This guide is targeted for the typical bitcoin user that buys a hardware wallet, follows the normal setup instructions, but doesn’t take any additional security measures. This guide requires no advanced knowledge about hardware wallets or security.
Hardware wallets are becoming popular as people realize that if you don’t control the private keys, it’s not really your bitcoin — you only have a promise, from whoever does hold the private keys, that they will deliver your bitcoin upon request. But whoever made the promise, usually an exchange, may not honor that promise. It’s up to them. Maybe they’ll claim your bitcoin was stolen.
So people are trying to do the right thing. They’re buying hardware wallets, transferring their bitcoin off exchanges and onto addresses it creates, writing the PIN, passphrase, and seed words down on a piece of paper as instructed, and then throwing everything into a drawer, home safe, or maybe even a safe deposit box. Great. Now they can sleep well at night. Except they shouldn’t. Their bitcoin is still at serious risk. Unacceptably high risk.
The problem is that everything is stored in one location. This exposes you to two major risks:
Accidental Loss Risk
If a fire, flood, earthquake, tornado, hurricane, mudslide, etc. destroys the location where you are storing your hardware wallet, then your bitcoin is lost forever. Or maybe you stored everything in a safe deposit box thinking that’s safer. But banks can also be destroyed by natural disaster. Maybe someone throws away your hardware wallet thinking it’s an old useless calculator, and now you can’t find the seed words that you wrote down on a piece of paper. Did you memorize some information without writing it down? People forget PINS’s and passwords all the time.
You could come home one day to discover everything was stolen. Now your bitcoin is lost forever. Maybe you’re not worried about theft because you have an awesome hiding place in your home. But what if thieves enter your home while you are there, and force you to transfer your bitcoin to their address under the threat of violence? Are you keeping the hardware wallet in a safe deposit box? Banks do not insure safe deposit box contents, so if the contents are stolen your bitcoin is lost forever without any compensation. In addition, the bank or government can confiscate your safe deposit box contents. Google it to see recent examples of where this has happened.
Ok, now that we know storing everything in one location is a bad idea, what exactly should we do about it? To answer that question, let’s first clearly define the problem.
Single Point of Failure
Most people using a hardware wallet store it (and the PIN, passphrase, and seed words) in a single location like their home, or a safe deposit box, as shown in Figure 1. It’s their system for storing bitcoin. It’s a relatively simple system, but it’s a system nonetheless.
As already mentioned, there are many ways you can lose all your bitcoin if something bad happens at this single location. Systems that can fail, if a single point in the system fails, contain a design flaw called a Single Point of Failure. If that single point fails, the whole system fails, meaning your bitcoin is lost forever. If a sizable portion of your net worth is in bitcoin, this loss can be devastating. It is not acceptable to lose all your bitcoin just because you stored everything in one location. A more resilient bitcoin storage system is needed. One that doesn’t contain a single point of failure.
Eliminating Single Points of Failure
Let’s redesign our bitcoin storage system so that it doesn’t contain a single point of failure. How do we do that? Can we just buy another hardware wallet, configure it with the same seed words, passphrase, and PIN as our first wallet, and then store it in different location, as shown in Figure 2, to eliminate the single point of failure?
That would certainly eliminate the single point of failure due to accidental loss: if we lost one of these locations, we can still access the bitcoin using the hardware wallet at the other location. But we are still at risk from theft. Anyone that obtains access to one of these two locations has everything they need to steal our bitcoin. In other words, each location still contains a single point of failure! We need a better system.
Let’s take a closer look at our hardware wallet. A hardware wallet is actually comprised of four different components:
- Hardware wallet
- Seed words
We now know that we mustn’t store all four components in one place, and that duplicating everything to two locations doesn’t help. So, the question boils down to: how can we split these four components into different groups so that they can be stored in separate locations that do not contain a single point of failure?
Let’s start off by grouping the four components so the bitcoin can’t be stolen if someone gains access to a group. We call these dependent groups, because they depend on each other to access the bitcoin, as shown in Figure 3.
Neither of these two groups alone will allow you to access the bitcoin. You need them both together. Great, now can we store these two dependent groups at different locations so that if a someone gains access to one of them they won’t be able to steal our bitcoin, as shown in Figure 4.
We’ve eliminated the single point of failure due to theft, but notice that if we lose one group, we lose all our bitcoin. That’s the same type of single point of failure we had when we stored everything in one location. To fix this, our system just needs one more tweak.
Let’s duplicate the dependent groups and store them at separate locations to eliminate the last single point of failure, as shown in Figure 5.
We can lose any single location and we will still be able to access the bitcoin, and if someone gains access to any single location, they cannot steal any bitcoin. That’s it! We’ve eliminated all single points of failure. Now you really can sleep more soundly at night 😊
Make sure to configure both hardware wallets with the same seed words, PIN and passphrase.
Now that we know four locations are required, and what to store at each location, let’s talk a little bit about what makes a good location.
