What Is Bitcoin Cold Storage

  • A cold storage wallet has keys that never touch an internet-connected computer.
  • Cold storage offers superior security at the cost of lower convenience.
  • No storage solution is perfect. How a user chooses to store bitcoin should be based on personal comfort and risk assessment.

How Are Bitcoin Stored?

When a user holds bitcoin, they are not storing the actual coins, but rather the private keys that unlock the bitcoin they control. Arbitrary amounts of bitcoin can be locked to a single private key, so protecting these keys is vital.

Learn more about Bitcoin private keys.

The twin threats to bitcoin storage are user error, in which the user loses access to their private keys, and theft, in which an attacker gains access to the keys and can steal the associated bitcoin. We will call the former set of threats “internal” and the latter set “external” threats.

A variety of storage solutions have been developed to reduce both of these risks. There are two main storage types: hot storage and cold storage. In a technological context, the word “hot” means connected to the internet or other devices. Likewise, “cold” means completely disconnected from external devices or the internet.

Since any device connected to the internet is potentially vulnerable to data leaks, loss of privacy, and malware, the most secure device is a cold one.

Many bitcoin holders choose to implement multiple solutions in order to take advantage of the tradeoffs between convenience, privacy, and security. They will often store small amounts of bitcoin for spending or trading on less secure, more accessible devices such as a mobile app or a laptop, while storing larger amounts of bitcoin in more secure fashions.

Cold storage is a secure device that remains isolated from the internet.
The term cold describes devices completely disconnected from external devices or the internet.

A cold storage setup is most suitable for large amounts of bitcoin which are not intended to be spent often. Due to the setup of most Bitcoin wallets, it is still possible to receive bitcoin while keeping your private keys cold.

By keeping your public keys available through a watch-only wallet, you can share addresses with other people in order to receive bitcoin straight to your cold storage without any security risks.

Cold Storage Methods

The rest of this article will elaborate on the vulnerabilities of each Bitcoin cold storage option. While none of the options are perfect, all are viable. With that being said, security and privacy are a spectrum, and the device’s security is entirely dependent on the user’s practices. A good device can be compromised by improper use, while a simple solution can remain secure if implemented well.

Paper Wallet

The simplest solution to bitcoin storage is to write down or print out the private key which stores your bitcoin. As the name suggests, some users physically write or print their keys on a slip of paper.

This solution is completely cold: there is no way for a hacker to digitally access a piece of paper. However, a paper wallet usually does not give the user the ability to easily generate new addresses with which they can receive bitcoin. Thus, while they maintain high security, they are unable to receive bitcoin.

Warning: avoid address reuse to protect your privacy.
Reusing addresses—receiving multiple payments to the same address—is not advised as it reduces your privacy.

Internal Threats

The internal threats of a paper wallet are significant: paper is susceptible to water, fire, pets, children, or other everyday objects. For this reason, several companies have started offering metal products capable of storing Bitcoin secrets. These are resistant to many of the above physical threats.

External Threats

The greatest external threats to a paper wallet arise at its inception. Most users use software to generate the private key and then write it down or print it out. Some software will maliciously relay the generated key to a server, allowing a third party to access any bitcoin sent to that private key’s address. Additionally, some malware may exist on a user’s computer that is capable of tracking the keyboard and/or the clipboard—what is being copied and pasted.

Thus, to safely generate a private key for a paper wallet, always disconnect the computer from the internet and bluetooth. Any service that offers to generate a key should be capable of running offline. Additionally, avoid copy-pasting or typing the key on any device.

Almost all paper wallets will be compromised if physically accessed by an attacker. If a user writes their key verbatim on a slip of paper and an attacker finds the paper, the key will be compromised.

Users have the option to encode their key such that an attacker cannot decipher the paper wallet to derive the key, but any method of doing so could increase the difficulty of a user recovering their own funds.

Hardware Wallets

A variety of companies offer hardware devices that will digitally store private keys. These devices will also generate new addresses for the purpose of receiving more bitcoin without reusing the same address.

Hardware wallets are often single-purpose computers, only capable of storing keys, generating addresses, and signing transactions. Regardless, it’s a best practice not to install any additional software other than the official software associated with the hardware wallet. Reducing the amount of software on a hardware wallet reduces its attack surface, minimizing its vulnerability.

A hardware wallet will generate a seed, which will allow a wallet to be restored on another device if the hardware wallet is lost or damaged. The seed is encoded in the form of a 12-24 word phrase. The words must be stored in order and should be backed up. If the seed is lost, the wallet will not be able to be restored; if it is exposed, all funds in the wallet can be stolen.

Internal Threats

Hardware wallets are more secure against damage than paper wallets, but like all electronic devices, they are still vulnerable to water and should not be exposed to high heat or magnets.

External Threats

Hardware wallets have several security features that are meant to protect a device from an attacker. First, a hardware wallet is meant to stay disconnected from a computer as much as possible. This is a cold storage method that reduces the threats of malicious software being introduced to the device. Most hardware wallets also require a PIN to unlock, however, if an attacker gains physical access to a user’s hardware wallet, there is no way to ensure ultimate security. The PIN can be guessed or the seed can be extracted from the device. Thus, it is important to ensure the physical security of a hardware wallet, as well as the backup seed phrase.

Learn more about Bitcoin wallets.

Conclusion

Various methods of storing Bitcoin private keys make trade-offs between security, privacy, and convenience, including trade-offs between security against internal and external threats such as forgetfulness, physical destruction, or hacking.

Hot and cold storage solutions are implemented in a variety of ways by different companies or open-source projects, so selecting a particular solution should come after detailed research into the options.

With regards to cold storage, there is an advantage in not having to upgrade software or change the setup very often. Consideration should also be given to inheritance procedures: if something happens to you, can your relatives recover your bitcoin?

Learn more about protecting your bitcoin.