Designing, setting up and perfecting the cryptocurrency security of your own personal custody solution is a complex and multifaceted problem. Everyone has unique requirements, has unique technical capabilities, various available resources and circumstance so there are many different ways you can design and build them.
As the amount of funds being secured grows, so should the requirements around securing them. From a simple single signature Hardware Wallet setup, all the way up to Multisig Wallet setups that are geographically distributed over thousands of kilometers or have time delayed locking mechanisms in place.
At the same time it’s also important to ensure that the resulting solution isn’t overly complex and with so much security that it locks the owner out of their funds forever. While there are always extreme security situations such as kidnapping, evil maid attacks, stolen Hardware Wallets or the dreaded physical duress attacks, these should be carefully weighed up against the probability of them actually happening in real life, and the complexity of the custodial solution used to combat them.
Contents
A Three Part Series
For those that have a modest amount of funds or that are simply starting out, we recommend a single signature Hardware Wallet. This simple, but highly secure custody solution is an excellent starting point and is perfectly fine to secure your funds.
For the more advanced investors that are holding serious investments, we’ve written this three part series to help guide you through the full consideration, design and practical options that will ensure maximum security whilst not over complicating things.
In this first article we’re going to cover the main things you should consider when designing your own personal cryptocurrency custody solution. In successive articles we’ll dive into industry best practices and what your solution is recommended to have when it comes to storing serious investments.
Then finally we’ll be going through an example top tier level solution you can deploy yourself. This will be similar to what the big boys and girls use to custody billions of dollars of bitcoin and is based off hundreds of hours of research and investigation into some of the top custody solution standards out there.
Yes, these guides are for very, very serious investors!
This is the first part of our Expert Bitcoin Multisig Vault series. You should also read the second (Bitcoin Multisig Vaults) and third (How To Setup A Bitcoin Multisig Wallet) parts too!
Terminology
Before getting started on design considerations, we’d like to make it clear what we mean when we use certain terms. These are quite standardized across the Bitcoin industry, but for clarity and for those perhaps not already aware we thought we’d briefly go over them again:
- Private Key (xPriv): A very large (256 bit), randomly generated number that represents a cryptographic Private Key that’s used to prove ownership and spend funds. This large, random number is converted into groups of 4 numbers sets which are then converted into a set of 12 or 24 words called a Mnemonic Sentence. While there are specific meanings for things like Extended Private Key, Seed Phrase, Mnemonic Sentence, Keys etc, they all get used to essentially mean the same thing
- Public Key (xPub): While private keys are used to spend your funds, public keys are used to receive funds. Public keys are generated from the private keys and then from that public key a Bitcoin Address is generated. This is where the funds are then sent to in the Bitcoin network. Public keys can be shared with anyone, however sharing them can effect your privacy
- Recovery Seed: A physical copy of your Mnemonic Sentence (the 12 or 24 words) usually either written down in pencil on laminated paper, or stamped into a metal seed plate for increased durability
- Passphrase: A 13th or 25th word for the Mnemonic Sentence that is chosen by the user. This is generally not considered to be best practice to use for large funds as it creates a single point of failure. If used, they should be generated by a good source of entropy and be at least 20 characters or more long
- Hardware Wallet (HW): A physical hardware device such as a COLDCARD Mk4 or BitBox02 that is used to generate and store your Private Key. They’re also used to sign transaction with the Private Key
- PIN: A code used to protect your Hardware Wallet that is chosen by the user
- Key Agent: A person or company that you involve in your custody solution to hold one of your Private Keys. They could be a specialized key storage company that charges a fee or a family member
- Single Signature Wallet: A wallet that only requires 1 Private Key signature in order to authorize the spending of funds. It’s not recommended to use these for large fund amounts
- Multisig Wallet: A wallet that requires multiple Private Key signatures in order to authorize the spending of funds. This takes the form of M-of-N, where you need M keys to sign out of a total of N keys. For example, you can have 2-of-3 multisig wallet where you have 3 keys, but only 2 are required to sign a transaction and spend funds. Note you also need a copy of the Wallet Output Descriptor file
- Wallet Output Descriptor: Also called a Multisig Wallet Configuration File, it’s a piece of paper or digital file that contains the collections of output scripts used by a multisig wallet. This is used to tell your wallet software how to find your multisig addresses and to build the spend transaction. You must have this file along with the minimum number of signing keys (M) to spend funds in a multisig wallet
- Vault: A name typically given to a custody solution that is meant for long term holding and storage of funds. Vaults are prioritized for safely storing funds at all expense and are usually multisig wallet setups with the Private Keys stored in geographically separate locations
With that formal terminology out of the way and everyone on the same page, let’s dive straight into all the various considerations you should be thinking about during the design process.
