Bitcoin Security Setup
Always a good idea to check your setup and adjust
If you want to take advantage of all that Bitcoin has to offer, you should not hold your coins on exchanges and should self custody them instead. There have been plenty of headlines lately of people losing their coins when an exchange goes under. Some of these exchanges who paid a tiny rate of interest to depositors ended up pledging the deposited Bitcoin as collateral to loans gone bad, wiping out both the exchange and the depositors in the process. Even exchanges who don’t blatantly do this (like Coinbase) still warn in their SEC filings that the coins held on the exchange could be taken by someone with a higher priority in the event of bankruptcy (depositors could end up last in line as general unsecured creditors):
Moreover, because custodially held crypto assets may be considered to be the property of a bankruptcy estate, in the event of a bankruptcy, the crypto assets we hold in custody on behalf of our customers could be subject to bankruptcy proceedings and such customers could be treated as our general unsecured creditors. This may result in customers finding our custodial services more risky and less attractive and any failure to increase our customer base, discontinuation or reduction in use of our platform and products by existing customers as a result could adversely impact our business, operating results, and financial condition.
Coinbase Quarterly Report
The Bitcoin saying “not your keys, not your coins” continues to ring true.
Once making the decision to self-custody, however, you get transported into a whole new world that many of us are not prepared for, since we are so used to having other “trusted third parties” hold our financial assets including banks, stock brokerages, investment managers, etc. About the only financial assets we typically self custody is cash and maybe some gold and silver coins. Making the decision to self-custody Bitcoin is the ultimate form of self-sovereignty and also truly taking full responsibility for your finances. Once you have made the decision to self-custody, however, that’s only the beginning of the learning journey. I wanted to dedicate this post to some considerations and different options available to self-custody that I have tried and have found useful, without being overly complicated.
Basic Single Signature Setup
For a basic single signature setup, you can purchase one hardware wallet. I actually like the term “signing device” better, since it more clearly describes its function. Your coins are not actually stored on the device, they are on the Bitcoin blockchain and the device just allows you to sign transactions, prove you own the coins and move the coins around to different wallets using a combination of your public and private keys. I have used Trezor (can purchase directly from them online) and Ledger (bought on Amazon) hardware wallets. You do need to be sure you receive original, sealed packaging from the manufacturer and never use a previously-used device, just for safety. Both devices are pretty easy to use and require connecting to your computer through a USB connection and downloading an app to your computer to interact with your coins. The basic setup includes choosing a passcode for the device and generating a seed phrase or private key of 12-24 random words. The device / app pretty much walk you through the process step by step. I have also heard that the Coldcard is a good signing device and has some advantages to the others in that it does not directly connect to your computer (uses a MicroSD card) and has several other security features, but I haven’t used that one yet.
The upside of a basic single signature setup is that it is easy to implement compared to other options and it’s also faster and easier to use in practice to transfer coins around your wallets.
The downside of a basic setup is that if something happens to your signing device or if your passcode and / or your seed phrase are lost or stolen, you are in big trouble and your coins could be lost forever. You can take some precautions like making a metal “seed plate” with your seed phrase on it and storing that in a location separate from your signing device and you can also create a second backup of your seed phrase on paper and also store that safely in a separate location. If your device were to fail, you could get a new device, setup a new wallet and recover your Bitcoin using your seed phrase. But that’s a hassle and having a backup doesn’t protect you from a thief who somehow gets access to your credentials.
Multi Signature Setup
Another option is to use more than one key to sign your Bitcoin transactions. There are many ways to do this using different wallets that support multi signature - the link to the Bitcoin wiki above has some examples of wallets that support multi sig as well as a nice explanation of what multi signature is and how it works. From what I have learned, it sounds a bit more complicated to implement compared to single signature, but significantly improves your security since it eliminates the single point of failure of one key.
One multi signature option I have tried and like so far is with Unchained Capital. They are a Bitcoin only company that provides Bitcoin purchasing, custody and lending services. For custody, Unchained provides a multi signature “vault” that can be accessed by using two of three keys. I started out with them by rolling over a Roth IRA I had at JP Morgan. Their vaults use the “two of three” setup, which means any two of the three keys can be used to sign transactions. While it’s nice to have full control over your coins in an IRA, if you withdraw your coins early, you will be subject to penalties and that’s basically what their custodian Solera Bank watches out for in addition to deposits in excess of how much you are allowed to contribute each year and other IRA compliance matters. This is the only Bitcoin IRA I have found where you can truly hold your own keys, which is why I’m also rolling over the coins in my Digital Trust IRA (where you can’t hold your keys) to my Unchained IRA. I have also recently setup another vault to store some of my other (non retirement account) coins.
