Welcome!
This article has been highly requested and I am excited to bring this deep dive to you all right before Christmas. As a crypto holder you need to become comfortable using a hardware wallet; for those of you who get some extra Christmas $$$ this week, think about purchasing one to secure your crypto assets.
This article will feature a special write-up by BowTiedSwan, one of the smartest anons I know. Each section for the 3 different wallets will feature pros, cons, and links to take you directly to their site.
Intro
A hardware wallet is a device that enables you to be the sole owner of your crypto assets. The device generates a “private key” that allows you to sign your transactions. You are in charge of the funds through the device. The device gives you secure access to your digital assets at their respective addresses on the blockchain (Ethereum, Bitcoin, etc.). You are not “downloading” your crypto onto the device.
When you keep your coins on Coinbase, Binance, Crypto.com, and all other centralized exchanges you leave them vulnerable to bad actors. Worst part of all? You don’t own the coins, the exchange does because the exchange has your keys.
Those CEXs like Coinbase (aka - CONbase) are prime targets of hackers and leaving your assets on there *can* result in you losing your funds. Another thing to think about: by keeping your assets on the exchange you are also leaving your coins subject to the terms of the CEX. This can be seen in many scenarios where the exchange changes the withdrawal terms. By leaving your assets on there you are restricted in what you can transfer and you can’t move all your crypto out.
They can rob you out of a portion of your holdings by increasing fees, so you end up losing more of your funds than you should. Ultimately, by leaving your assets in the hands of the exchanges you are choosing to irresponsibly “own” crypto.
Crypto Example: A very familiar example of user restrictions comes from Binance back in July.
TradFi Example: Remember when Robinhood and TD Ameritrade restricted the trading of $GME $NOK $BB? Retail suffered and had no power or control over that situation. Don’t let the same thing happen to you again in crypto.
By using a hardware wallet you empower yourself and become the sole bearer of your assets → the entire point of crypto. A hardware wallet thereby makes you your own bank. You decide what happens to the funds. You can send ETH to your online MetaMask wallet and use that to connect with DeFi protocols where your crypto becomes productive.
When I am using my hardware wallet I am using it to store and secure my funds. I do not use it as a computer so to speak, it is used specifically for storage. Ledger and Trezor are the most popular hardware wallets in the industry right now. Each wallet supports various cryptocurrencies.
The Coldcard, a hardware wallet made by CoinKite, is a bitcoin-specific hardware wallet. It does not support anything other than bitcoin and is more complex than Ledger and Trezor. These are not as easy to use as Ledgers or Trezors. They are complex to learn at first but it is very much worth it. I use this specifically for BTC holdings and wouldn’t recommend another way, it's the best.
General Advice for Hardware Wallet Use
Personally, I use multiple hardware wallets. I don’t think it is wise to “put all your eggs in one basket” when it comes to self-custody.
With hardware wallets, your “private keys themselves are never handled by the user, instead the user will typically be given a seed phrase that encodes the information needed to regenerate all private keys associated with the wallet.” (CoinKite)
Do not under any circumstance share your seed phrase (recovery words) with anyone. Ideally you want to use a metal plate/seed plate to record the phrase. Have backups for the phrase and your password recorded and stored in separate locations.
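To make concrete what the CoinKite quote means by "encodes the information needed to regenerate all private keys", here is an added example (not Ledger, Trezor or Coinkite code) that follows the two public standards every one of these wallets implements: BIP39 turns the recovery words plus an optional passphrase into a 512-bit seed, and BIP32 turns that seed into the master private key and chain code from which every address is derived. The mnemonic and passphrase below are the public BIP39 reference test vector; `wallet_fingerprint` is a constructed helper for this example, not the BIP32 fingerprint.

```python
"""What a seed phrase encodes: BIP39 mnemonic (+ passphrase) -> 512-bit seed via
PBKDF2-HMAC-SHA512, then BIP32 seed -> master private key + chain code via
HMAC-SHA512. Added example; not Ledger, Trezor or Coinkite code."""
from __future__ import annotations
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 curve; BIP32 requires the master key to lie in [1, n-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512(NFKD(words), "mnemonic" + NFKD(passphrase), 2048 rounds, 64 bytes)."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, 64)


def bip32_master(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32: I = HMAC-SHA512(key=b"Bitcoin seed", data=seed).
    Left 32 bytes = master private key, right 32 bytes = chain code."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    master_key, chain_code = i[:32], i[32:]
    k = int.from_bytes(master_key, "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key; BIP32 says this seed must be rejected")
    return master_key, chain_code


def wallet_fingerprint(seed: bytes) -> str:
    """Constructed, non-secret identifier for 'which wallet does this phrase open':
    first 4 bytes of SHA-256 over the chain code. Not the BIP32 master fingerprint."""
    _, chain_code = bip32_master(seed)
    return hashlib.sha256(chain_code).hexdigest()[:8]


# Public BIP39 reference vector: entropy of all zero bytes, passphrase "TREZOR".
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")

if __name__ == "__main__":
    seed = bip39_seed(TEST_MNEMONIC, "TREZOR")
    print("seed matches BIP39 vector:", seed.hex() == TEST_SEED_HEX)
    # A different (or mistyped) passphrase opens a completely different wallet,
    # which is why the passphrase needs a backup just like the words do.
    for pw in ("TREZOR", "trezor", ""):
        print(f"passphrase {pw!r:9} -> wallet {wallet_fingerprint(bip39_seed(TEST_MNEMONIC, pw))}")
```

The point for backups: the same 24 words with a different passphrase (even a case change) derive an unrelated seed, so a backed-up phrase without its exact passphrase restores an empty wallet.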
Have designated secure locations where you are storing your seed phrases and hardware wallets (don’t put all your eggs into one basket). These should be in locations that are accessible to you, and are hidden and secure. A safe with passcode access is preferred.
If you want to take extra precaution, ship *any* crypto related item to an address that is not your home or your work and use a discreet payment method (Ex: visa gift card purchased with cash).
Note: This does not make you a “shadowy super coder”.
Currently it can take up to 3-4 weeks for your hardware wallet to arrive at your mailing address, so don’t wait too long to order.
Ledger (Link)
I personally use this device. It is reliable and simple.
The interface of Ledger Live is very easy to understand and navigate. You download this to your laptop and will use Ledger Live to download the Ethereum “application” and the Bitcoin “application” and whatever other crypto you own so you can access their blockchains and move your crypto off of the CEX.
Trezor (Link)
Same idea as above. Trezor interface is very easy to understand and navigate. You download this to your laptop and will use it to download the Ethereum “application” and the Bitcoin “application” and whatever other crypto you own so you can access their blockchains and move your crypto off of the CEX.
Comparing Trezor and Ledger
At the end of the day the decision between a Ledger and Trezor comes down to preference. For me, I chose the Ledger Nano X because it has more of what I like in a hardware wallet. It supports more cryptocurrencies and I liked the interface more than Trezor’s.
This brings us to our guest of honor, BowTiedSwan with a special analysis of the Coldcard!
Coldcard
By: BowTiedSwan
Intro:
Hi anons, Swan here. I’m going to do a deep dive into the Coldcard wallet, which I’ve not personally used yet, but whose extra paranoid security measures piqued my curiosity, so there's no better way to learn something than to write about it.
What is Coldcard
Coldcard is a Bitcoin-only hardware wallet with a Jamesbondesque emphasis on security, developed by Coinkite.
The number of security features is mind-boggling, so instead of going over each one at the beginning, we’ll review the main ones, security scenarios, some background on the company, and how they tie together. I will list those features with more resources at the end.
What makes it different from Ledger or Trezor
- Tamper evident packaging and software:
- Packaging is sealed with the serial number embedded in the hardware
- Sensitive parts are covered in epoxy, which makes physical modification of components harder and obvious upon inspection.
- Anti-phishing words: Coldcard uses a two-part pin like 2344-7543, after you enter the first 4 digits you will be shown two words that are factory set (which you must memorize). If anyone were to swap your Coldcard with a compromised one, the two words would be different.
- Uses a “secure element”, a second chip separate from the main microprocessor's memory, for storing the 24-word seed phrase. This SE enforces a maximum of 13 PIN attempts, after which it will brick itself, lingo for self-destruction. The seed phrase is encrypted using a one-time pad which only the main microprocessor knows (if you want to find out what that means in long form, I challenge you to read Cryptonomicon by Neal Stephenson).
- Air gapped, the only connection to the real world is an SD card slot for signing transactions.
- Allows for offline transactions
- Login countdown (up to 28 days): After you input your pin, a countdown starts which is shown on the screen. From minutes to days, you and your new friends will have to wait until being able to access the funds (you’ll need to input the pin a second time). Enough time for the police to come by.
- Duress pin: you can input a different pin that gives access to a secondary wallet with fewer funds.
- Brick me pin: “fries” the device’s chip, stopping coercive attacks. The nuclear option.
- Caution lights: a green light is shown during operation if the firmware hasn’t been modified. The circuit controlling this light is part of the secure element, which can’t be overwritten. Any outside tampering will make this light shine red.
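To see how the PIN-related features in the list above fit together as one policy (two-part PIN with anti-phishing words after the prefix, the 13-attempt budget before the chip bricks itself, the duress PIN, the brick-me PIN and the login countdown), here is an added, simplified model written for this article. It is not Coldcard firmware and does not speak the real secure element's protocol; the word list, the PINs and the `clock` injection are constructed for the example. The anti-phishing words are computed from a per-device secret and the PIN prefix, which is what makes a swapped device show different words.

```python
"""Simplified model of the PIN policy described above: two-part PIN with
anti-phishing words after the prefix, a 13-attempt budget before
self-destruct, a duress PIN that opens a decoy wallet, a brick PIN, and a
login countdown. Illustrative code only, not Coldcard firmware."""
from __future__ import annotations
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 13  # attempts the secure element allows before bricking, per the article

# Constructed stand-in word list; the real device draws from a far larger one.
WORDS = ["apple", "brick", "cedar", "delta", "ember", "flint", "grove", "harbor",
         "ivory", "juniper", "kettle", "lantern", "maple", "nickel", "orbit", "pepper"]


class SecureElementModel:
    def __init__(self, main_pin: str, duress_pin: str | None = None,
                 brick_pin: str | None = None, countdown_s: int = 0,
                 clock=time.monotonic, device_secret: bytes | None = None):
        # Per-device secret fixed at manufacture; it never leaves the chip.
        self.device_secret = device_secret or secrets.token_bytes(32)
        self._pins = {"main": main_pin, "duress": duress_pin, "brick": brick_pin}
        self.countdown_s, self.clock = countdown_s, clock
        self.countdown_until: float | None = None
        self.failed = 0
        self.bricked = False

    def anti_phishing_words(self, prefix: str) -> tuple[str, str]:
        """Words are a function of this device's secret and the PIN prefix, so a
        swapped or counterfeit device cannot reproduce the pair the owner memorised."""
        tag = hmac.new(self.device_secret, prefix.encode(), hashlib.sha256).digest()
        return WORDS[tag[0] % len(WORDS)], WORDS[tag[1] % len(WORDS)]

    def _is(self, kind: str, pin: str) -> bool:
        expected = self._pins[kind]
        return expected is not None and hmac.compare_digest(expected, pin)

    def _brick(self) -> None:
        """Self-destruct: wipe the secret and every PIN; nothing is recoverable."""
        self.bricked = True
        self.device_secret = b"\0" * 32
        self._pins = {k: None for k in self._pins}

    def login(self, full_pin: str) -> str:
        """Returns 'main', 'duress', 'countdown', 'denied' or 'bricked'."""
        if self.bricked:
            return "bricked"
        if self._is("brick", full_pin):          # nuclear option, chosen by the owner
            self._brick()
            return "bricked"
        if self._is("duress", full_pin):         # decoy wallet holding a small balance
            self.failed = 0
            return "duress"
        if not self._is("main", full_pin):
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:      # budget exhausted: guessing is pointless
                self._brick()
                return "bricked"
            return "denied"
        self.failed = 0
        if self.countdown_s:                     # correct PIN, but the delay must elapse
            now = self.clock()
            if self.countdown_until is None:
                self.countdown_until = now + self.countdown_s
                return "countdown"
            if now < self.countdown_until:
                return "countdown"
            self.countdown_until = None          # second entry after the delay unlocks
        return "main"


if __name__ == "__main__":
    dev = SecureElementModel("2344-7543", duress_pin="2344-1111", brick_pin="2344-0000")
    print("prefix 2344 shows:", dev.anti_phishing_words("2344"))
    print(dev.login("2344-7543"), dev.login("2344-1111"), dev.login("2344-2222"))
```

Two design details worth noticing: PIN comparison uses a constant-time compare, and a correct main PIN during the countdown does not unlock anything, it only starts or checks the timer, so possession of the PIN is not sufficient on its own.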
Who is behind Coinkite
Founded in 2012, currently there appear to be three public employees on LinkedIn, two being the founders, Rodolfo Novak and Peter Gray, its CTO. While this could raise some eyebrows, I take it that a company of this nature wouldn’t necessarily want to doxx its employees.
They’ve developed and operated different Bitcoin-related services, from web wallets to enterprise-grade hardware vaults, processing 10% of total daily Bitcoin transactions at a point in 2015 (source)
This points to a deep knowledge of the industry and what looks to be a long-term player, no red flags raised on that front.
Potential weak points?
In November 2020 a couple of security researchers identified a flaw in Coldcard’s multisig process and reported it to Coinkite, which released a firmware update in January.
The bug affected the process by which Coldcard verified it owns one of the listed xpubs (extended public keys) that define public addresses generated by a private key. An attacker could load a file with different xpubs owned by him and Coldcard would interpret it as valid, hence giving it the ability to steal the funds. For a full breakdown, see here.
Earlier, in August 2020, a security researcher found a way in which an attacker could get a user to try signing a testnet transaction that would actually be confirmed on mainnet. A patch was released to close this possibility, although the attack would have required the attacker to know the victim's xpub and the transaction ID to succeed.
More info here
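The multisig flaw above comes down to one invariant a signer must enforce when it imports a wallet configuration: the file must contain exactly one xpub that the device itself controls, proven by re-deriving that xpub locally rather than trusting anything the file claims. The following is an added illustration of that check written for this article, not Coldcard's code and not a reconstruction of the actual bug; real BIP32 derivation is replaced by an HMAC stand-in, and the fingerprints, paths and configs are constructed.

```python
"""Ownership check for an imported multisig configuration: the device must
find exactly one entry whose xpub equals the xpub it derives for itself at
that entry's path, and refuse the file otherwise. Added example; the xpub
derivation is an HMAC stand-in for BIP32, not Coldcard's code."""
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cosigner:
    fingerprint: str   # master key fingerprint (hex) the file claims for this xpub
    path: str          # derivation path the file claims, e.g. m/48'/0'/0'/2'
    xpub: str          # extended public key; an opaque string in this model


def own_fingerprint(device_secret: bytes) -> str:
    return hashlib.sha256(device_secret).hexdigest()[:8]


def derive_own_xpub(device_secret: bytes, path: str) -> str:
    """Stand-in for BIP32 derivation: deterministic in (secret, path)."""
    return "xpub_" + hmac.new(device_secret, path.encode(), hashlib.sha256).hexdigest()[:16]


def validate_multisig(device_secret: bytes, m: int, cosigners: list[Cosigner]) -> int:
    """Return the index of this device's own entry, or raise ValueError.
    The file's claims (fingerprint, path) are only hints; ownership is proven
    by re-deriving the xpub locally and comparing the full string."""
    n = len(cosigners)
    if not 1 <= m <= n:
        raise ValueError(f"bad quorum {m}-of-{n}")
    if len({c.xpub for c in cosigners}) != n:
        raise ValueError("duplicate xpub in config")
    fp = own_fingerprint(device_secret)
    mine = [i for i, c in enumerate(cosigners)
            if c.fingerprint == fp
            and hmac.compare_digest(c.xpub, derive_own_xpub(device_secret, c.path))]
    if len(mine) != 1:
        raise ValueError("config does not contain exactly one xpub this device controls")
    return mine[0]


# --- constructed demo: a 2-of-3 where this device is cosigner #1 ---
DEVICE_SECRET = b"\x07" * 32                      # constructed, not a real seed
PATH = "m/48'/0'/0'/2'"
GOOD_CONFIG = [
    Cosigner("deadbeef", PATH, "xpub_cosigner_A"),
    Cosigner(own_fingerprint(DEVICE_SECRET), PATH, derive_own_xpub(DEVICE_SECRET, PATH)),
    Cosigner("cafef00d", PATH, "xpub_cosigner_C"),
]
# Same file, but the entry carrying our fingerprint now holds a key we do not control.
TAMPERED_CONFIG = [GOOD_CONFIG[0],
                   Cosigner(own_fingerprint(DEVICE_SECRET), PATH, "xpub_not_ours"),
                   GOOD_CONFIG[2]]

if __name__ == "__main__":
    print("good config -> my index", validate_multisig(DEVICE_SECRET, 2, GOOD_CONFIG))
    try:
        validate_multisig(DEVICE_SECRET, 2, TAMPERED_CONFIG)
    except ValueError as e:
        print("tampered config rejected:", e)
```

The fingerprint match alone is not enough, since a fingerprint is just four public bytes anyone can copy into a file; only the re-derived xpub proves the device holds the corresponding key.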
Basic setup
There are no brief ways of describing the setup so I’ll defer to some well-written articles about it:
1. For a simple and clear setup using Electrum, go here https://bitcoiner.guide/coldcard/
2. For a Vitamine Butane level article on Coldcard’s firmware verification, seed phrase generation with dice, seed backup and backup stress testing, go here: https://www.econoalchemist.com/post/don-t-take-chances-rolling-the-dice
Annex: *Almost* all features and more learning resources
- Coldcard firmware: https://github.com/Coldcard/firmware
- Secure element PIN design whitepaper: https://github.com/Coldcard/firmware/blob/master/docs/pin-entry.md
- Secure element specifications: https://www.microchip.com/en-us/product/ATECC608A
- Coldcard CLI and Python interface library: https://github.com/Coldcard/ckcc-protocol
- Modifiable firmware through MicroPython (this allows creating pre-setup transactions,
- https://github.com/Coldcard/firmware/blob/master/docs/dev-access.md
- MicroPython docs http://docs.micropython.org/en/latest/
- Transaction signing: PSBT (BIP0174 standard, https://github.com/bitcoin/bips/blob/master/bip-0174.mediawiki)
- BIP174 allows interoperability between different BTC hardware wallets by creating a binary file format accepted by all wallets (see the second guide below about offline transactions). Offline transactions are simply transactions signed with your private keys on a device not connected to the internet.
- Manufactured in Canada
- SD backup for offline signing. Backups are encrypted using 7z or AES 256. This allows for transfer of unsigned/signed transactions on Sneakernet, which is a cute term for moving digital media on USB sticks, hard drives, etc. through physical means.
- Compatibility with BitcoinCore, Electrum, BTCPay, Casa, BlueWallet, and many others.
- Display masking signal to foil OLED-generated power supply noise.
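The PSBT file format from the list above is what actually travels on the SD card in an offline-signing workflow, and the signer's first job is to decode it well enough to show the user what they are about to sign. Here is an added, minimal BIP174 reader written for this article (not Coldcard's or Electrum's code): it checks the magic bytes, walks the global, input and output key-value maps, decodes the unsigned transaction in the global map, and rejects duplicate keys, non-empty scriptSigs and trailing bytes, all of which BIP174 forbids. The one-input, one-output PSBT at the bottom is constructed inline so the block runs offline.

```python
"""Minimal BIP174 (PSBT v0) reader: walks the global/input/output key-value
maps and decodes the unsigned transaction so a signer can display what it is
being asked to sign. Added example; not Coldcard or Electrum code."""
from __future__ import annotations
import struct

PSBT_MAGIC = b"psbt\xff"
PSBT_GLOBAL_UNSIGNED_TX = 0x00   # key type for the unsigned tx in the global map
PSBT_IN_SIGHASH_TYPE = 0x03      # key type for the per-input sighash flag


def read_compact_size(buf: bytes, pos: int) -> tuple[int, int]:
    """Bitcoin CompactSize varint; returns (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def read_map(buf: bytes, pos: int) -> tuple[dict[bytes, bytes], int]:
    """One PSBT map: repeated <keylen><key><valuelen><value>, ended by a 0x00 byte."""
    entries: dict[bytes, bytes] = {}
    while True:
        klen, pos = read_compact_size(buf, pos)
        if klen == 0:                     # separator: end of this map
            return entries, pos
        key = buf[pos:pos + klen]
        pos += klen
        vlen, pos = read_compact_size(buf, pos)
        value = buf[pos:pos + vlen]
        pos += vlen
        if key in entries:
            raise ValueError("duplicate key in PSBT map")  # forbidden by BIP174
        entries[key] = value


def parse_unsigned_tx(tx: bytes) -> dict:
    """Legacy (non-witness) serialization, as BIP174 requires for the unsigned tx."""
    pos = 0
    version = struct.unpack_from("<i", tx, pos)[0]
    pos += 4
    n_in, pos = read_compact_size(tx, pos)
    inputs = []
    for _ in range(n_in):
        txid = tx[pos:pos + 32][::-1].hex()          # displayed big-endian by convention
        vout = struct.unpack_from("<I", tx, pos + 32)[0]
        pos += 36
        slen, pos = read_compact_size(tx, pos)
        if slen != 0:
            raise ValueError("unsigned tx must have empty scriptSigs")
        sequence = struct.unpack_from("<I", tx, pos)[0]
        pos += 4
        inputs.append({"txid": txid, "vout": vout, "sequence": sequence})
    n_out, pos = read_compact_size(tx, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", tx, pos)[0]
        pos += 8
        slen, pos = read_compact_size(tx, pos)
        outputs.append({"value_sats": value, "script_pubkey": tx[pos:pos + slen].hex()})
        pos += slen
    locktime = struct.unpack_from("<I", tx, pos)[0]
    pos += 4
    if pos != len(tx):
        raise ValueError("trailing bytes after unsigned tx")
    return {"version": version, "inputs": inputs, "outputs": outputs, "locktime": locktime}


def parse_psbt(blob: bytes) -> dict:
    if not blob.startswith(PSBT_MAGIC):
        raise ValueError("not a PSBT")
    pos = len(PSBT_MAGIC)
    global_map, pos = read_map(blob, pos)
    raw_tx = global_map.get(bytes([PSBT_GLOBAL_UNSIGNED_TX]))
    if raw_tx is None:
        raise ValueError("missing unsigned transaction")
    tx = parse_unsigned_tx(raw_tx)
    input_maps, output_maps = [], []
    for _ in tx["inputs"]:                       # one map per input, in order
        m, pos = read_map(blob, pos)
        input_maps.append(m)
    for _ in tx["outputs"]:                      # then one map per output
        m, pos = read_map(blob, pos)
        output_maps.append(m)
    if pos != len(blob):
        raise ValueError("trailing bytes after PSBT maps")
    return {"tx": tx, "input_maps": input_maps, "output_maps": output_maps}


def sighash_of(input_map: dict[bytes, bytes]) -> int | None:
    v = input_map.get(bytes([PSBT_IN_SIGHASH_TYPE]))
    return struct.unpack("<I", v)[0] if v else None


# --- constructed sample: one input, one P2WPKH output of 50,000 sats, SIGHASH_ALL ---
_tx = (struct.pack("<i", 2) + b"\x01" + b"\x11" * 32 + struct.pack("<I", 0)
       + b"\x00" + struct.pack("<I", 0xFFFFFFFF)
       + b"\x01" + struct.pack("<q", 50_000) + b"\x16" + b"\x00\x14" + b"\x22" * 20
       + struct.pack("<I", 0))
SAMPLE_PSBT = (PSBT_MAGIC
               + b"\x01\x00" + bytes([len(_tx)]) + _tx + b"\x00"      # global map
               + b"\x01\x03" + b"\x04" + struct.pack("<I", 1) + b"\x00"  # input map
               + b"\x00")                                              # empty output map

if __name__ == "__main__":
    for o in parse_psbt(SAMPLE_PSBT)["tx"]["outputs"]:
        print(f"send {o['value_sats']} sats to script {o['script_pubkey']}")
```

Everything a hardware wallet shows on its screen before signing (destination scripts, amounts, and which inputs are spent) comes from the decoded unsigned transaction, which is why the strict structural checks matter: a file the device cannot fully account for is refused rather than partially trusted.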
Guides
- Official guide: https://coldcard.com/docs/quick
- ColdCard community guides: https://coldcard.com/docs/community-guides
- Making offline transactions with ColdCard and Electrum https://multicripto.medium.com/how-to-make-offline-transactions-in-electrum-with-coldcard-wallet-838f84df379a
- Video tutorials: https://www.youtube.com/playlist?list=PLZKkuPrgFw0axLoDDzxAIYzpZeC_T1i7W
Final thoughts relating to threat scenarios:
As you see ColdCard is a tank of a hardware wallet. I wouldn’t necessarily recommend it as the first choice for a noob, but even if it was, the setup is not much more complicated than a Ledger or a Trezor, their docs and YouTube channel explain it quite clearly.
I would however consider minimizing the potential for a bad situation in case of home invasion (if you think that’s a possibility), by using some “decoy information”:
- Have an area in your desk/studio with Arduinos, Raspberry Pi, other electronics, so if you are forced to reveal your keys (and have set up a paper/emergency wallet with some funds to make the robbers satisfied), you owning a ColdCard instead of a Ledger or a very user-friendly alternative may be explained away by saying “I’m just a big nerd with electronics”.
Additional security aid:
- Have your HW inside a safe box with a dual combination, so that one of them opens the safe and sends a signal to the police/security company.
- An interesting mobile + PC application that someone could develop to avoid/minimize the “this guy holds crypto” perception:
- A browser extension/app that on receiving an email/SMS/call would proceed to delete from your browsing history any crypto-related websites, delete all browser wallets (Metamask, Hiro, Binance wallet…) and any other shortcuts or programs that might reveal you as crypto native/ Defi user.
- A phone app that would allow you to either hide behind a password any crypto apps or delete them altogether with one command or remotely.
I hope this guide was the right combination of details + brevity, as the number of security features would require a small book to properly address them.
As you know, keep your keys safe, be disciplined, but most important of all: stay anon.
Conclusion + Special Announcement:
Since it’s the holidays I am feeling generous. I am hosting a *Giveaway* and one lucky subscriber will be awarded a free hardware wallet of their choosing, or, if they don’t feel comfortable with shipping, I can award them the same amount paid out in BTC or ETH.
**Follow me on Twitter and Retweet this tweet below to enter!**
Happy Holidays and Merry Christmas to you all!
Thank you so much for reading my substacks.
2022 will bring more Crypto for Boomers and CBDC Watch! Special developments underway for the new year!
Disclosure: Not Legal or Financial Advice