Kuni's Blog

Search

SearchSearch

Storing your Digital Assets Securely

Oct 17, 2023, 8 min read

In this blogpost you will learn:

  • What is public key cryptography
  • What wallet programs do under the hood
  • How to store your seed phrase
  • Common threats
  • Practice exercises:

Previous reading: Cybersecurity for Everyone (kuni.cat)

Public-key/asymmetric cryptography

Lets first define what “storage” means in the context of cryptocurrency.

Because crypto is ruled by cryptography and not human law, the only thing that determines the owner of a cryptocurrency account is the possession of its private/secret key.

A private key is a string of numbers that allows you to cryptographically sign transactions. This means that whoever knows this number will be able to spend all of the accounts balance, regardless of who the “legitimate” owner of the account is.

Example of a Private Key:

107435187097287799521563287142577638987497617375775444773171446784043234144519

Private Keys also have the task of deriving Public Keys. Public Keys are used in the sender and recipient fields of a transaction.

Example of the Public Key pair of the previous Private Key:

0424c0c77337959e372042125a9907872dccdc7c5e3ca784c846a99f8cbe09c220d2383fa661f3de10d433a8397155a68c20540ae3bcb39368ebf8a3d26187f34a

Generally, when making a cryptocurrency account, you will be given a randomly generated seed/recovery/mnemonic phrase. This phrase is made up of 12 or 24 random words from the english dictionary and derives (gives access to) many private keys (many accounts).

Key Generation

Your public key is like your bank account’s IBAN number or your Paypal username and it is used to receive funds. Your private key is like your credit card details, which lets you spend the funds in one of your bank accounts. Your seed phrase is like the password to your bank, which gives access to all your accounts.

When talking about storing cryptocurrency, we are actually talking about the safekeeping of the seed phrase and/or private keys.

Wallets

Note: Generally, when we talk about wallets we are referring to non-custodial wallets. Custodial wallets are the ones you have within exchange accounts, like Binance or Coinbase. If you have never had to write 12 or 24 words down, you’re most likely using a custodial wallet. To protect your exchange accounts you need to practice good general cybersecurity, such as using a long, random password and 2 factor authentication.

A wallet is a computer program that handles your private keys and lets you interact with them via a user interface. Under the hood, wallets:

  • Randomly generate a seed phrase
  • Derive a set of private keys from your seed phrase
  • Display your cryptocurrency balances
  • Use your private key to cryptographically sign transactions
  • Broadcast transactions with their signature to an RPC node
  • etc

Non-custodial wallets can generally be divided in two groups: software wallets and hardware wallets. Software wallets store your private keys in your computer or web browser, while hardware wallets are small independent physical devices that hold your private keys and have the only function of signing transactions without exposing your private keys to the internet.

Lets see an example of how cold wallets work:

  • user connects hardware wallet to software wallet
  • user uses a software wallet to request a transaction
  • hardware wallet receives the unsigned transaction sent by the software wallet
  • hardware wallet signs transaction inside the device
  • hardware wallet sends back the transaction + signature to the software wallet
  • software wallet broadcasts the transaction + signature to an RPC node

Hardware wallets offer more security in exchange for convenience (and the cost of buying the device). Software wallets are more suitable for smaller portfolios, short term holdings and throwaway accounts, while hardware wallets are better for large portfolios and long term positions.

To clarify, there are many people that hold large portfolios in software wallets and are doing perfectly fine, but if you are not very computer savy and/or want to sleep better at night you may want to consider a cold wallet.

Note: Using cold storage doesn’t mean that you cant lose your funds in any way. If you click a link to a phishing site and sign a transaction with your hardware wallet that drains your account the type of wallet you’re using doesn’t matter.

Storing your Seed Phrase

As previously said, your seed phrase derives all of your private keys (aka, all your accounts). Needless to say, it’s indispensable to keep a copy of your seed phrase in a secure location in case you lose access to your wallet so you can restore it, and this copy needs to be stored securely.

There are many ways to store your seed phrase.

  • You can write down the words in a piece of paper and store it somewhere safe, like a home safe or even a safe deposit box.
  • You can also store it digitally inside an encrypted file, like that of a password manager.

Contrary to what many cryptocurrency users say, saving your seed phrase digitally can be a good idea. This depends on your own personal situation, but for example I would save my seed phrase digitally if I lived in a conflictive household where I didn’t trust a family member finding and stealing a piece of paper with my seed phrase written on it.

You can also make multiple copies, and for example store one home and one in a safe deposit box in case the other is lost. Come up with your own system based on your situation, available tools and risk model.

Common Threats

Contrary to popular belief, most attacks to personal cryptocurrency portfolios arent done by a genius hacker in a black hoodie that cracks your wallet password or keylogs your computer. More often than not users lose their funds by falling for scams or practicing bad operational security.

Phishing Scams

The easiest way to lose your crypto is falling for phishing scams. Look out for things like:

  • Wrong URLs of popular crypto apps and websites.
  • Unexpected NFTs appearing in your wallet that say you qualify for an airdrop.
  • DMs from people you don’t know asking for help or offering to help you.
  • Etc.

Bookmark all the crypto sites you use.

Physical Attacks

5 Dollar Wrench Attack

Keep a low profile.

  • Be pseudonymous online and don’t reveal your real identity.
  • Don’t talk about crypto with people that know your real identity.
  • Don’t brag about the money you have or have made in crypto.

All of these put you physically at risk.

Practice

The best way to become confident managing your cryptocurrency is by having on hands experience. You may have studied so much about driving but until you get your hands on the steering wheel you don’t know how it truly is.

Here are some practice exercises you can do without using real funds.

Preparations:

  • Make a new cryptocurrency account.
  • Store the seed phrase that’s generated by your wallet in a secure place.
  • To practice without the risk of losing any real money you can receive some free testnet tokens for the Sepolia testnet using this faucet.

Actions:

  • Make new accounts inside your wallet. Remember that a seed phrase can generate multiple SK/PK pairs.
  • Identify your private key/s and your public key/s within your wallet. Copy and paste them into your password manager or text file and label every item correctly (seed phrase, private key and public key).
  • Uninstall and reinstall your wallet and restore your accounts using your seed phrase.
  • Uninstall and reinstall your wallet and restore only one account using one of your private keys.
  • Uninstall your wallet and restore your accounts using your seed phrase in a different wallet program.
  • Make a new wallet and send funds back and forth from the original wallet to the new wallet.

You can repeat these exercises and jump from one to another until you feel comfortable.

Wallet recommendations

Software Wallets

For a Bitcoin wallet use Electrum or Wasabi. For an Ethereum wallet use Rabby or Frame.

Hardware Wallets

The two most popular hardware wallet brands are Ledger and Trezor.

Ledger is infamous for the data breach they were subject to that exposed the house addresses of hundreds of thousands of costumers. Not only this, but recently Ledger revealed that they’re able to extract the private keys from the devices secure element through their closed-source firmware.

Trezor devices are completely open source: the hardware, the firmware and Trezor Suite, their software wallet. Unfortunately, their devices are very vulnerable to physical attacks. Even so, id rather use a Trezor than a Ledger device.

If you have an old phone you don’t use laying around you can also try AirGap, which effectively turns your phone into a hardware wallet (but rendering it useless for any other purpose since it can’t be connected to the internet as stated earlier).

For most people I recommend the Trezor One.

Graph View

Backlinks