You can store incredible wealth in the mysterious digital realm that is Bitcoin. It’s an amazing power. But. With great power comes great responsibility and the single most important responsibility you have is learning how to protect your Bitcoin private keys. This comes in 3 forms:
- “Protect” as in should you hold your own private keys or let someone else do it?
- “Protect” as in which Bitcoin Wallet should you use? Software, Hardware etc
- “Protect” as in which Seed Phrase backup system should you use?
We’ll be covering all three parts in this guide and more, as they’re all crucially important aspects to keeping your precious coins safe and sound through out the years.
Contents
Understanding Private Keys
Last week we covered Bitcoin private keys vs public keys in What Are Public And Private Keys? We also covered how to get a private key for Bitcoin but if you haven’t read it yet please do so, as you can’t protect what you don’t understand. It should only take you around 6 minutes or so then you can continue on with this piece. For those too lazy to click a link though…
Public and private keys are what makes up Public-Key Cryptography. In general private keys are used to encrypt data then on the other end the corresponding public key is used to decrypt it. Public and private key cryptography has been around for much longer than Bitcoin and is used in many applications and networks such as the End-to-End (E2E) encryption you see used in messaging applications like Signal.
When it comes to Bitcoin, the private key is used to prove unique ownership of your bitcoins. It’s what’s used to create the signature which authorizes the spending of the funds and as such, should be kept secret at all times. While anyone can view bitcoin funds, only those with the unique private key can spend them.
Without the private keys you don’t actually have control over anything. This is why the saying “not your keys, not your coins” came about. Allowing someone else to custody or hold the private keys to your funds (like centralized exchanges that go bankrupt do) means you own zero bitcoins.
It’s incredibly important that you never share your private keys with anyone, ever!
Understanding what and how important your private keys are should now hopefully make it crystal clear that when it comes to the first “Protection” form, the answer is that you should always hold your own private keys and never let anyone else do it.
Different Bitcoin Wallet Types
With that first point out of the way we now turn to which type of wallet you should use. We have also covered this in significant detail under What Is A Bitcoin Wallet? but our top recommendations are:
- Desktop: Sparrow, connected to a Hardware Wallet
- Mobile: BlueWallet, connected to a Hardware Wallet
If you’re not familiar with all the different wallet types out there, here are the main types:
- Hot Wallet: A wallet that runs on any online computer, phone, exchange or other program and has no hardware wallet protection. They can be custodial or non-custodial and most Bitcoin wallet software out there is a hot wallet. As the private keys are kept in the software, they are highly vulnerable to malware or hackers. It is recommended not to keep a large amount of funds in hot wallets.
- Cold Wallet: A wallet that runs on any online computer, phone, exchange or other program and has hardware wallet protection. They can be custodial or non-custodial and as the private keys are kept physically separate from the software, they are highly resistant to malware or hackers.
- Mobile Wallet: A wallet that runs exclusively on your phone. They can be custodial or non-custodial and even integrate with a hardware wallet device via USB or Bluetooth for added security. Some examples include Electrum, Nunchuk and BlueWallet
- Browser Extension Wallet: A wallet that runs exclusively in a web browser extension program. They can be custodial or non-custodial but are usually non-custodial and don’t use hardware wallet protection. As the private keys are kept in the software, they are highly vulnerable to malware or hackers. It is recommended not to keep a large amount of funds in browser extension wallets.
- Exchange / Web Wallet: A wallet that runs in a website, similar to how a bank runs your bank account. These are usually custodian and don’t use hardware wallet protection. They also introduce third parties (the ones that own the website / exchange) and thus bring even more risks. It is recommended not to keep any amount of funds in exchange or web wallets. Some examples include Coinbase, Binance, Blockchain and BitGo
- Desktop Wallet: A wallet that runs exclusively on your desktop computer. They can be custodial or non-custodial and even integrate with a hardware wallet device via USB or Bluetooth for added security. Some examples include Sparrow, Electrum and Specter.
- Multisig Wallet: A wallet that can only spend the funds when multiple private keys are used together, instead of a single key, avoiding a single point of failure. These private keys can be spread across multiple software and/or hardware wallets, each with their own single private key. They are usually non-custodial, but there are some services which can take custody of one of the multiple private keys for additional security called multicustodial wallets. They are the most advanced wallet type and introduce a few extra complexities in order to increase the security. For example a 2-of-3 multisig wallet might have your private keys spread across three separate hardware wallet devices. Any two are required to move the money but the loss of any one does not result in loss of money.