To setup a vault, you upload two public keys (not your private keys) from two separate signing devices (Unchained supports Trezor, Ledger and Coldcard) and they hold the third key. In this setup, you can access your coins anytime by using your two signing devices to sign transactions, but if for some reason one of them becomes compromised, you can reach out to Unchained to use their key as the second key to access your coins. You also have to be able to login to their portal to access the vault, which is another security check against unauthorized access. They also have optional features like requiring video identification if more than a certain percentage that you set of the coins are moved at one time before allowing the transaction. Bottom line is having two keys to access your coins makes it way harder for someone to steal your coins, versus having only one key.
The nice thing about the multi-signature setup with Unchained is that you can still have full control of your coins with the two keys, but you have someone that can help you if one of your keys is compromised, in addition to some other optional security features. The downside of this setup is if Unchained goes out of business and you no longer have access to your vault. Since you still have your two keys, you can still sign transactions with both keys by using another application (setting up your own multi signature wallet using your two keys) and then move your coins wherever you want to. It’s a hassle, but at least you still control your coins.
There are other 2 of 3 multi-signature setup options available with Unchained, including you holding one key, a trustee holding the second key and Unchained holding the third key. Any coin movement would require coordination of two of the three key holders and obviously proof that the movement is authorized would be required. This is an extremely secure setup, but is also a hassle since you would have to coordinate coin movement every time. Having said that, this would be the ultimate protection to what Bitcoiners call the “$5 wrench attack,” which is if someone physically threatens you to transfer your coins to them. With this setup, there’s no way you can move the coins by yourself.
Estate Planning
There are also advantages from an estate planning standpoint to using multi signature security, since your trustee and Unchained could work together to move your coins as part of your estate settlement process without needing your key. The other way to handle this for estate planning if you want to control the two keys is to leave a detailed letter of instruction to your successor trustee on how to access your keys when you pass using the multi signature setup (or single signature if that’s what you have). One thing I would not do is put your signing device passcode or private key in the letter. Instead, refer to a location where they are stored under lock and key and where to find the key or who has custody of the key. That way if the letter falls into the wrong hands, they can’t easily steal your coins. Bitcoin is a relatively new asset in the estate planning space, but not too dissimilar to gold / silver coins, family heirlooms and similar physical assets that need to be transferred to heirs. However, Bitcoin is certainly more complex in how it is held and transferred compared to traditional self custodied assets.
Seed Phrase Storage
As mentioned above, it is highly recommended to purchase a seed plate (I tried one call Cryptotag Zeus but there are many others on the market) to store your seed phrase. You basically punch codes into a metal plate that represent the seed words in their exact order (for example, the Cryptotag references a standard BIP39 wordlist) with a metal punch. This is a much more durable way to store the phrase than a piece of paper. I keep the seed plate stored in a bank safe deposit box so it’s away from home and inaccessible without quite a bit of extra work. I also keep a backup copy of the seed phrase in a fireproof safe, just in case it’s needed. While it’s not ideal to keep the seed phrase and signing device in the same location, it is more convenient if you need it (there are often firmware updates to the signing devices and you need to have your seed phrase handy in case there is a problem with the update). However, with a multi signature setup as described above (you control two of the three keys), there’s less risk if one of the keys is compromised as long as both signing devices are kept in different locations.
Final Thoughts
I sometimes struggle with balancing self-reliance and relying on third parties when it comes to Bitcoin. I think each person has to come to their own conclusions about the right mix to optimize self-sovereignty and security. This why Bitcoin continuing education and research are essential so you can evaluate the different security options. My setup has definitely evolved over time and I’m sure it will continue to evolve as I learn more and new services and products come into the Bitcoin space.
Accumulating Bitcoin is like planting a tree. You may not live long enough to enjoy the shade of that tree, but your future generations will. As such, the only thing more important than accumulating Bitcoin is making sure it is properly secured.
Not financial or legal advice, for entertainment only, do your own homework. I hope you find this post useful as you chart your personal financial course and Build a Financial Fortress in 2022. To see all my books on investing and leadership, click here.
Always remember: freedom, health and positivity!
Please also check out my Building a Financial Fortress Podcast on YouTube here and on all your favorite streaming platforms.