Defend yourself: How to set up really cold storage
The sad and somewhat suspicious story of QuadrigaCX illustrates the importance of making your cold storage inaccessible to everyone – except those who actually need to access it.
In the five-plus years I’ve been in the crypto world, I’ve lost count of the number of times I’ve seen funds lost or stolen. Often the victim’s first response is to blame the wallet or the protocol, claiming a bug or vulnerability has led to the theft. And then you dig a little deeper, and find the same story. Every single time.
Occasionally it’s an extremely weak mnemonic phrase, or one that can easily be guessed (using a bitcoin address as a mnemonic or private key for another crypto is a very bad idea, for example). But overwhelmingly, it’s down to private keys being stored badly, which is spectacularly negligently. Like in plaintext on a DropBox account. Or unencrypted in a text file on the same computer they use to download torrents, and the friendly malware you get with certain types of file. (In the latter case, the guy complained about losing $70k in crypto; boasted that he’d sold most of it significantly higher; and then suggested that if everyone in the Slack channel donated $10 he would be ‘made whole’.)
It’s frustrating because just about everyone knows the deal. If you own your private keys, and if you look after them properly, the odds of getting hacked are essentially zero. Public key cryptography is that powerful. But if there’s a weaker link somewhere, that’s where the chain will break.
You’ll probably have heard the term ‘cold storage’ before. It’s the practice of keeping your crypto offline, in an account where the key is not exposed to the web – and, ideally, has never been exposed to the web. So long as that key stays offline, whether in digital or physical form, no one’s getting your crypto. The process of setting it up is much the same for almost any crypto.
Get set up
To do this right, you need a computer that is not connected to the internet. In fact, after set up (if at all), it will never be connected again. You can use an old desktop or a cheap computer like a Raspberry Pi to keep costs down. It’s best to start from scratch, so either format the computer or install a new OS – Ubuntu is recommended. Basically, you want to wipe everything off that machine and make sure the only software that is on it, is safe. Make sure you only download your OS from reputable sites, and verify it using the checksum, if applicable.
Install your key-generator
There are various apps you can use to generate private keys. The easiest way is probably to head for BitAddress.org and save a copy of the site so you can use it offline. It’s open source and client-side, so won’t need to send any info over the web to create private keys and their addresses. You can also use software like the well-known vanitygen. This can be used to create a personalised crypto address, though is a little harder to use and you’ll need to be happy with a command-line interface. Again, it’s open source. It should go without saying but – DO NOT USE ANYTHING THAT REQUIRES AN INTERNET CONNECTION, HAS A THIRD PARTY GENERATE KEYS FOR YOU, OR IS CLOSED SOURCE.
You’ve been warned.
Once you’ve installed a clean OS and your key generation software, it’s time to disconnect from the internet. You should stay disconnected either permanently, or until you delete any information about your private keys from that computer. That way, if you have – somehow – accidentally installed some malicious software, it won’t be able to send your keys back to the hacker.
In the next article, we’ll look at how to create your private keys and addresses, and keep and crypto you store in them safe.