Even though there are many different types of Bitcoin Wallet options as listed above, if you’re storing any meaningful amount of funds that you care about losing it’s recommended you make sure it’s:
- Non-Custodian: Make sure you always have full control of your private keys
- Reputable: Make sure you fully research and vet the wallets reputation and history. There have been many cases of malware disguised as wallets that steal your bitcoins, so do your research carefully before deciding which one to use and trust. This also goes for any hardware wallet devices you use
- Standardized: Make sure it supports the BIP39 standard and is generally not proprietary. Ideally you want it to be open source software that has been vetted by trusted security audits and the bitcoin community over many years
- Verifiable: Make sure it allows you to verify the signature of the manifest files with PGP keys as well as a shasum to confirm the authenticity of the binaries. This ensures that the software files you’re downloading are actually from the developers and haven’t been secretly replaced by hackers. An example of this info can be seen here
- Backup: Make sure it has robust backup and restore capabilities built into it
There are many more features that wallets have such as fee control, Coin Control, password protection, Tor and Full Node connectivity and more. We will be covering all of this in future pieces so stay tuned!
How To Protect Your Bitcoin Private Key
To address the final and most difficult part we must consider how to protect and backup your Mnemonic Sentence or Seed Phrase. While backing up 12 words is a pretty simple task, the smallest error can be catastrophic. Over the course of a decade people everywhere have been inventing and testing how to do this and there’s been a lot of failures with a lot of Lost Bitcoin.
You don’t need to be a cryptography expert to protect your keys though as there’s some very straight forward, industry best practices to do it now. However there’s also no magical single solution we can give as everyone has different requirements, technology capabilities and most importantly balance amounts.
Yes, we said there are multiple correct solutions for this problem. To help stop analysis paralysis, we recommend following the appropriate advice for your given funds amount.
Level | Beginner | Advanced | Expert |
---|---|---|---|
Funds Amount | Pocket Money | Savings Account | Serious Investments |
Exchange Type | Non-KYC | Non-KYC | Non-KYC |
Wallet Type | Software (Hot) / Hardware (Cold) | Hardware (Cold) | Hardware (Cold) |
Signature Type | Single Signature | Single Signature | Multisig |
Key Custody | Self Custody | Self Custody | Self Custody |
Key Backup | Laminated Paper | Laminated Paper | Metal Seed Plate |
Key Locations | 1+ | 2+ | 2+ |
Key Security | None | Fire Proof Safe | Multiple Methods |
Own Full Node | No | Yes | Yes |
Electrum Server | Public Electrum toggle_on | Private Electrum toggle_on | Private Electrum toggle_on |
Tor | No | Yes | Yes |
So for example, if you have $50,000 USD in bitcoins, you should absolutely have full custody of your own private keys, be using a hardware wallet (signing device) and those bitcoins should be safely stored in it.
For that single signature hardware wallet the private key backup should exist in 2 different (secure!) locations, be written on laminated paper (or metal seed plate) and be properly secured in tamper evident bags.
Some suggest multisig wallets and they are fantastic and even more secure, but they come with more advanced setup and backup requirements which novices can get wrong. So we don’t recommend them until you’ve learned quite a bit more about How Bitcoin Works and have a firm grasp on all aspects of it. If your funds are in the Expert level though, either Learn About Bitcoin or hire someone to assist you.
Terrible Ways To Protect Your Bitcoin Wallet
There are now entire industries all centered around protecting your 12 or 24 words with no shortage of experts and guides telling you how to protect your bitcoins from hackers or what to do with your bitcoin private key. Don’t rely on them.
As there’s pretty much an infinite ways to backup 12 or 24 words this results in there being pretty much infinite suggestions, guides, lists and posts online telling you how to do it. Most of them are severely flawed though and we’ll go into more detail about why below.
You shouldn’t just “trust” us either! We only focus exclusively on Bitcoin. This, together with our independent financing we believe makes us one of the top tier sources of Bitcoin education on the Internet, but that doesn’t mean we don’t get things wrong.
Verify, don’t trust and seek second and third opinions from other leading sources that aren’t “crypto exchanges” or other businesses with vested interests.
OK! Let’s dig into some of the most popular (terrible!) ways to protect your crypto private keys! Knowing what not to do is just as important as knowing what to do.
- Shamir’s Secret Sharing: This involves splitting up a single seed phrase into multiple encoded parts which you then hide. At a later date if you need to recover your wallet, you only need a subset of the hidden parts to reconstruct the full backup. Unfortunately, SSS greatly increases complexity which can itself cause failure of the backup while at the same time cause other issues such as reduced ability to audit and confirm the backups originality, difficulty for other (authorized) people such as next of kin to recover the backup and even reduced security. We go into much more detail on the pros and cons of SSS in our in depth review of the Cypherock X1, so have a read of that before you consider implementing it
- Brain Wallets: This is where you remember the seed phrase exclusively in your brain only and never actually write it down. This is terrible because at any given time you could forget it, get brain damage, die or have any other number of things happen that all result in the total loss of your bitcoins. One potential use for this though is if you are fleeing for your life and want to take your wealth with you without having any physical device like a laptop or hardware wallet with you as they may be confiscated or stolen
- Paper Wallets: This is a very old technique where you print out your Public And Private Keys onto a piece of paper, often with a QR code. It’s an old way of creating Bitcoin wallets which usually involved poor Java programs that didn’t generate properly random seeds and thus, created insecure wallets. If you try and do this, there’s a non-trivial chance that your funds will be stolen almost immediately
- Cloud Storage Backup: As outlined in the Seed Phrase Security section of our Bitcoin Wallet piece, you must always make sure your seed phrase never interacts with or is entered into any computer device, ever! This includes taking a photo of it, entering it into a computer or phone, printing it, copying it with a printer or storing it in digital form of any kind including in the cloud. It doesn’t matter if it’s encrypted. Never give your seed phrase a digital form of any type!
