Bitcoin storage in a hardware wallet

Credit: Decrypt

Hardware wallets are physical devices that use encryption to store private keys, allowing access to your funds in a secure, offline environment. This is generally considered to be the most secure method of storage, since you are not using an internet connected device, or relying upon a third-party, to keep your private keys secure.

Hot and cold wallets

Wallets for storing cryptocurrency fall into two categories: hot wallets and cold wallets. A web-based wallet is an example of a hot wallet, because it is connected to the internet. In contrast, hardware wallets are an example of a cold wallet, because they are offline. The hardware wallet is used in combination with an application on your computer, or smartphone. Management of funds involves opening the application, connecting the device via USB or Bluetooth and unlocking it with a PIN. The application that you interact with never holds the private key. Instead, it communicates with the device which does securely hold the private key. This separation of the private key from the application and your internet connected computer, or smartphone, is fundamental in making this form of storage very secure.

Figure 1: Hardware wallets securely hold your private key offline and interact with your computer or smartphone.

Figure credit: ( 1)

Why is a hardware wallet considered so secure?

A hardware wallet just looks like a humble USB thumb drive (Figure 1). How can this be such a secure method of storage for your cryptocurrency funds? Firstly, since it is a physical device, rather than software residing on your computer or a random server somewhere in the world, a thief would need to have the thing in their hands to have any chance of stealing your funds. Other hot methods of storage, though often immensely secure, are potentially in reach of those pesky hackers and their geeky cleverness. To be clear and to reiterate the point, these other methods are very secure, but the advantage of storing a private key offline is clear to see. Reducing the potential thieves from everybody who has access to the internet, to those people that might find your secret hiding place, in your house, under the mattress, must surely make a difference. Secondly, even with the device in their hands, a thief would have a near impossibly hard time stealing your funds. Though looking like a USB thumb drive, these devices actually contain a microcontroller, which is in fact a kind of small computer. The private key is stored on this microcontroller and protected by encryption. Access to the private key can only be gained by use of the PIN, which you set upon initialising the device. With a limited amount of attempts to enter the PIN, before the data is wiped permanently, a brute-force break is not possible. Finally, it is important to realise something that might not be apparent at first: the funds are not actually stored on the device.

What if I lose it?

This might take some effort to conceptualise, but in addition to not being in any way physical, cryptocurrency is not stored on any device. Fundamental to the principles of cryptocurrency is the idea of a distributed ledger. Funds are assigned to an ‘account’ that has a public and private key. As the names would imply, the public key can be widely disseminated, but the private key should not be shared with anyone. The ‘crypto’ in cryptocurrency comes from the fact that cryptographic mathematics is used to make it work. The public and private key are actually related, but because of the use of one-way functions, knowledge of the private key cannot be gained from knowledge of the public key. Therefore, the funds that you hold exist at an address that is identified by your private key and recorded on a ledger that is distributed across a large network of computers that are using proof-of-work to provide consensus upon the true state of the ledger. We looked at this in more detail when considering how Bitcoin works. Transfer of funds to this ‘account’ is by way of the public key, which is asymmetrically related to the private key.

This means that when we refer to a wallet, in this context, it is serving a different role than we usually consider for a wallet. Instead of holding our money, the wallet holds the key that provide access to the money. If you lose the wallet, the money remains assigned to you on the distributed ledger. As long as the wallet is secure, anybody finding or stealing it cannot access your money and it remains assigned to you on the ledger. A helpful analogy might be to consider the possessions in your house. If you lose the key to your house, you don’t automatically lose your possessions. A spare key will allow you to regain access to your house and your possessions. Fortunately, the spare key analogy works here also.

The recovery phrase

Regaining access to your cryptocurrency, following the loss of a hardware wallet, can be enabled by purchasing a new hardware wallet and restoring your keys by way of a recovery phrase. To return to the analogy of the spare key, a second hardware wallet can be setup to allow access to your funds, in addition to the first hardware wallet, preempting the difficulties of any loss.

The recovery phrase, which is also referred to as a seed phrase, is a list of words which can be used to restore a wallet. The number of words is usually 12 or 24. The use of 12 words is very safe, as we shall explore below, so 24 words is very, very safe, I suppose. An example of a 12-word phrase might be:

angry extra snap put jazz milk loyal clown sword wheel zero slush

These 12 words are not just any old words, they are from a standardised list of 2048. This standardisation is known as BIP39 and each word is associated with a number from 1–2048. Therefore, the phrase can be recorded as a sequence of numbers and there are also lists available in other languages.

With a sequence of 12 words, where each word is chosen from a list of 2048 possibilities, the number of potential unique recovery phrases is:

\[ 2048^{12} = 5.4 \times 10^{39} \]

This is a huge number and the chance of somebody else serendipitously guessing or accidentally having the same recovery phrase is vanishingly small. Generally, we humans have a hard time conceiving the very big and the very small and it may be difficult to visualise just how big numbers like this really are. With a 24-word phrase, the number of potential options increases to \(3.0 \times 10^{79}\), which is a mind-bendingly big number. For comparison, there are estimated to be approximately \(1.0 \times 10^{80}\) atoms in the universe ( 2). From this perspective, securing your bitcoin using a private key within this field of possibilities, is like choosing an atom, within a grain of sand, in a desert on a distant planet, orbiting some far-flung star, within one of the many millions of galaxies in the universe (Figure 2).

Figure 2: The immensity of the universe, as captured by the Hubble Space Telescope.

