How to protect your seed phrases for a hardware wallet or multisig.

Where To Store Bitcoin

Everyone is different and I’ll reiterate that you need to do what is right for you. This is how I broadly think of where to store coins:

Hardware Wallets

Pound for pound, a simple hardware wallet is the best first step and maybe the only step you need to take. I have tried multiple hardware wallets and they all come with their own trade-offs. If you are buying your first one, find the one that is right for you. If you are going to do a multisig setup, buy from multiple vendors rather than three or five devices from your favorite vendor.

Miscellaneous information

Ledger: Ledger suffered two data breaches in 2020. The exposed data included the e-mail addresses of roughly a million people on its mailing list as well as names, postal addresses, and phone numbers from a subset of customer orders. The issues have since been addressed, but the lasting risk is that a leaked order record ties your name and home address to hardware-wallet ownership. If that worries you, order the device through a reseller such as Amazon, or ship to a work address or pickup point under a name not tied to your home. A reseller trades the data-leak exposure for a supply-chain one, so inspect the tamper-evident packaging and run the vendor's genuine-device check during first setup.

Hardware Wallets For Multisig

For a multisig setup, use devices from several brands. A feature such as a passphrase is additive: it is one more thing an attacker has to get past. Using devices from different vendors is multiplicative: a flaw in one vendor's firmware, random number generator, or supply chain then compromises only the keys held on that vendor's devices, not the whole quorum, whereas three or five devices from one vendor all fall to the same flaw.

Source: Michael Flaxman

What You’ll Need

Now that you understand your devices, you'll need to figure out how large you want your quorum to be in an m of n setup. Do you want a 2 of 3, a 3 of 5, or something else altogether? From there, you need to save:

How To Store Your Seed Phrase

When you are generating your seed phrase, read each word from the device's own screen, write it on the first sheet of paper, and continue until you have gone through all 12 or 24 words. Once you finish the first pass, your hardware wallet will ask you to verify the words. Read the first word on the device, make sure it matches what you wrote on the first sheet, then write it on the second sheet. If you fill in both sheets at the same time, you may copy one mistake onto both or catch one mistake but leave the second. Never type the words into a computer or phone to check them, and check your spelling as you go: the device only confirms what it showed you, not what your handwriting says (BIP39 words are unique in their first four letters, which helps when a word is hard to read later).

Additional Protection

If you are going to leave your seed in a location that is not entirely private, consider buying some tamper-evident bags. These are plastic bags often used by cash businesses or banks to show that no one has tampered with the contents. You can place your paper, laminated, or metal seed in a tamper-evident bag so that if you come into your office and see that the bag has been opened, you know the seed may have been compromised. The bags only provide evidence, not prevention, and a bag can be replaced with a fresh one, so write down the bag's serial number somewhere else and compare it each time you check.

Source: SasaNataLyaArt on Etsy
Source: Vemingo

Locations

Again, do what is right for you, but the seed phrase backups for a multisig wallet should ideally be dispersed across multiple locations. The rule of thumb is that no single location should hold enough seeds to reach the quorum: two seeds of a 2 of 3 in the same safe is a single-sig wallet with extra steps. How safely you can do this will vary, as will the complexity, depending on whether you chose a 2 of 3, a 3 of 5, or another multisig setup.

DIY vs Collaborative Custody

If for some reason you don't think you can do it yourself, or if you don't have a place to store one of the seed phrase backups, you can try something called collaborative custody. Services such as Casa and Unchained Capital let you set up a multisig in which they hold 1 of the 3 or 5 keys. For example, you can set up a Trezor and a Coldcard for a 2 of 3 multisig, and if you lose one of your signers or can't get to the safe deposit box that is in another state, you can ask them to sign with the third key they hold. The biggest trade-off is privacy, since they would know your balance, which is also why Casa lets you sign up with a pseudonym. Casa also lets you use your phone as one of the signers, so you only need to order one hardware wallet instead of two.

Collaborative Custody Paranoid

If you are going to use a collaborative custody model and you are paranoid about security, buy your hardware wallets directly from the manufacturers themselves. I can't imagine this happening with any reputable company, BUT suppose Collaborative Custody Corp. sends you the two hardware wallets directly and you set them up yourself with all of the steps above. You plug in your Trezor, verify the receive address, and the xpub confirms that it is 1 of the 3 signers in a 2 of 3 multisig. You plug in a Coldcard, verify the receive address, and the xpub confirms that it is 1 of the 3 signers in a 2 of 3 multisig. You then send your Bitcoin to the multisig address and feel great that you just secured your coins, except that you may have sent it to an attacker at Collaborative Custody Corp. Every check you did ran on hardware that party handed you: if the devices were tampered with before shipping (for example, firmware that generates a seed the sender already knows), the sender holds those two keys plus the third one it keeps, and two of three is enough to spend. The quorum only protects you if the keys are generated on hardware from parties that cannot collude.
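The "additive versus multiplicative" argument from the Hardware Wallets For Multisig section and the shipped-by-the-custodian scenario above can both be checked with a small counting model. This is an added example, not code from the article, from Michael Flaxman, or from any vendor. It assumes a deliberately crude threat model: each key is labelled with the one party that could learn or break it (its vendor, or a custodian that supplied the device), and compromising that party compromises every key it labels. The vendor names and the "CustodyCorp" label are constructed for the demonstration.

```python
"""
Added example (not code from the article, Michael Flaxman, or any vendor):
a small model of why a quorum spread across vendors is "multiplicative".
Assumed threat model, deliberately crude: each key is labelled with the one
party that could learn or break it (its vendor, or a custodian that supplied
the device), and compromising that party compromises every key it labels.
"""
from itertools import combinations
from typing import Dict, Sequence


def _check(m: int, key_parties: Sequence[str]) -> None:
    if not 1 <= m <= len(key_parties):
        raise ValueError("threshold m must satisfy 1 <= m <= n")


def parties_to_steal(m: int, key_parties: Sequence[str]) -> int:
    """Fewest distinct parties an attacker must compromise to hold >= m keys.
    Subsets are tried smallest first, so the first hit is the minimum."""
    _check(m, key_parties)
    parties = sorted(set(key_parties))
    for size in range(1, len(parties) + 1):
        for subset in combinations(parties, size):
            if sum(1 for p in key_parties if p in subset) >= m:
                return size
    return len(parties)  # unreachable: all parties together hold all n >= m keys


def parties_to_lose(m: int, key_parties: Sequence[str]) -> int:
    """Fewest distinct party failures (bricked devices, dead vendor, custodian
    gone) that leave fewer than m usable keys, i.e. the funds are stuck."""
    _check(m, key_parties)
    n = len(key_parties)
    parties = sorted(set(key_parties))
    for size in range(1, len(parties) + 1):
        for subset in combinations(parties, size):
            if n - sum(1 for p in key_parties if p in subset) < m:
                return size
    return len(parties)  # unreachable: losing every party leaves 0 < m keys


def assess(m: int, key_parties: Sequence[str]) -> Dict[str, int]:
    """Both numbers for one m-of-n layout; higher is better on both axes."""
    return {"theft": parties_to_steal(m, key_parties),
            "loss": parties_to_lose(m, key_parties)}


def scenarios() -> Dict[str, Dict[str, int]]:
    """Layouts discussed in the article (constructed labels; real vendor names used only as examples)."""
    return {
        "2 of 3, one vendor": assess(2, ["Trezor", "Trezor", "Trezor"]),
        "2 of 3, three vendors": assess(2, ["Trezor", "Coldcard", "Ledger"]),
        "3 of 5, one vendor": assess(3, ["Ledger"] * 5),
        "3 of 5, four vendors": assess(3, ["Trezor", "Trezor", "Coldcard", "Ledger", "Casa"]),
        "2 of 3, self-bought devices + custodian key":
            assess(2, ["Trezor", "Coldcard", "CustodyCorp"]),
        "2 of 3, both devices shipped by the custodian":
            assess(2, ["CustodyCorp", "CustodyCorp", "CustodyCorp"]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:48s} parties to steal: {result['theft']}  "
              f"parties to lose funds: {result['loss']}")
```

The model counts independent parties, not probabilities, and it ignores that an attacker with a vendor-level flaw still has to reach your device or seed. Its value is the ranking: a 2 of 3 across three vendors needs two independent compromises before theft, or two independent failures before the coins are stuck, while a 2 of 3 in which the custodian shipped both devices collapses to one, the same as a single-sig wallet.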

Casa Paranoid

I recommend Casa all the time. For $10 a month you can get a 2 of 3 multisig, which is a very affordable option, especially since you can stack within the app. Personally, I think Casa is a highly underrated service for newbies and I often point people there instead of Coinbase or Gemini. That being said, the 2 of 3 multisig is really a 1.5 of 3 multisig without one extra step.

Collaborative Custody Privacy

The benefit of a multisig setup is that you can lose a device or a seed backup and everything will be alright. The downside is that you need all of the xpubs in order to spend any coins with your quorum, so a collaborative custody service necessarily holds every cosigner's xpub and can watch every address derived from them. Running your own node normally keeps your xpubs off third-party servers, but that does not help here, because the service needs them to build the wallet. What the service sees is everything under the account-level xpubs you shared; it cannot derive other accounts of the same seed, since account paths are hardened, but it can correlate any wallet that reuses those xpubs. If you are going to use one of your hardware wallets for funds in addition to your multisig setup and want no link between the two, use a passphrase for the other funds: a passphrase produces a different seed, so its xpubs are unrelated to the xpub you exposed.

Additional Passphrase

The next thing to consider when leveling up seed phrase security is adding a passphrase. If you are only using a single hardware wallet, I would highly recommend it to most people. If you are generating a multisig from a single vendor, you may want to consider it. If you are generating a multisig from a variety of vendors, it is probably not needed. Whatever you decide, treat the passphrase as part of the backup: it is not stored on the device, a lost passphrase means lost funds, and a mistyped one silently opens a different, empty wallet rather than showing an error, so back it up separately from the words themselves.
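What a passphrase actually changes, shown as an added example that is not code from the article or from any wallet vendor. It covers both the privacy point in Collaborative Custody Privacy (a passphrased wallet has unrelated xpubs because it has a different seed and master key) and the level-up described here (a typo gives an unrelated wallet with no error). It uses only the Python standard library and the public all-"abandon" BIP39 test vector as constructed input; the candidate passphrases are made up for the demonstration.

```python
"""
Added example (not the article's or any vendor's code): what a BIP39
passphrase does to a seed, using only the Python standard library.
The mnemonic below is the well-known all-"abandon" BIP39 test vector,
chosen because it needs no wordlist file; it is public, so never fund it.
"""
import hashlib
import hmac
import unicodedata
from typing import Dict, Tuple

# Public BIP39 test vector (constructed input for this example, not a real wallet).
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic with
    salt "mnemonic" + passphrase, 2048 rounds, 64 bytes out. An empty
    passphrase is the wallet a hardware wallet opens by default."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def bip32_master(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with b"Bitcoin seed". Left half is
    the master private key, right half the chain code. Every xpub, including
    the one a collaborative custodian asks for, descends from this node."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_tag(mnemonic: str, passphrase: str = "") -> str:
    """Short, non-secret identifier of the master key so two derivations can
    be compared without printing key material."""
    master_key, _chain_code = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(master_key).hexdigest()[:16]


def compare_passphrases(mnemonic: str, candidates: Dict[str, str]) -> Dict[str, str]:
    """Map each labelled passphrase to the wallet it opens. Any difference in
    the passphrase, even letter case, gives an unrelated wallet: there is no
    'wrong passphrase' error, the other wallet simply looks empty."""
    return {label: wallet_tag(mnemonic, pp) for label, pp in candidates.items()}


if __name__ == "__main__":
    tags = compare_passphrases(TEST_MNEMONIC, {
        "no passphrase": "",
        "passphrase": "correct horse battery staple",   # made-up example
        "typo (case)": "Correct horse battery staple",  # one character off
    })
    for label, tag in tags.items():
        print(f"{label:14s} -> master key tag {tag}")
```

Run it and the three tags are all different: the device cannot tell the third case from the second, which is exactly why the passphrase has to be backed up as carefully as the words. The same property is what gives the passphrased wallet xpubs with no relation to the ones a custodian has seen.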

Source: Sorry, I don't have the source for this, but it was funny. If this is your site or app, please let me know so I can credit you.
How long it would take to crack a password using different classes of computers (note that classes C and D do not exist today but could in the future). Source: Coldbit blog.

Cloud storage and password managers

Do not store your seed in the cloud. Do not store your seed on anything digital or anything that has a connection to the internet. If you are not going to listen to that advice, fine, but at the very least do not store your passphrase in the same location as the seed words: whoever finds one should not also find the other.

Source: 1Password Blog
Source: Twitter

Raymond Durk