- Rolling Your Own: Throughout the years many have come up with their own, special unique way to store or secure their seed phrase. It’s more often than not a terrible idea. You’re not smarter than the legions of highly trained and tested nutters out there that live and breath OPSEC daily. Use their experience and follow industry standard best practices
- Randomizing Your Seed: Some people thing mixing up the seed words will make their seed phrase secure. This is not true as once an attackers has your 12 (or more) words that they know contain your wallet, they can just run through every combination for those specific words in no time at all and steal your funds
- Only Having 1 Copy: Terrible idea. Terrible. Unless you are a true Beginner and have a small amount of funds that you truly don’t care about, then make sure your seed phrase is recorded in at least 2 secure, physically separate places. This protects your funds from things like fire, flood or earthquakes
- Seed Splitting: Others think splitting up their seed phrase will help with security. Unfortunately it just means that you’re more likely to be locked out of your wallet if you ever need to recover it and can’t get a hold of one of those split up backups
Passphrases
While not as complex as a Multisig wallet, a Passphrase is also another additional security measure you can use. Passphrases are a 13th or 25th word that is appended to the end of your Mnemonic Sentence and create an entirely new wallet separate from the wallets initial 12 or 24 words.
These provide moderate protection for your Mnemonic Sentence as it’s a simple way you can give someone your 12 words without that other person being able to access or spend any of your funds. The downside though is that you now have two single points of failure in your backup system. Loose either the Mnemonic Sentence or Passphrase and you loose access to your funds!
Deciding if the pros outweigh cons is something we’ll leave up to you, but always in general consider this balance of security and complexity. For the vast majority of people, the main way they end up loosing their bitcoins isn’t through theft or hacking, it’s through locking themselves out.
Whether it’s through forgetting a Passphrase, loosing your Mnemonic Sentence backup or 100 other things, make sure you properly evaluate what the most likely ways you personally might loose your funds and then optimize for protecting that in the simplest way possible.
Also be aware that for a Passphrase to be effective, it should be random and long. Think 15+ characters, generated randomly by a password manager or hashing algorithm. Ensure you write it down and make family aware of it in case something happens to you.
More Security Precautions
We’re not done yet! There’s even more to know:
- Backup your wallet regularly
- Enable App (not SMS!) based Two Factor Authentication (2FA) on anything you can
- Encrypt the software wallet part of your setup with a strong, unique password
- Keep your computers, application and hardware wallets software/firmware up to date
- Never send, receive or post information on social media about your wallet setup. Ever!
- If you Send Bitcoins regularly, do it from another wallet with small amounts in it
- Only buy a hardware wallet directly from the original vendor. Never buy or accept used ones or ones from third parties. They’re almost always scams!
- Never use a pre-generated seed phrase, even if it’s included with your hardware wallet on an official looking piece of paper. This is a scam. You should set up your wallet alone and your hardware wallet should generate your unique seed phrase for you
Always be aware of scams and other threats such as phishing, malware or social engineering. There is never any reason for you to share your Bitcoin Private Key. Ever. To help with this, we have a huge, in depth list of the most common Bitcoin Scams to watch out for.
Test Your Backup!
Finally, one of the most important things to do when it comes to protecting your Bitcoin private key is testing that it actually works! There’s no point having the most perfect system in the world if, when the all important time comes, you try and restore your wallet and it fails. So, during the setup of your wallet:
- Have your software/hardware wallet generate a new wallet
- Create your Seed Phrase backups however you deem is best
- Send a small amount of bitcoins into the wallet, something like $5
- Completely delete your current wallet and reset your hardware wallet
- Using just your Seed Phrase backup, recover your wallet and check your funds appear
- Finally (a very important step!) make sure that you can spend your funds
If you can regenerate your software/hardware wallet exclusively from your backup and spend funds from the wallet then you have a fully tested backup system ready to go!
FAQ
Should You Trust a Custodial Wallet?
No. While not specifically stated in the Bitcoin Whitepaper, the general ethos of Bitcoin is that you should always have custody of your bitcoins and hold your own Private Keys. You should be the only one that holds the private keys as otherwise you have to place your trust in other third parties.
When a wallet is “custodial” it means you only have access to your bitcoins if that third party allows you to. If they think you have done something wrong, don’t like where you want to send your bitcoins, think you have violated their T&Cs, are forced by a government or simply just go bankrupt or get hacked you will lose access to your funds.
This isn’t just theoretical either, people have repeatedly lost all their bitcoins that were stored with these third party companies through hacks, employees disappearing with customer funds (fraud), CEO’s dying and losing the access to the funds and lately, degenerate and greedy gambling of customer funds.
Not your keys, not your coins!