Don’t Shitcoin
The most common ways that people lose their bitcoin is by trading altcoins. This isn’t a “bitcoin is better than altcoin” argument, it’s just the reality of the world. People that trade altcoins statistically have a higher probability of losing their bitcoin.
This is due to a variety of reasons such as individuals keeping their funds on exchanges that then go Bankrupt, getting sucked into gambling with their funds and loosing it, converting it to other cryptocurrencies that then go to zero over time, severely increased hacking risks due to using many different poorly designed wallets, getting too risky with leverage or arbitrage and much more.
As such, a primary consideration of a custody solution should be to ensure that it’s fully and permanently separated from any other altcoin funds. We heavily recommend not using any altcoins ever for maximum security.
Complexity Is The Enemy Of Security
Stefan Thomas bought 7,002 bitcoin way back in 2011, storing them in a bitcoin wallet which was secured on a Kingston IronKey USB drive. He then promptly forgot the password. With only 10 attempts to guess it, no one has been able to recover the funds so far
The second most common way people lose their bitcoin is by loosing both a Hardware Wallet and a Recovery Seed card or by overly complicating the custody solution to the point where they lock themselves out. We’ve covered this already in our Lost Bitcoins piece, but in general some of the most common ways include:
- Not backing up your private key at all
- Loss of the private keys (via natural disaster, accident, death etc)
- Loss of the password or login credentials that encrypts the private keys
- Incorrect backing up of your private key (eg writing the words down wrong)
- Incorrect storage of the private key or backup in places like a mobile phone or cloud storage
- Incorrect bitcoin transaction due to wrong locking script or sending to an inaccessible wallet
Basically you’re your own worst enemy. It’s very easy and common for people to overweight big, fancy adversarial attacks like kidnapping or physical duress and as a result, introduce so much complexity that the complexity itself becomes the primary risk factor.
The primary consideration when designing a custody solution is to not over complicate it. Unnecessary complexity is a security threat. You are your own worst enemy. Focus on having fewer well secured locations, rather than many poorly secured locations. Ensure it’s dead simple to understand and use for you, your family and inheritance planning
For example, the risk of a malicious attacker compromising two physically secure key locations and a wallet configuration file in a 2-of-3 multisig wallet is so low that introducing greater complexity by adding keys or additional security measures most often reduces security.
Always remember that your greatest threat is most often the complexity that you yourself create, not a malicious attack.
Future Value & Your Surroundings
Another important consideration to think about when designing your custody solution is what the current or expected future value of your bitcoin will be. While you might not think that $1,000 worth of bitcoin needs a great deal of security now, what about when it’s $100,000?
You should also making this consideration in tandem with the safety status of your country/state/city/neighborhood. Are you in a very publicly exposed house or someone with a publicly facing profile? Is your suburb prone to break ins or are you in a low crime area and close with your neighbors? How often do you leave your storage locations unattended?
This safety also extends to what unexpected natural disasters could reasonably put your seed phrases at risk. Do you live in an area that gets a lot of Earthquakes? Fire? Floods? These along with general safety of your immediate area all combine to help define how you secure your funds.
Maybe you should store your backup or hardware wallet in a families house as they live in a much safer suburb. Maybe it’s not really required to use a multisig setup right now, but you expect your funds to 5x in value over the next few years so you opt to go for the more complex, more secure setup now instead.
Physical Duress & Kidnapping
While it’s much more likely – for most people – that they’ll make a mistake themselves rather than losing their funds to a kidnapping or physical duress attack, it’s still important to consider these scenarios and weigh up how likely they are to happen in your personal environment.
