own the Bitcoins. Any kind of third party wallet where you do not control the PK is not secure.
- Private keys are a tiny piece of data. It literally can be written down by pencil on half a line from a sheet of paper.
Keeping these points in mind, proper storage of Bitcoin means proper storage of your private key. There are infinite possibilities to comply with the above points and keep your Bitcoins safely.
Some folks choose to simply print their private key. Recovering the key is then a matter of copying the characters back into a computer in the future. While you may mistake an O for a zero or a one for an L, these are easy to correct since Bitcoin encodings do not allow these letters in their addresses precisely for this reason!
The important point is that the security of your private key means the security of your Bitcoin stash.
Hardware wallets bring many interesting features to the table, but they’re more of a fashion statement than an absolute necessity. You can safely store your private keys in many ways that do not require giving up $100 or more. Anyway the main advantages of the more popular hardware wallets are long lasting battery life, interfacing with the PC/internet when spending is needed, secure deterministic seeds which can be used to recover the wallet and all its addresses safely and many other features.
Printing your private key on a piece of paper, or simply writing it down using some secure ink like China ink, makes it nearly indestructible. Libraries and ancient writings have survived for centuries, throughout wars and revolutions, and they’re still perfectly readable. The hazards here are the obvious ones: fire, water and theft. If for some reason a cabinet in your home is stolen or destroyed by fire or flood, and the key happens to be in there, then you’re out of luck.
It is thus important to keep an off-site copy of your key. Just like with basic backup security procedures, off-site backups are a necessity to keep a compromised physical installation from allowing the attackers or natural hazard to deny access to your crypto funds. Keeping a secure printed copy of your key at the office, in some unsuspecting location, as a book marker for example, can save you if things go awry in one location but not the other.
The version of your key you keep in physical cold storage (printed,hardware or otherwise) should be encrypted at all times. Every modern encryption tool, the most popular being OpenSSL, will allow you to output strong cryptography in ASCII format that you can read and copy using pencil and paper. By typing back the encrypted message, the same tool is able to decrypt it, provided you rebuild a basic format which usually (but not necessarily) includes a plain text envelope like “—BEGIN CIPHERTEXT—” or something like that before the message and some other markup after the message. The important thing to keep in mind is that even printed keys should be encrypted, so if they fall on the wrong hands the attacker would have to brute force their way to the actual key data. Even the most common encryption algorithm found on OpenSSL, for instance, can be intractable to crack. AES-256 for example would require decades of computing power to crack even for the simplest message. Always use encryption in your favor! It’s freely available via open source packages that you can trust. Gnu Privacy Guard offers many of the same algorithms OpenSSL does, it is also a great option for both asymmetric and symmetric encryption and which one you choose is just a matter of preference. Note though that files encrypted using the same algorithm using different programs are not immediately compatible with other programs. AES-256 encrypted data using OpenSSL will not readily open via GPG and vice-versa, due to differences in their chosen binary and ASCII encoding. The underlying encryption protocol is the same, but how data is represented is not. So keep this in mind if you plan on mixing encryption systems or if you must work in a heterogeneous environment where coworkers chose different encryption solutions.
Do NOT try to roll your own clever encryption scheme to store your secret keys. This is a lesson often learned the hard way even by professional cryptocurrency developers. The folks behind IOTA, for instance, learned this from undergraduate MIT students after they published their source code for the first time. They tried to roll their own cryptographic hash algorithm, only to find out that math wizzes were able to generate any hash collision they wanted, thus being able to spend MIOTA freely if they wanted to. Gladly, the ethics of the MIT academics prevailed and they warned the IOTA team in secret before damage could be done. Therefore take this as a lesson: do not ever roll your own encryption scheme. No matter how clever it is, unless encryption is peer reviewed and tested for many many years before going public, you should assume it has some obvious and blatant security hole that you’ve overlooked. With free and unrestricted access to high quality open source code in software like GPG and OpenSSL, among many other encryption libraries for other languages, like Bouncy Castle for Java, there is absolutely no reason to try and reinvent the encryption wheel by devising your own hashing function.
In summary, you should take these basic precautions when storing your Bitcoin private key(s):
- Always store your keys encrypted. If you print or write down the key, use a strong encryption software that outputs ASCII so it’s humanly readable.
- Do not try to roll your own clever secret encryption scheme. It’s probably not really clever or secret.
- Keep off-site copies of your keys always. Keep them in unsuspecting locations, such as a bookmarker.
- Test your scheme. If you’ve written down your key, practice recovering it and see if your funds are readily available when you add the key to your Bitcoin software.
- If you don’t hold the private key, you hold nothing and the Bitcoins do not belong to you.
Some cryptocurrencies are designed with cold/offline backups in mind. Cardano ADA, for example, allows you to store a humanly readable phrase which can be used to recover your private key and all your ADA addresses by memorizing 12 unique words. This kind of scheme is becoming more and more popular with hardware wallets as well, but this too has security flaws. For instance, some hardware wallets are coming with preset phrases which unsuspecting customers simply store, without minding the fact that someone somewhere has already stored this phrase and can steal all the funds from this particular hardware wallet. Never accept any wallet where the seed phrase has been preset for you! The seed phrase scheme is only secure when you’ve generated the words in a secure, malware-free, computer. Preferably one disconnected from the Internet!
This is just one example of precautions users of any cold storage scheme must take. The safest system is one where you keep non electronic storage of keys, this kind of storage does not depend on energy or batteries, nor can it be accessed from the Internet.
Lastly, but not less important, remember to leave your loved ones a way to recover your cryptos should something happen to you. Always have someone in the know about how to recover and spend funds should emergency happen. We certainly hope that is never needed, but one can never be too careful. Perfectly secure storage systems can be awesome while you are healthy, but they can also be an intractable obstacle for your loved ones if you do not leave them clear and concise instructions on how to proceed should disaster strike.
We hope these simple tips help you create a safe storage scheme for your cryptocurrency. The same advice is valid for any altcoin, with some slight variations between schemes.
Safe vault image credit: ahobbit