Defend yourself: How to set up really cold storage #2
In our first of two articles, we looked at how to set up a computer and the software you’ll need to generate private keys offline. In this one, we’ll look at key generation and storage itself.
You’ll probably have heard the term ‘cold storage’ before. It’s the practice of keeping your crypto offline, in an account where the key is not exposed to the web – and, ideally, has never been exposed to the web. So long as that key stays offline, whether in digital or physical form, no one’s getting your crypto. The process of setting it up is much the same for almost any crypto.
Assuming you’ve followed the instructions in our first article, you’ll now be set up with a clean, offline computer with a fresh, untainted OS installation and some key-generation software you can use offline such as BitAddress or vanitygen. So let’s get started.
- Generate a private key and address
If you’re using BitAddress, this is really simple – just click Generate New Address and you’ll get a new address and private key. You can print these out (ideally staying offline, again), or copy/paste them into a text file to save to a USB or flash drive (ideally encrypted).
If you’re using vanitygen, then you can use it simply to create a random key and address. Do this by using ‘1’ as a parameter, since (legacy) Bitcoin addresses begin with ‘1’, for example:
./vanitygen 1 (Linux) or
vanitygen 1 (Windows)
This will output something like:
If you want, you can generate a proper vanity address, which starts with a specific string of characters. (The longer the string, the longer it takes to find a matching address: the search time grows exponentially with the length of the prefix.) For example:
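To make steps 1 and 3 concrete, here is a small pure-Python walkthrough of what BitAddress and vanitygen do under the hood. It is an added example written for this article, not code from either tool or from the original post: it draws a private key from the OS random source, derives the legacy ('1…') address from it, encodes the key in the Wallet Import Format a paper wallet would carry, runs a toy vanity search so you can see why each extra prefix character multiplies the work, and finally re-derives the address from the recorded WIF key so you can confirm a backup before funding it. The secp256k1 constants are the public curve parameters; the function names (`vanity`, `backup_matches`, `estimated_tries` and so on) are this example's own, and it assumes Python 3.8+ with an OpenSSL build that exposes `ripemd160` in `hashlib`. The arithmetic is not constant-time, which is fine on the offline machine this series is about but not something to reuse in a networked wallet.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _add(p1, p2):
    # Affine point addition on secp256k1; None is the point at infinity.
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt=G):
    # Double-and-add scalar multiplication (not constant-time; offline demo only).
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload):
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(B58[r])
    pad = len(data) - len(data.lstrip(b"\x00"))  # each leading zero byte encodes as '1'
    return (B58[:1] * pad + out[::-1]).decode()

def b58check_decode(text):
    n = 0
    for ch in text.encode():
        n = n * 58 + B58.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    data = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if _checksum(data[:-4]) != data[-4:]:
        raise ValueError("bad base58check checksum")
    return data[:-4]

def pubkey_bytes(priv, compressed=True):
    x, y = _mul(priv)
    if compressed:
        return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def address(priv, compressed=True):
    # Legacy P2PKH address: base58check(0x00 || RIPEMD160(SHA256(pubkey))), hence the leading '1'.
    sha = hashlib.sha256(pubkey_bytes(priv, compressed)).digest()
    return b58check_encode(b"\x00" + hashlib.new("ripemd160", sha).digest())

def to_wif(priv, compressed=True):
    # Wallet Import Format: the string a paper wallet or key file normally records.
    return b58check_encode(b"\x80" + priv.to_bytes(32, "big") + (b"\x01" if compressed else b""))

def from_wif(wif):
    payload = b58check_decode(wif)
    if payload[0] != 0x80 or len(payload) not in (33, 34):
        raise ValueError("not a mainnet WIF private key")
    return int.from_bytes(payload[1:33], "big"), len(payload) == 34

def new_private_key():
    return secrets.randbelow(N - 1) + 1  # OS CSPRNG; valid scalars are 1 .. N-1

def vanity(prefix, max_tries=1_000_000):
    # Draw random keys until the address starts with prefix; returns (priv, addr, tries).
    if not prefix.startswith("1") or any(c not in B58.decode() for c in prefix):
        raise ValueError("legacy prefix must start with '1' and use base58 characters")
    for tries in range(1, max_tries + 1):
        priv = new_private_key()
        addr = address(priv)
        if addr.startswith(prefix):
            return priv, addr, tries
    raise RuntimeError(f"no match in {max_tries} tries")

def estimated_tries(prefix):
    # Rough expected attempts: ~58 per character after the leading '1' (the second character
    # cannot take every base58 value, so the true figure there is lower).
    return 58 ** (len(prefix) - 1)

def backup_matches(wif, expected_address):
    # Re-derive the address from the recorded key before funding it (or after restoring it).
    priv, compressed = from_wif(wif)
    return address(priv, compressed) == expected_address
```

Calling `vanity("1A")` on an ordinary laptop returns in well under a second; `vanity("1Kid")` would need on the order of `estimated_tries("1Kid")` (about 195,000) attempts, which is the exponential growth the text mentions, and it is why vanitygen is written in C rather than Python. The `backup_matches` check is the habit worth keeping: type the WIF string back in from the paper or steel copy and confirm it reproduces the address before any funds are sent.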
- Record your key really safely
You can save these keys to a file on your offline machine, so long as it’s going to stay offline. Alternatively, find a better home for it and re-format your hard drive before you connect it to the web again. There are plenty of options. Paper wallets are one – you can use BitAddress to print one out for any key. Or you can use a piece of hardware like a Cryptosteel, which is basically indestructible cold storage. Do not put all your eggs in one basket: keep at least two copies of your private key, in different locations. The addresses don’t need to be hidden, and you’ll need them to pay funds into your cold accounts.
There are a few things you should bear in mind when storing keys, given the less obvious ways they can be compromised:
- Printer memory can be accessed if the device is online, and keys you have printed could potentially be recovered from it.
- Keeping keys offline is good practice. Leaving paper wallets around for anyone to find is not. Most burglars won’t know or care about crypto, but why take the chance? Hide them well.
- It is possible to access human memory and remove information about private keys and/or their whereabouts, given the correct tools. These can vary but the classical implementation of brain hacking is known as rubber hose cryptanalysis. This involves holding a crypto owner captive and beating them with a rubber hose (or other suitable weapon) until they divulge the desired information. Consequently, you might want to keep keys somewhere that even you cannot access easily, or consider multi-sig accounts.
- Fund that address
Whatever you decide, make sure those keys are stored safely – and then transfer funds to the associated address. It would be terrible if you went to the trouble of setting up super-cold storage, then put all your crypto in it, only for the keys to be lost, stolen or destroyed while you were on your way to your safety deposit box.
If ever you, or your heirs, need to retrieve that crypto, all that's needed are the private keys and any passwords needed to decrypt them. Then simply import them into the right wallet – again, making very sure it's a legitimate version and there's no malware on the computer.