Storing Bitcoin Private Keys (Cold Storage & Encryption)
When setting up a Bitcoin wallet, you're normally provided a backup seed, so that if you lose access to the wallet you can recover any money in it. This backup seed needs to be kept very safe, as without it you may lose access to your Bitcoin, and if someone else gets it they can steal your money (e.g. you should never store this in plain text, or take a picture of it on your smartphone).
This guide will go through how to store this backup seed in a secure way.
Risks of popular crypto wallets
This guide focuses more on backing up your private key/seed than on using a Bitcoin wallet securely, but you should be aware that popular desktop wallets like Exodus, and even hardware wallets like the Ledger Nano S, do have vulnerabilities from time to time. So if you're storing a very large amount of crypto, look into these potential vulnerabilities and make sure you're taking steps to protect against them. Alternatively, look into paper wallets (these are considered very secure if configured correctly).
What are recovery seeds?
There are two types of Bitcoin wallet: non-deterministic, and, more commonly, deterministic. "Deterministic" just means that all of the wallet's keys are generated 'from a single starting point known as a seed'. So if your wallet is deterministic, rather than backing up each private key, you just back up the seed, which is normally shown to you when setting up the wallet. If you later lose access to your wallet, you can restore it from the seed, because the seed regenerates every private key associated with the wallet (a deterministic wallet can have many private keys, which you would otherwise have to back up one by one). If you have a non-deterministic wallet, you do need to back up each private key itself.
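As an added illustration of what "deterministic" means (this is example code, not something from the original guide or from any wallet vendor), the block below assumes the wallet follows the common BIP39/BIP32 scheme used by hardware wallets: the word list plus an optional passphrase is stretched into a 64-byte seed, and the master private key is then derived from that seed. The practical point for backups is that the passphrase is part of the secret: the same words with a different (or forgotten) passphrase restore a completely different wallet.

```python
import hashlib
import hmac
import unicodedata


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    The mnemonic is the password; the salt is the literal string "mnemonic"
    followed by the optional passphrase. Both are NFKD-normalised so that
    the same words typed on different systems give the same seed.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with the constant "Bitcoin seed".

    The left 32 bytes are the master private key, the right 32 bytes the
    chain code; every other key in the wallet is derived from this pair,
    which is why backing up the seed is enough to recover all of them.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def restores_same_wallet(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True only if both passphrases lead to the same master key."""
    key_a, _ = seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase_a))
    key_b, _ = seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase_b))
    return hmac.compare_digest(key_a, key_b)


if __name__ == "__main__":
    # Constructed sample: the first BIP39 test vector (12 "abandon" words + "about").
    # It is a published test value, never a real wallet, so do not reuse it.
    words = "abandon " * 11 + "about"
    print(mnemonic_to_seed(words, "TREZOR").hex())
    print(restores_same_wallet(words, "", "TREZOR"))  # a forgotten passphrase = a different wallet
```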
Generating your private key/seed
If you plan to generate a private key/seed yourself, see this post with lots of good security advice. In general:
- Avoid using any kind of web-based generators.
- Generate it locally, and disconnect your computer from the internet beforehand.
- Consider using a fresh install of your operating system to avoid potential keyloggers and malware.
- Be aware that if you save your seed to an unencrypted file and then delete it, the data most likely still exists on the disk. Deleting a file only removes the filesystem's reference to it; the bytes stay in place until they happen to be overwritten. Do some research into securely overwriting files like this.
If you're not very technical (for example, you're not sure what Linux is, or didn't know what a private key/seed was before reading this guide), then consider using a hardware wallet like a Ledger Nano S, which will generate a seed for you securely.
In general, there are two approaches to backing up your private key/seed:
- Back it up to a physical document (e.g. write it on a piece of paper).
- Back it up on your computer.
Backing up to a physical document
Many security-conscious people recommend this approach: when setting up a wallet, you write down your seed on a piece of paper and keep that paper physically secure. Hardware wallets like the Ledger Nano S give you a card labelled 'My recovery phrase' and require you to write the 24-word seed on it before you can finish setting up the wallet.
A few important things to note:
- Generally you should avoid printing your seed unless you've configured your printer securely: many printers keep logs of what has been printed and are internet-connected, so printing may expose your seed to someone malicious. Write it down by hand instead.
- Although this approach protects your seed from any potential malware, it does mean you need to think about physical security. If someone works out where you live, they can break into your house and steal the paper with the seed on it, so you need to think about where to store this (see below for some ideas).
Some suggestions for keeping a document physically secure:
- Storage location. Many people store their backup keys in a folder or on a shelf, without really thinking about losing them or someone stealing them. If you own large amounts of crypto, consider buying a small safe. One costing less than $100 might not be very secure, but it's better than leaving the paper on a shelf, and it makes the backup harder to lose! If you have very large amounts of crypto, look into safe deposit boxes at banks (check how the box is insured: if you're unlucky enough to have your safe deposit box stolen, your crypto might not be covered).
- If you hold smaller amounts of crypto, hiding in plain sight can be a good approach. An example might be writing it on a small piece of paper and putting that in a favourite book; or making yourself a Matrix-style poster full of green numbers/letters, with every 4th character being part of your backup seed. Be creative here! If you own a significant amount of crypto this wouldn't be sufficient and you should really look into physically secure locations (keep in mind that in the worst case your house could burn down, or be affected by a natural disaster). But for someone holding a smaller amount of crypto this offers a way to store it long-term without paying anything, and means the average house burglar is unlikely to steal it, unless they happen to be a fan of The Matrix or of whatever book you picked! *In all seriousness, don't put it in a book and then post on social media that said book is your favourite; keep clues like this private, or pick a random book.*
- Burying it is a more extreme approach. Devices like Cryptosteel let you assemble your seed from characters engraved in stainless steel, which can then be buried somewhere (or you can just hide it in your house with the peace of mind that it's flood- and fire-resistant).
Backing up to your computer
This approach is more technically complex, but if done correctly it can be secure and avoids the physical security risks above. Be aware that it has risks of its own though: there are many horror stories of people losing access to the encrypted hard drives that store their private keys/seeds. So if you're not very technical, backing up to a physical document may be the better option.
Encrypting Your PC
Encrypting your PC is a good idea in general, especially if it leaves your home (laptops, for example). Many people aren't aware that if you don't encrypt your PC, anyone with physical access to its hard drives can read the data, regardless of whether you have a login password. The Ubuntu operating system, for example, can be booted from a memory stick or CD; someone malicious can plug one in and, for example, reset your PC's password. In some configurations they can simply browse your files straight away, and any unencrypted file is readable to them immediately.
Some other things to be aware of:
- If you're encrypting a computer that already has files on it (e.g. a few months/years after first installing it), remnants of the previously unencrypted files will still exist on the disk. So if you stored, for example, private keys in text files beforehand, you should transfer any money controlled by those keys to a new private key.
- On newer hardware encrypting a PC doesn't have a significant effect on performance, but on older hardware it can.
- When you successfully log in to an encrypted PC, the encryption key and some decrypted data are held in memory, and someone malicious with physical access may be able to plug in, say, a USB stick and gain access to that data. So avoid leaving your computer turned on but merely locked, and disable drivers for USB ports, for example, if you're in a shared workspace.
NOTE: If you plan to encrypt your computer make a backup first, then destroy this backup when you know the encryption was successful (e.g. save important files to a cheap USB stick, then physically destroy that USB stick afterwards).
For Windows there are two methods to encrypt your PC, depending on your version of Windows and your hardware. These methods are:
- Windows 8.1 & 10: Device Encryption. Found under Settings -> System -> About.
- Windows Vista, 7, 8, 8.1 & 10 (and some other versions): BitLocker (this is generally considered better as it offers more functionality, and under the hood it appears to use the same encryption as Device Encryption). Search "BitLocker" in the Start menu to open it.
More info on these and alternatives can be found here.
On Mac you can use FileVault to encrypt your PC. There are two ways to access it:
- Go to System Preferences -> Security & Privacy -> FileVault.
- Or type "FileVault" into spotlight search.
If you want other users of this PC to be able to access the files, make sure you enable them in the FileVault setup. More information can be found here.
There are many Linux distributions offering good encryption solutions, but each works slightly differently so we'll focus on Ubuntu in this guide. On Ubuntu you have an option to encrypt your PC when you initially install it. Alternatively if you already have Ubuntu installed unencrypted, see this guide.
Encrypting Specific Files
There are many tools for encrypting files, so do your own research in this area. If you're familiar with using a terminal, you can encrypt/decrypt a file using OpenSSL.
Alternatively, if you want a user interface, VeraCrypt is our favourite free open-source encryption software. It supports Windows, Mac and Linux and is based on TrueCrypt, software that was once very popular for encryption but stopped being supported (VeraCrypt fixes many vulnerabilities and security issues found in TrueCrypt). Using it for the first time can be very confusing, so it's important to read all the instructions. Also note that VeraCrypt does not encrypt existing data in place; it creates an encrypted container that you then move your data into (so if you point it at an existing file, it will overwrite that file).
Remember that nothing is 100% secure, and that security is all about building barriers. Each barrier on its own can ultimately be crossed, but if you build enough then you're better protected. Encryption is just an extra barrier to add to your arsenal. It will also get you thinking about security, and help you keep yourself and the people around you safer.
DISCLAIMER: This site cannot substitute for professional investment or financial advice, or independent factual verification. This guide is provided for general informational purposes only. Bitcoin Kit is UK-based and not regulated by the FCA (Financial Conduct Authority). The group of individuals writing these guides are cryptocurrency enthusiasts and investors, not financial advisors. The ideas presented are our analysis, learning & opinions on a range of cryptocurrency topics. Trading or mining any form of cryptocurrency is very high risk, so never invest money you can't afford to lose - you should be prepared to sustain a total loss of all invested money.
This website is monetised through affiliate links. Where used, we will disclose this and make no attempt to hide it. We don't endorse any affiliate services we use - and will not be liable for any damage, expense or other loss you may suffer from using any of these. Don't rush into anything, do your own research. As we write new content, we will update this disclaimer to encompass it.