Figure credit: ( 3)

Store your wealth in your head

The fact that a wallet can be restored with a recovery phrase offers an interesting opportunity, should things get desperate. For example, if you are unfortunate enough to live in a country with a failing economy, either today or sometime in the future, transferring your wealth from the country’s fiat currency into something more reliable might be a good idea, as the value of this fiat currency collapses. Things could get bad enough that you may choose to travel elsewhere. In addition to the traditional options of gold or silver, can now be added bitcoin. Whichever you choose, this wealth might well be at risk if attempting to leave the country with it and encountering corrupt, or desperate, border guards. Good luck with that if your pockets are stuffed with gold bullion bars! Theoretically, with a recovery phrase memorised, you could transfer your wealth across a border stored in your head. That makes confiscation much more unlikely.

The importance of the recovery phrase

While you may now be convinced of the security of a hardware wallet, the Achilles’ heel of this method of storage is obvious. Anybody in possession of the recovery phrase has access to your funds. There’s always a catch and this is it. For many in the crypto space, this responsibility is something they willingly take on, accepting that the freedom to be in sole possession of your wealth necessarily comes with a responsibility. You hold your funds and the buck stops with you. No need to trust any bankers, governments, or any other third-party. You trust yourself to secure your funds. At the risk of tautology, it’s worth making the reality of this absolutely clear: if you loose your recovery phrase, or someone unscrupulous finds it, you lose your funds. No ifs. No buts. No maybes. Gone.

Sorry if this sounds overly-dramatic, but a quick web search will demonstrate that this can happen and has happened ( 4, 5). Now, it is worth countering this with the flip-side of the coin. After all, your money can be at risk when kept in a bank and there are examples of confiscations ( 6), or limitations on how much you can withdraw ( 7). You have little power to control your own money in such situations. In the end, whether you would prefer the responsibility to be in your own hands or that of an institution, or government, might be worth considering. You may decide that storing your cryptocurrency in a web-based wallet, kept safe by a company that you trust, or that has insurance, is an option that you prefer.

Buy your device directly from verified sellers

It makes sense to buy a hardware wallet directly from a verified seller, or even better, directly from the manufacturer. There have been examples of people buying a second hand device that has already been initialised by the seller, who therefore has access to the recovery phrase ( 8). That would mean that any funds transferred to the wallet can easily be stolen by the original owner. In fact, the setup process, when using the device for the first time, includes checking the authenticity of the device and makes it very clear that you are creating a recovery phrase for the very first time. Still, when doing something unfamiliar, we can all end up doing something silly and it makes sense to reduce any chance of error. Buying a device that has potentially been tampered with, to save a few pennies, might not be the best idea. The affiliate links below, while certainly supporting this website, will take you directly to the manufacturers of well-made, trusted devices.

Examples of hardware wallets

Both Ledger and Trezor offer hardware wallets that are trusted, easy to set-up and use, with functional and intuitive interfaces, once connected to your computer or smartphone.

Ledger

Figure credit: ( 9)

The Ledger hardware wallets demonstrate the kind of stylish look that you would expect from a company based in France. The Ledger Nano X is their newest model, which offers Bluetooth connectivity.

Trezor

Figure credit: ( 10)

Manufacturers of the world’s first hardware wallet, Trezor continue to produce products that are trusted by many. The Trezor Model T is their newest model, which offers a colour touchscreen for easy navigation.

Bibliography

1. BEIGEL, Ofir. Hardware Wallets Explained, Reviewed and Compared [online]. 2021. Available from: https://99bitcoins.com/hardware-wallets/. Accessed: 2021-02-06.

2. WIKIPEDIA. Observable universe [online]. 2020. Available from: https://en.wikipedia.org/wiki/Observable%5Funiverse. Accessed: 2021-01-09. Archive: https://archive.vn/fgMUn

3. WIKIPEDIA. Universe [online]. 2021. Available from: https://en.wikipedia.org/wiki/Universe. Accessed: 2021-02-14

4. POPPER, Nathaniel. Lost Passwords Lock Millionaires Out of Their Bitcoin Fortunes [online]. 2021. Available from: https://www.nytimes.com/2021/01/12/technology/bitcoin-passwords-wallets-fortunes.html. Accessed: 2021-02-14. Archive: https://archive.vn/1W9ch

5. CARTER, Shawn M. Man accidentally threw away $127 million in bitcoin and officials won’t allow a search [online]. 2017. Available from: https://www.cnbc.com/2017/12/20/man-lost-127-million-worth-of-bitcoins-and-city-wont-let-him-look.html. Accessed: 2021-02-14. Archive: https://archive.vn/3JJ9j

6. WIKIPEDIA. 2012–13 Cypriot financial crisis [online]. 2020. Available from: https://en.wikipedia.org/wiki/2012%E2%80%932013%5FCypriot%5Ffinancial%5Fcrisis. Accessed: 2021-01-09. Archive: https://archive.vn/Y1pBg

7. WIKIPEDIA. Bank run [online]. 2020. Available from: https://en.wikipedia.org/wiki/Bank%5Frun. Accessed: 2021-01-09. Archive: https://archive.vn/6j2F7

8. LEDGER. Scam warning on second hand Ledger devices [online]. 2018. Available from: https://www.ledger.com/scam-second-hand-ledger-device. Accessed: 2021-02-14. Archive: https://archive.vn/EOAdc

9. LEDGER. Ledger Website [online]. 2021. Available from: https://www.ledger.com/. Accessed: 2021-02-14.

10. TREZOR. Trezor website [online]. 2021. Available from: https://trezor.io/. Accessed: 2021-02-14.

Newbie Crypto
Newbie Crypto
Crytpocurrency, blockchain and distributed ledger technology

Straightforward information for those new to this exciting technology, but intellectually equipped, curious and motivated to learn.

Previous

Related