First, it helps to notice that there are two types of locations, 1) those used to store hardware wallets and seed words, and 2) those used to store PIN’s and passphrases. Let’s name each type of location. We’ll call a location that stores a hardware wallet and seed words a “HW Location”, because the hardware wallet is stored there. And we’ll call a location that stores a PIN and passphrase a “PP location”, where PP is just the concatenation of the first letter of the words PIN and passphrase. Both types of locations are shown in Figure 6.
We’ll talk about them separately since the guidelines between the two types vary. But regardless of the type of location, there is one main rule that applies to all locations:
Main Rule — No two locations should ever be in the same place at the same time (except for short periods when you need to access the bitcoin).
With that rule in mind, let’s talk about each type of location.
Protection Against Natural Disaster
Hardware wallets, and therefore the seed words, must be stored in physical locations. It is necessary that the HW locations are geographically separate, as far away from each other as reasonably possible. Everything else being equal, two locations in different cities is better than two locations within the same city. Two locations in different states is better than two locations within the same state. Two locations in different countries is better than two locations within the same country. Once we have mastered interplanetary travel, then you may want to consider that option. In the meantime, keep HW locations as far apart as reasonably possible. This will help protect against natural disasters that destroy large areas.
Protection Against Corporate Theft
Do not use HW locations that are both under the same corporate control. For example, let’s say you rent two safe deposit boxes from your bank to use as HW locations. You know that both boxes shouldn’t be at the same location, so you get boxes in different branches across town from each other. But since the same bank corporation owns both branches, they can confiscate the contents of both boxes. A better solution would be to use boxes from two different banks. That way, a single bank cannot confiscate both boxes.
Protection Against Government Theft
Do not use HW locations that are both under the same government control. For example, even if you use safe deposit boxes from different banks, the government can confiscate your safe deposit box contents at both banks. A better solution would be to use safe deposit boxes in different banks in different countries. Since this option is outside the reach of most people, you can help protect yourself from government threat by introducing a layer of indirectness. For example, instead of renting two safe deposit boxes, it would be better to rent just one, and then use a friend or family members safe deposit box for the other location. That way, the government only knows about the safe deposit box you rent. It’s much easier for the government to confiscate things at locations they can identify through your financial records, than it is for them to follow every connection you have with friends and family.
Ultimately, the government can confiscate anything they can find. So to completely protect yourself against government theft, you must store a copy in a HW location that has no direct connection to yourself.
All the rules for HW locations also apply to PP locations, but you have a few more options for PP locations because they are pure information — they can be stored physically, digitally, or even memorized. For example, you could memorize the PIN and passphrase, and also store them in a password manager on your laptop. No physical copy would exist.
Isn’t the above scenario a violation of the Main Rule? Correct! Both PP locations are at the same location when you (with memorized PIN and passphrase) use your laptop with the password manager which also contains the PIN and passphrase. If a tornado comes through and destroys the laptop, and sadly, yourself, then both PP locations are lost (and so is all the bitcoin).
To fix this, simply configure your password manager to backup to the cloud in an encrypted format. They all provide this functionality. You are essentially creating a third PP location in the cloud. That way, only 2 of your 3 PP locations are in the same place at the same time when you use your laptop. The tornado cannot destroy the cloud copy. The Main Rule was designed to prevent total loss of information needed to access your bitcoin. So even though it’s technically being violated, the third location provides security against total loss, so it’s ok in this circumstance.
Of course, you may now ask, what good is a cloud copy if a tornado kills me? That is a different topic — how to transfer your bitcoin to beneficiaries after your death. I’ll just say for now that the first step is ensuring your bitcoin survives your death. You must not be a single point of failure.
One final note on locations — It is not necessary to worry endlessly about all the ways a location can be compromised. What is necessary is that you make a reasonable effort to pick good locations following the Main Rule.
Example Setup and Risk Scenarios
Let’s say I store a hardware wallet and seed words in a safe deposit box near my home, and also at a family member’s home in another state. I also memorized the PIN and passphrase, and recorded them in my password manager that is backed up to the cloud in encrypted format.
- The bank confiscates the safe deposit box contents because you forgot to pay the rental fee. You still have a wallet in the family member’s home.
- A fire burns down the family member’s home and destroys everything within it. You still have a wallet in the safe deposit box.
- You forgot the PIN or passphrase. You can retrieve the PIN and passphrase from the password manager.
- The password manager on your laptop and its cloud backup become permanently inaccessible. You still have the memorized PIN and passphrase.
- A thief breaks in while you are home and demands that you transfer your bitcoin to their address. You literally cannot transfer any bitcoin because neither the hardware wallet or seed words are in your home.
The typical bitcoin hardware wallet user stores everything in one location. This exposes them to many risks where they could lose all their bitcoin. To reduce this risk, we designed a distributed and redundant bitcoin security system that eliminate single points of failure. We did not have to learn or use any complicated security techniques to do it.
No security solution provides 100% protection. But the system described here is a massive improvement over storing everything in one location.