Some countries / areas do have very high rates of kidnapping or physical violence, so it might make sense to overweight your specific custodial setup to be particularly resistant to them, even if it increases complexity a lot. Whatever your circumstances consider the following:
If you or a loved one is under physical duress or a kidnapping scenario, how will your custody solution stand up to this type of attack?
Ultimately if a gun is pointed at your head, you should not be able to transfer 100% of your assets immediately. How you configure you custody solution to achieve this (or not) is up to you and the likelihood that it might happen. There are many tools out there to help with this from geographically diverse multisig to various trick PINs that many leading hardware wallets have.
Storage Locations
Many people use their family or friends as storage locations for their backups or devices. While these locations are normally very convenient and free, we’d advise that you think deeply about the type of potential harms way you’re putting your loved ones in and how comfortable you are with that, if there ever was an attacker with a gun.
Again, this risk needs to factor in things like your immediate areas risk to break ins, size of funds now or in the future and how capable they are at fending off attackers.
Furthermore, these types of locations usually have little to no physical access controls such as locks, safes, security alarms or cameras and most importantly, guards with guns. It’s recommended that these types of locations are avoided for seriously large fund amounts or at least used with some type of physical access controls such as a fire proof safe.
If relying on a trusted family member or friend, the person should also always be aware of the nature of what he or she is asked to secure. This is so that they can make an informed decision of if they want to be part of the custody solution and also so that they’re aware of how important the information / equipment is and don’t just loose it or accidentally throw it out.
It’s not uncommon for a family or friend to not properly take care of the backup over the many years they might store it for you. Maybe they forget where they hid it. Maybe a spouse, child or hired cleaner finds it, doesn’t know what it is and throws it out. Maybe it just gets damaged beyond usability due to carelessness.
If you’re considering other potential locations to store your Hardware Wallets, seed cards or encrypted backups, think about both the physical access controls that location provides as well as the authentication controls. A good storage location should always have both!
100 guards with guns is of no use if they don’t also check that it’s actually you and not someone impersonating you!
There should be multi-factor authentication systems in place to ensure criminals cannot impersonate you as well as physical access controls to secure your critically sensitive data with places like Private Safety Deposit Boxes (PSDB) being an excellent choice for storing a single key in a multisig wallet setup.
Unfortunately, there’s not really a “perfect” solution to where to store your backups or various private keys. On one hand, family and friend locations are great as there’s no KYC, no cost and you usually trust the person a lot. They have excellent authentication controls as they know you best. However using these locations can put your loved ones at risk and aren’t nearly as secure as formal businesses with safes, 24/7 guards and cameras.
Professional businesses that specialize in secure storage however require KYC, cost money and have their own issues. Bank safety deposit boxes are well known to not be safe from government forfeiture and even if that doesn’t happen, there are certain privacy risks involved when a random company has your private information like name, biometric data and so on.
Cryptocurrency Security Is An Onion
That’s a lot of considerations to, well… consider! As you go through each of them, ensure that whatever design you come up with isn’t over complicated.
Instead, your custody solution should have many ringed fences that are simple, but give excellent protection to you and your funds. Each layer should be a different type of protection that attackers must penetrate with the outer most one being an extremely high level of general privacy for your life and finances.
Inside this general privacy layer might be a strong physical security layer in your house such as locks, security doors, security cameras, a dog and so on. Inside that layer could be a geographically diverse multisig wallet. Inside that might be strong computer security such as using randomly generated, unique and long/complex passwords for all services.
Inside that might be formal processes for accessing and spending the funds. Inside that might be ongoing study on common Bitcoin Scams to ensure you’re always aware of new threats and can defend against them. Inside that might be robust routine maintenance schedules to ensure your devices, seed phrases and more are well maintained, in good working order and replaced before critical failure occurs.
You don’t want 10,000 layers and you also don’t want layers that are so complex they require you to travel the globe and steal the declaration of independence in order to figure out how to recover your seed phrase.
You should have multiple layers and each one should be simple, powerful and aligned with standardized best practices that have been battle tested over decades.
In the second part of this series we’ll be going over some of the top cryptocurrency custody solution standards that are available. From how public companies that secure billions in bitcoin operate, to industry standard custody designs we’ll be going through what you should and shouldn’t do when designing your own setup.
>> Second Part: Bitcoin Multisig Vaults: How To Secure Billions Of Dollars In Bitcoin