Have you used Bitcoin for a while now and want to beef up your security game? Are you planning on investing significant sums and want to ensure you get your setup right the first time? Well it’s time to enter the world of Advanced Bitcoin Security where we start taking things much more seriously.
Up until this point you were likely just playing around and learning about what Bitcoin actually is, but now that you’re securing significant funds there are more steps you need to take to ensure your funds stay safe for decades. While many are aware of Hardware Crypto Wallets, this isn’t the silver bullet many think it is. There are a number of other critical things you should also know about and be doing to keep your funds safe.
In this Advanced level piece we’re going to help you make the right choices when it comes to your digital asset security, how you design and build your wallet, how to back it up and more.
Note: This Security guide is for “Advanced Levels” which are people with “Savings Account” level funds. If you’re securing larger amounts, please see our Expert Bitcoin Security guide.
Key Advanced Bitcoin Security Points
- Beginner Security: Ensure you do everything in our Beginners Guide To Bitcoin Security
- Use A Hardware Crypto Wallet: Use a Hardware Wallet and ensure it’s bought anonymously
- Advanced Wallet Security: Ensure 2+ backups at 2+ locations with proper location security
- Balancing Security And Complexity: Consider extra security measures carefully
- Use Your Own Full Bitcoin Node: Buy or build a full node and connect your wallet to it
- Advanced Computer Security: Ensure your network, mobile and PC are properly secured
- Test Your Backups Regularly: Routinely test your backup ensuring you can spend funds
- Security Through Anonymity: Don’t tell friends, family or social networks you own bitcoin
Advanced Bitcoin Security
Firstly, you can get a full run down on what each of our levels entail and where you might fit into them by looking at our Understanding Bitcoin piece or the overview table below. For this Advanced Bitcoin security guide we are only targeting people that have funds similar to what you might keep in your everyday savings account. For most people, this is an amount they’d be pretty angry about losing, so security precautions get increased to match.
[Overview table; only these cells survived extraction: Software (Hot) /, Metal Seed Plate, Fire Proof Safe, Own Full Node]
Our top priority for this site is to help everyone learn how to safely and privately buy, use, invest and grow wealthy with Bitcoin, so know that this piece is just the start of our security information. We’ll be adding to and expanding on each of the below points in much more detail as time goes on.
If you haven’t already, please make sure you’ve already read and done the security steps outlined in our Beginners Bitcoin Security guide which broadly include:
- Avoid Shitcoins: Focus on Bitcoin only and don’t buy other cryptocurrencies
- Don’t Use KYC/AML Exchanges: Use our Crypto Exchanges list for top non-KYC exchanges
- Use A Self-Custody Wallet: Download and use your own, private wallet
- Crypto Wallet Security & Backup: Use a strong password and write down your seed phrase
- Practice Good Cybersecurity: Use a password manager, 2FA, keep software updated etc
- Learn As Much As Possible: Get subscribed as knowledge is your best defence
Use A Hardware Crypto Wallet
Congratulations, your funds are at the Advanced stage now! If you don’t want to lose them, you should absolutely be buying a dedicated Hardware Wallet (also called a Signing Device or Key Manager). These are physical devices in meatspace that do one thing: generate and securely store your Public And Private Keys. OK we lied, they also sign transactions with your private keys too.
You never want your private keys touching that revolting, malware infested computer/phone of yours, trust us. Hardware wallets are cheap ($50+ USD) and easy to set up and use. Some top recommendations include:
While you’re welcome to buy any hardware crypto wallet you think is appropriate, we’d only advise it after considerable scrutiny. Here are a few major considerations you should weigh up before just purchasing any random device you find on the internet:
- True Randomness Generation: It should use two (or more) independent sources of randomness for your private key generation. One of the main purposes of hardware crypto wallets is to generate your private keys, so this needs to be next level grade bullet proof! A poorly generated private key is a huge security hole
- Open Source: Its code should be 100% viewable for you or any other security researcher to review and interrogate. Open source code, vetted over many years is one of the top ways to ensure a secure environment
- Verifiable Software Binaries: It should have verifiable software binaries and PGP key signature checking with easy to follow instructions on their website. This allows you to verify that the software you’re downloading from their website hasn’t been maliciously altered or tampered with
- Uses Interoperable Standards: It should use common, industry standards such as BIP39 for its seed phrase words to allow for interoperable use in case there’s any reason to migrate away from that hardware vendor (eg they go bankrupt / get taken over / start acting stupid). To help with this, check out the major software wallets out there and see which devices they integrate with
- Reasonable Company History: The company itself should have been around for at least 5 years or more and the more revisions of the hardware they have, the better (eg. COLDCARD is up to “Mk4” while BitBox is up to “02” now). This hopefully ensures (but doesn’t guarantee) that hardware level issues have been resolved at the source and that the hardware and software have had most of their main kinks sorted out. You should also review their general practices like storage of customer data, history of how they handle security breaches and how they work with the security community in general
- Works With Standard Wallets: It should work with any industry standard third party Bitcoin wallet such as Sparrow Wallet. You should not be locked into using only their bundled software wallet program as this can be both a privacy risk and a problem if the company ever runs into troubles
- Full Bitcoin Node via Tor Support: It should fully support you connecting it to your own Full Bitcoin Node via Tor. This is vital for Advanced and Expert levels, both for privacy and security, and many hardware wallets that “experts” recommend, such as the Ledger, don’t do this!
- Easy Import / Export: It should fully support importing and exporting of all required info (Including Coin / UTXO Labels) for easy backup and restore, especially across various third party wallets (eg exporting from their wallet app and importing into a third party wallet) and for Multisig wallets that require more detailed backup information than single signature ones
- Multisig Support: It should fully support Multisig Wallets as well as xPub / Watch Only wallets and this support should extend to the standardized third party wallets as well
- Labeling And Control Of Coins: It should fully support labeling of coins (UTXOs) and being able to control which coins you spend either through their own app or through a standardized third party wallet
- Purchase Only From The Supplier: It should come in a tamper evident bag directly from the supplier and no one else. Do NOT buy from other random online sellers, eBay, forums or any other source
- Consider Physical Size: When choosing a device many people prefer large screens to enable easier reading / interaction, but be aware that the larger the device is, the harder it is to store / hide. It will also likely be more expensive too
Pro Tip: Don’t buy a hardware wallet with your real world identity
If the hardware wallet company gets hacked, your identity is forever linked to “this customer has so much crypto they needed to buy a hardware wallet” = huge target. A recent example of this is how Ledger had all their customer data stolen. Now all those people are forever at physical risk with criminals knowing the names, addresses, emails and more. Not cool!
That company may also link your identity and funds to that hardware crypto wallet and monitor your device / addresses / balance / transactions via their software (eg. Ledger Live)… which they then pass on to governments, third parties etc.
Buying the device without revealing your own real world identity is a one time, highly beneficial security enhancement that ensures knowledge of your stash is never revealed no matter how many times they get rekt.
Most hardware wallet manufacturers will accept Bitcoin too making this a relatively easy way to protect yourself. Make up a name, create a one time Proton.me email account via Tor Browser, pay via Bitcoin you obtained via a non-KYC source and you’re set!
Advanced Wallet Security
While a Hardware Wallet is a must for any advanced wallet setup, it’s just one piece of the puzzle. To properly secure your Bitcoin it’s important you understand a few common terms and how they relate to one another:
- Mnemonic Sentence: Generated by you or the Hardware Wallet, usually 12 or 24 words
- Passphrase: Optional and chosen by you, it’s a 13th or 25th word for the Mnemonic Sentence
- Hardware Crypto Wallet: The physical hardware device such as a BitBox02 or COLDCARD
- PIN: Chosen by you, it’s a code used to protect your Hardware Crypto Wallet
It’s critical to understand that you have two things you need to protect. Your funds can be spent either by someone who has your Hardware Wallet plus its PIN, or by someone who has your Mnemonic Sentence (plus its Passphrase, if you use one). This is because the keys inside the Hardware Wallet are derived from the Mnemonic Sentence, so both of these things must be protected at all times.
Due to the relationship of the Mnemonic Sentence, Passphrase, Hardware Wallet and PIN you should always ensure that the:
- Hardware Crypto Wallet and PIN are stored in separate physical locations
- Mnemonic Sentence and Passphrase (if used) are stored in separate physical locations
We have already created an in depth guide specifically related to protecting your Mnemonic Sentence (How To Protect Your Bitcoin Private Key). This covers many good, bad and terrible things people do and should be read before you start planning any secure crypto wallet setup. What it doesn’t deal with is the broader physical protection of the Mnemonic Sentence and the actual Hardware Wallet and its associated PIN.
This protection covers areas such as accidental loss, disasters such as fire / floods / storms / forgetting as well as theft such as through home invasion, physical duress or even kidnapping.
Critical to how you backup your Mnemonic Sentence is what physical thing you write your 12 or 24 words on. In the advanced stage it’s still quite acceptable to have it written down on a simple piece of laminated paper. You’re going to have multiple copies of this and it should be secured properly (discussed further in Key Location Security below).
Some people will insist that it has to be on a “metal seed plate” which can withstand ridiculous temperatures, but at this level of funds we still consider it optional. In reality, if your house burns down it’s very possible that both laminated paper and a metal seed plate will be lost. This isn’t because the steel plate melts, but for other reasons you might not realize.
For example, maybe you aren’t able to access your property for weeks/months due to police or fire restrictions. Maybe it’s simply lost in the huge pile of rubble, like a needle in a giant charcoal haystack. Or maybe it’s been shot out the side and down a drain by a fire hose while they were trying to put the fire out. There’s many, many reasons you may never see a metal seed plate again even if it survives the actual fire fine.
The reason this isn’t a problem though is because you should have multiple Mnemonic Sentence backups!
As larger amounts of funds are now tied to your Mnemonic Sentence, it’s unacceptable not to have multiple backups in different locations. Two locations is the minimum at this level. But. Be careful where you choose to store them as you want them to be as secure as possible.
As we are still using single signature wallets, anyone who has access to your private keys can spend or steal your funds. So don’t just give the second copy to anyone. Choose a trusted family member or friend or perhaps choose no one and use a secure separate location far away you have access to such as a safety deposit box or other property you own.
Key Location Security
In these multiple locations, make sure there is an appropriate level of physical security protecting your paper or metal seed phrase. If you don’t frequent the location very often, consider how you could be notified if it’s breached and how much notice you’d have.
Obviously the higher the security a place has the better. 24/7 security guards, locked gates, doors or boxes, surveillance cameras, laser grid arrays. All good stuff! At this level we recommend the Mnemonic Sentence be in at least some form of locked box or fire proof safe. This can be something cheap from your hardware store and bolted to the floor or something more creative.
Balancing Security And Complexity
Complexity is your enemy. Any fool can make something complicated. It is hard to keep things simple
Richard Branson
The keen eyed among you might have noticed that we haven’t once mentioned Multisig wallets. For those that aren’t aware, a Multisig wallet is a type of wallet that requires multiple keys in order to sign a Bitcoin transaction. This means in order to spend the funds in the wallet you need 2-of-3 or 3-of-5 keys rather than just a single signature.
These types of wallets are fantastic and provide significant protection from various forms of attacks, but also come at the cost of greater complexity. They’re getting more and more simple to create and use as the Bitcoin ecosystem develops, but for now we consider them an Expert level tool.
While we don’t discourage use of them even at the Advanced level, just be aware that they require more than just backing up your Mnemonic Sentence (the 12 words). We will discuss them in detail in our Expert Bitcoin Security guide as once you’re dealing with serious investment levels of funds they’re absolutely needed.
While not as complex as a Multisig wallet, a Passphrase, which we detailed earlier, is another additional security measure you can use. A Passphrase is a 13th or 25th word that is appended to the end of your Mnemonic Sentence and creates an entirely new wallet, separate from the wallet of the initial 12 or 24 words.
These are excellent for protecting your Mnemonic Sentence as it’s a simple way you can give someone your 12 words without that other person being able to access or spend any of your funds. The downside though is that you now have two single points of failure in your backup system. Lose either the Mnemonic Sentence or the Passphrase and you lose access to your funds!
Deciding if the pros outweigh the cons is something we’ll leave up to you, but in general always consider this balance of security and complexity. For the vast majority of people, the main way they end up losing their bitcoins isn’t through theft or hacking, it’s through locking themselves out.
Whether it’s through forgetting a Passphrase, losing your Mnemonic Sentence backup or 100 other things, make sure you properly evaluate the most likely ways you personally might lose your funds and then optimize for protecting against those in the simplest way possible.
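To make the Mnemonic Sentence / Passphrase relationship concrete (both the “two things to protect” point above and the “entirely new wallet” behaviour of a Passphrase), here is an added example, not code from this guide or from any wallet vendor, that derives the BIP39 seed a hardware wallet builds its keys from. The mnemonic is the public BIP39 test vector (so it must never hold funds); the only dependency is Python’s standard library.

```python
import hashlib
import unicodedata

# Constructed sample mnemonic: the standard BIP39 test vector (11 x "abandon" + "about").
# It is publicly known, so it must never be used for real funds.
TEST_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed that a hardware wallet derives all its keys from.

    BIP39 defines this as PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic,
    with the salt "mnemonic" + passphrase and 2048 rounds. The passphrase (the
    "13th/25th word") is only mixed into the salt, so every passphrase, including
    a typo, yields a different but perfectly valid seed. Nothing in this
    derivation can tell you that a passphrase is "wrong": you just land in an
    empty wallet, which is why it is a second single point of failure.
    """
    mnemonic_bytes = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic_bytes, salt, 2048, dklen=64)


def same_wallet(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True only if both passphrases open the same wallet (identical seed)."""
    return bip39_seed(mnemonic, passphrase_a) == bip39_seed(mnemonic, passphrase_b)


if __name__ == "__main__":
    base = bip39_seed(TEST_MNEMONIC)               # no passphrase: the "plain" wallet
    hidden = bip39_seed(TEST_MNEMONIC, "TREZOR")   # passphrase: an entirely separate wallet
    typo = bip39_seed(TEST_MNEMONIC, "Trezor")     # one case change: yet another (empty) wallet
    print("no passphrase :", base.hex()[:16], "...")
    print("TREZOR        :", hidden.hex()[:16], "...")
    print("Trezor (typo) :", typo.hex()[:16], "...")
    print("typo opens the same wallet?", same_wallet(TEST_MNEMONIC, "TREZOR", "Trezor"))
```

The seed for the test mnemonic with passphrase “TREZOR” matches the vector published in the BIP39 specification, which is a handy way to confirm a wallet implementation before trusting it with funds.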
Finally one other extra security measure you can take is to consider having one wallet for the long term storage of your savings account level funds, and a second one to use day to day that contains your pocket money level funds. For most this is achieved by keeping their Hardware Crypto Wallet on a laptop or desktop computer while they spend smaller amounts on a Mobile wallet.
This once again increases security but also increases complexity so we’ll leave it up to you to determine whether it’s worth it for you personally or not. Perhaps you have a spare laptop or phone just lying around so it’s easy, many people don’t have this luxury though which is why it’s not something we mandate.
Use Your Own Full Bitcoin Node
Not your node, not your code, baby
Elvis Presley
Everything in Bitcoin is done through nodes. If it’s not your node, then someone else knows your balance and spending info and can also feed you false information creating all sorts of security concerns. For example they could allow a transaction that isn’t following the rules of the Bitcoin network. If you then try to spend those bitcoins somewhere else they’ll be rejected by the rest of the network and it’s as good as them stealing your funds.
While this is a serious security and privacy risk, the natural way that people learn about Bitcoin means that it’s not until later that they understand enough about What A Bitcoin Wallet Is, how it works and why it’s so critical to run your own node. Fear not though!
Running a node is easy, has a moderate one time hardware purchase fee ($400+ USD) and helps strengthen the Bitcoin network. They can also be used for many other purposes too such as chat and podcast servers, payment processors for business and more. If you are at an Advanced or Expert level in Understanding Bitcoin and have funds invested that is approaching or exceeding what you might hold in a savings account we strongly recommend building or buying your own Full Bitcoin Node.
Once your node is online it’ll take a few days to download the entire Bitcoin blockchain, or “sync”. This is totally normal, is about 530 GB in size currently, only has to be done once and is referred to as the Initial Block Download (IBD). Once it’s done, all you have to do is set up your new Bitcoin Wallet and point it at your node. If you have funds in other wallets then send them across to this new one and you’re done! Examples of fantastic nodes include:
Owning your own Full Bitcoin Node also now allows you to run your own Lightning Node. You can then connect your mobile Lightning Wallets back to it and set it up to send/receive all data over the Tor network which drastically improves your privacy and security even further.
Becoming a node runner is another entire rabbit hole to go down, but a vital one. We will be covering it in a lot more detail in the future so stay subscribed!
Advanced Computer Security
If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked
Richard Clarke, White House Cybersecurity Adviser
In our Beginners Guide To Bitcoin Security we touched on basic computer security:
- Password Manager: Use a password manager to generate and store long, unique passwords for your wallet and online accounts. A great option is Bitwarden. It’s open source and offers free personal accounts plus you can even host your own Bitwarden compatible server (called Vaultwarden) and ensure all passwords never leave your control
- 2FA: If the account has Two Factor Authentication make sure you use it. SMS based is better than nothing, but App based is far better if you have the option
- Keep Clean: Make sure you install the least amount of apps possible on phones or laptops. With every app you get another hole in your security, plus it slows your computer down too
- Keep Clean Online: Similar but slightly different, make sure you sign up to the least amount of online services possible. Most people reuse passwords meaning that a data breach somewhere turns into a breach everywhere. Even if you don’t reuse passwords, the more services you have going, the more risks you run
- Updates: An easy one, always make sure your software is kept up to date
- Security Breaches: Stay updated about security breaches and how they may affect you. Use Have I Been Pwned to check if your account has been compromised
- Avoid Public WiFi: Free or public WiFi can be great… but also introduces many potentially bad actors that can intercept and spy on traffic. At a bare minimum, try to avoid using them with the computer that has your Bitcoin wallet on it
As we’re protecting more serious funds now, it’s advised that you consider some higher level precautions such as:
- Network Security: Make sure your home WiFi network is using at least WPA2 security with a strong, unique and long password. This shouldn’t be your mobile number, dog’s name or something that’s only 10 characters long. Aim for 16+ randomly generated characters combined with all the trimmings of upper case, lower case, punctuation etc. Also consider the devices that are permitted on your local network carefully. Many spy on and send diagnostic metrics back to their manufacturer, so a good firewall or completely separate subnet can be another excellent enhancement
- Mobile Security: Make sure your mobile has a strong, unique password (not a pin!) lock on it. Again aim for 16+ characters and make it random. Also give serious consideration to whether or not it needs any Bitcoin wallet or crypto related information on it at all. While mobiles are kept with you, they can also easily be lost or stolen so making sure the thief doesn’t then have access to or knowledge of your Bitcoin funds is important
- Dedicated Device: While not mandatory at this level, consider the idea of having a totally separate and dedicated physical device for your main cold storage wallet setup. This could be a laptop or mobile device that has a locked down OS such as Tails installed and no other software installed. For the majority of its life it can also be turned off and even disconnected from the Internet by using an air-gapped Hardware Crypto Wallet, which further increases security
- Signing Verification: Ensure that any application files you download or update have valid PGP signing keys and that their checksums match what the developer indicates. We’ll be releasing more detailed guides on this at a later date too
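The checksum half of the Signing Verification step (and the Verifiable Software Binaries point in the hardware wallet checklist) is worth seeing as code. This is an added example, not code from this guide or from any wallet vendor: it parses a SHA256SUMS file in the format `sha256sum` produces, hashes each download and reports which files are intact, altered, or simply not listed. The file names and bytes are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample: a SHA256SUMS file in the format sha256sum produces and vendors
# publish beside their downloads ("<hex digest>  <filename>"; a leading "*" on the
# filename marks binary mode). The digests are those of the sample bytes below.
SUMS_TEXT = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  wallet-1.0.0-linux.tar.gz
b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 *wallet-1.0.0-win.zip
"""

# Constructed "downloads": the bytes you actually fetched. One is intact, one was
# altered (or corrupted) in transit, and one was never listed by the vendor at all.
DOWNLOADS = {
    "wallet-1.0.0-linux.tar.gz": b"abc",
    "wallet-1.0.0-win.zip": b"hello world!",   # one extra byte compared to what was published
    "wallet-1.0.0-mac.dmg": b"anything",       # not in SHA256SUMS: nothing vouches for it
}


def parse_sha256sums(text: str) -> dict:
    """Map filename -> expected hex digest. Skips blank lines and '#' comments."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")        # drop the second separator char and the binary marker
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed SHA256SUMS line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def verify_downloads(sums_text: str, downloads: dict) -> dict:
    """Return {filename: "OK" | "MISMATCH" | "NOT LISTED"} for each downloaded file.

    Only meaningful once sums_text itself has been checked against the developer's
    PGP key (for example `gpg --verify SHA256SUMS.asc`): an attacker who can swap
    the binary on the download server can just as easily swap an unsigned
    checksum file sitting next to it.
    """
    expected = parse_sha256sums(sums_text)
    results = {}
    for name, data in downloads.items():
        if name not in expected:
            results[name] = "NOT LISTED"
            continue
        actual = hashlib.sha256(data).hexdigest()
        # compare_digest avoids leaking which prefix matched via timing; cheap habit to keep
        results[name] = "OK" if hmac.compare_digest(actual, expected[name]) else "MISMATCH"
    return results


if __name__ == "__main__":
    for name, status in verify_downloads(SUMS_TEXT, DOWNLOADS).items():
        print(f"{status:10s} {name}")
```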
Test Your Backups Regularly
One of the most important things to do when it comes to protecting your Bitcoin security is testing that it actually works! There’s no point having the most perfect system in the world if, when the all important time comes, you try and restore your wallet and it fails. So, during the setup of your wallet:
- Have your software/hardware crypto wallet generate a new wallet
- Create your Mnemonic Sentence backups however you deem is best
- Send a small amount of bitcoins into the wallet, something like $5
- Completely delete your current wallet and reset your hardware crypto wallet
- Using just your Mnemonic Sentence backup, recover your wallet and check the funds appear
- Finally (a very important step!) make sure that you can spend your funds
If you can regenerate your software/hardware crypto wallet exclusively from your Mnemonic Sentence backup and spend funds from the wallet then you have a fully tested backup system ready to go!
Security Through Anonymity
I don’t know why people are so keen to put the details of their private life in public; they forget that invisibility is a superpower
Banksy
Last but absolutely not least is anonymity. It’s hard to overstate how important containing certain information about yourself can be. All it takes is just one person to know what you have and it will never be a secret again.
You can have 1,000,000 bitcoins that you carry around in your mobile hot wallet (like a complete moron) and no one would know unless you tell them. It seems simple enough not to tell people, but most can’t stop sharing their life on social media, posting pictures of their hardware crypto wallets, bragging about how much they made during the last Bull run and so on.
For once, this security measure requires you to not do something. Don’t tell friends or family that you own bitcoin. Don’t share screen shots or information about your wallet software, setup or configuration. Don’t link your personal identity to the idea of you owning cryptocurrency and obviously don’t tell anyone if your investments hugely increase in value. Don’t do this:
If you’d like some motivation as to why anonymity is a superpower, perhaps have a quick read through some of the Known Physical Bitcoin Attacks list that Jameson Lopp maintains. It details dozens of terrifying cases. This is very serious stuff here! Do not simply give away your anonymity!
While the day may finally come where you are forced to reveal you own billions of sats, don’t make it your unforced error. Be sensible with the information you share and try and keep all references to Bitcoin separate and hidden as best you can. Hide your Full Bitcoin Node in a cupboard. Remove the “Bitcoin” stickers from your laptop. Change the “Stack Sats” wallpaper on your phone. Be one with the no coiners.
You don’t have to never talk about Bitcoin, but don’t actively bring it up and if anyone asks, just tell them that unfortunately you never got into Bitcoin as you just don’t have any funds spare to invest. Such a shame.
How To Protect Crypto From Hackers
Protecting your bitcoins from hackers isn’t just a one time thing and involves a number of different steps because there’s many, many ways hackers can steal your funds. Some of our top recommendations involve using non-KYC exchanges, taking full self custody of your bitcoin and using a hardware wallet.
How To Protect Your Crypto On Coinbase
The number one thing you can do to protect your crypto on Coinbase is to withdraw it from Coinbase into a self custodial wallet you control. The risks involved with having your bitcoins entrusted to a third party is too big to ignore as Crypto Exchange Bankruptcies happen every year without fail, for example FTX, Celsius or Voyager.
What’s The Most Secure Cryptocurrency?
The cryptocurrency that has the highest Proof-of-Work (PoW) hashrate is universally considered the most secure as it takes the most compute power to orchestrate a 51% attack against it. Since the beginning of crypto in 2009, this has been Bitcoin and it shows no sign of ever changing.