As the value of your Bitcoin grows, so does your need to store your keys securely. One solution is a hardware wallet, a physical device that holds your Bitcoin keys securely. But hardware wallets are not the only option for storing your Bitcoin keys: there are also software wallets, paper wallets, and even “brain wallets.” So why choose a hardware wallet specifically?
1. Keep your keys offline and protect them from remote attacks
Hardware wallets enable you to generate your Bitcoin keys and keep them offline, which is known as cold storage. This is in contrast to hot wallets, which are more vulnerable to remote attacks such as malware and SIM swap attacks (still more secure than a custodian or exchange!).
You can think of this as similar to building a ship in a bottle. Your wallet seed, which is used to generate your Bitcoin keys, is generated within the device and cannot be exported digitally. The keys never leave the device. Even if the hardware wallet is connected to a virus-infected computer (which is not recommended), the keys will still be protected, often in a secure element.
When you want to transfer your Bitcoin, you create a transaction using the wallet software, send it to the hardware wallet, and sign it on the hardware wallet itself using your private keys. The signed transaction is then sent back to the online wallet software to be broadcast to the Bitcoin network.
2. Protection from physical attacks
If someone gains physical access to your hardware wallet, there are unique features offered by hardware wallets that help you defend against attacks. Some of these security features include a secure element, firmware verification, and Layer 1 defense PINs.
Secure elements
A secure element is a microprocessor used to isolate, store, and protect sensitive data. In a hardware wallet, the secure element provides a higher level of protection against physical hacks than a standard environment on a mobile, desktop or laptop. For example, this makes it more difficult for your device to be compromised via bot attacks, side-channel attacks, and cold boot attacks.
Verify firmware
Firmware verification is a way to verify the authenticity of the software on board a hardware wallet. This protects against counterfeit versions and supply chain attacks. Firmware verification ensures that an original, unmodified version of the device is used. Wallet software from manufacturers like Trezor, Ledger, and others checks the device firmware every time you connect it to your computer.
Access PINs
Access PINs in many hardware wallets help prevent anyone except the owner from having immediate access to the ability to sign with keys stored on the device. In most cases, the penalty for failing to enter the PIN correctly within a certain number of attempts is an increased delay between incorrect guesses. In some hardware wallets, exceeding the number of allowed PIN guesses may result in the device being factory reset or even permanently rendered unusable.
Duress PINs
A duress PIN is a security feature that can help protect your Bitcoin in the event of a $5 wrench attack. Duress PINs are particularly important for hardware wallets (since they are used to secure larger amounts of Bitcoin), and the functionality available is particularly powerful in some cases.
For example, the Coldcard hardware wallet offers three types of duress PINs: one that unlocks a decoy wallet, one that destroys the seed upon entry, and one that creates a countdown to customizable “brick modes.” If you end up in a duress scenario, these tools provide you with confidence that attackers won't be able to access the keys underlying your Bitcoin, if they exist at all.
3. Provides a smaller attack surface
It is possible to store your keys offline using a laptop or desktop computer and secure them from physical attacks. However, the general-purpose architectures of these devices provide a larger attack surface for skilled attackers. This means there are more ways attackers can exploit software, firmware, and hardware to design ways to steal your private keys.
In contrast, hardware wallets are built using specialized hardware that narrows their functionality to very specific tasks and limits their connection to the Internet and other devices. Even with a secure element keeping key data behind a firewall, some hardware wallets also restrict the way you connect to external devices: air-gapped hardware wallets primarily interact with other devices via a microSD card. Many manufacturers also offer Bitcoin-only firmware to simplify functionality.
Hardware wallets may be limited in functionality and convenience compared to general-purpose hardware, but this limited functionality also means limited vulnerability. It also has the side benefit of reducing the risk that new vulnerabilities are discovered which manufacturers must patch with firmware updates or hardware revisions.
4. Preparing for increases in value
You may think that you don't have enough Bitcoin for it to be worth the effort to purchase a hardware wallet and learn how to keep your keys securely offline. One of the reasons to get a hardware wallet now is to prepare for Bitcoin's upward price fluctuations.
The common wisdom in Bitcoin is to treat your holdings as if they were worth 10 times what they are today; historically, a move like this can come quickly and unexpectedly. Additionally, if a 10x increase in value would make your Bitcoin holdings uncomfortably large for standard singlesig self-custody, it may be time to consider a more secure self-custody model like multisig.
5. Confirm addresses on the device
Since Bitcoin transactions are irreversible, it is important to make sure when sending Bitcoin that it goes to the correct address. This matters both when sending Bitcoin to someone else and when sending Bitcoin to a wallet controlled by keys on the hardware wallet(s) you own.
With software wallets, malware can replace the real address with the attacker's address in the user interface, making it difficult to verify its authenticity. There is also “clipper” malware, which swaps the receiving address in your computer's clipboard, and other attack vectors.
Hardware wallets help with this by including a physical screen that displays the address you want to send money to, allowing you to verify it before spending. As long as your device hasn't actually been hacked, you can be confident that the address you're shown is controlled by keys stored offline on the device. If you're sending money to a remote recipient, it's best to confirm the address you're sending to across multiple channels.
6. An ideal environment to generate your own entropy
All Bitcoin wallets rely on entropy – randomness – to generate seeds, and the seed is the main secret that generates your Bitcoin keys. Entropy can be generated in many ways, from basic random number generators on the machine, to long strings of random text input, and even the roll of dice or playing cards.
Dice rolls are widely considered one of the best ways to generate your own entropy, reducing the involvement of third parties in generating the randomness needed to initialize your Bitcoin wallet. Some hardware wallets, such as Coldcard, allow you to enter dice rolls on the device to generate a seed phrase. You press 1-6 for each roll, and the rolls are used to create your seed.
Although you don't need a hardware wallet to create your entropy (for example, you can do it on a laptop that's not permanently connected to the Internet), hardware wallets uniquely allow you to do so in a convenient and secure way. Generating your own entropy in the physical world can be fun and a great learning exercise, but it's pointless without the right environment to help you maintain the marginal security you might gain by doing so.
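The path from dice rolls to a seed, as an added example that is not from the original article or any wallet vendor's code. It assumes the rolls are hashed as ASCII digits with SHA-256 (a device may use a different construction), uses hypothetical function names, and stops at the BIP39 word indices because the 2048-word list is not embedded here.

```python
import hashlib
import math

MIN_BITS = 256  # target strength for a 24-word seed


def roll_entropy_bits(n_rolls):
    """Entropy of n fair six-sided dice rolls, in bits (log2(6) per roll)."""
    return n_rolls * math.log2(6)


def rolls_to_entropy(rolls, min_bits=MIN_BITS):
    """Condense a string of rolls ('1'..'6') into 32 bytes of entropy.

    Assumption: SHA-256 over the ASCII digits; not a specific device's code.
    """
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("rolls must contain only the digits 1-6")
    if roll_entropy_bits(len(rolls)) < min_bits:
        need = math.ceil(min_bits / math.log2(6))
        raise ValueError(f"{len(rolls)} rolls is too few; need at least {need}")
    return hashlib.sha256(rolls.encode("ascii")).digest()


def bip39_word_indices(entropy):
    """Append the BIP39 checksum and split into 11-bit word-list indices."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("BIP39 entropy must be 128-256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32  # one checksum bit per 32 bits of entropy
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


if __name__ == "__main__":
    # Constructed sample input. It is a repeating pattern, not random rolls,
    # and must never be used for a real wallet.
    sample = "123456" * 17
    entropy = rolls_to_entropy(sample)
    print(len(sample), "rolls =", round(roll_entropy_bits(len(sample)), 1), "bits")
    print("word indices:", bip39_word_indices(entropy))
```

Each roll contributes about 2.585 bits, so the length check rejects anything shorter than 100 rolls for a 256-bit target; hashing cannot add entropy that the rolls did not contain.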
7. Travel safer
You can easily travel with small amounts of Bitcoin on a mobile phone or other less secure device, but larger amounts of Bitcoin require more thought. Traveling with keys on a laptop or mobile device is risky because these devices are typically hot (connected to the Internet), have limited physical security, and have larger attack surfaces.
Hardware wallets provide convenience and security if you need to keep one or more Bitcoin keys with you while traveling.
You don't have to worry about sketchy WiFi connections or USB ports. You can use duress features as described above if someone physically attacks you. You'll be more protected if your device is lost, stolen or confiscated (attackers will have to overcome the tailored security of the hardware wallet). And they still provide easy access if you need to spend.
8. Enhance the security of multisig setups
Multisig wallets are created by combining multiple keys (versus singlesig wallets that use only one key). Requiring more than one key to spend Bitcoin adds security and redundancy to your wallet, making it useful for securing larger amounts of Bitcoin.
The more secure the individual keys involved in creating a multisig wallet, the more secure the multisig wallet itself is. Hardware wallets enable you to easily create a multisig wallet with clearly defined keys that are securely kept offline. As with singlesig, hardware wallets also allow you to verify multisig addresses offline when sending Bitcoin.
Using multiple hardware wallets is a natural fit for multisig because multisig is often used to increase the security and redundancy of large amounts of cold storage Bitcoin, a goal that physical hardware and seed phrase backups also help you achieve.
Start with self-custody
The first step to upgrading your Bitcoin security is always to take self-custody, whether hot or cold, to eliminate the risks involved in trusting custodians like exchanges. From there, you can explore additional security tools, such as multisig, to find the right balance between security and accessibility for your circumstances.
Originally published on Unrestricted.com.
Unchained Capital is the official US collaborative custody partner of Bitcoin Magazine and a primary sponsor of related content published through Bitcoin Magazine. For more information about the services offered, custody products, and the relationship between Unchained and Bitcoin Magazine, please visit our website.