Overview of Bitcoin Wallets, Private Keys and Beginner Security Practices
Self custodying, akin to self sovereignty, is important in the bitcoin sphere. You may often here the mantra “Not your keys, not your coins”
Self custody is when you hold the private keys to your own bitcoin. By holding your private keys you are not entrusted to any third party, like a bank. The act of acquiring and securing your own keys, puts you on the path towards fully controlling your monetary decisions in a censorship-resistant manner which is one of the key features and promises of bitcoin.
This may sound overwhelming at first, but we hope to break this down in a simple to follow guide to help you towards this path.
For a technical discussion of how public keys and private keys function to allow you to spend your Bitcoin securely read this article: https://learnmeabitcoin.com/beginners/keys_addresses
After acquiring some bitcoin you may be wondering, what is the best way to store my bitcoin? There is a surprising bit of nuance to this question, as self sovereignty does truly depend on the individual.
There is a plethora of information on the internet regarding various different wallets and security practices. Our recommendation is to take self-custody in stages. You do not need to be a security expert with your first bitcoin purchase, but there are best practices to help you progress through the levels of security.
The first step to self custody is to withdraw your bitcoin from an exchange to a Bitcoin wallet.
In this article we discuss:
Reasons to self custody
Overview of Bitcoin Wallet types
Multi signature setups
Running your own node
Lightning network, CoinJoins and Non-kyc for enhanced privacy
Reasons to Self Custody:
In 2022 you may be familiar with headlines of Canada enacting the Emergencies Act to freeze bank accounts of citizens and restrict access to their funds. The ability for governments to restrict funds do not just apply to banks, but also applies to cryptocurrency exchanges. This may be best put by Jesse Powell, the CEO of Kraken (Crypto Exchange):
Even if you do not fear governments freezing your funds, keeping your coins on an exchange means you need permission from the exchange to spend them. The exchange can block you from moving your funds based on their own policies. For example- they may impose a value limit per 24 hours. There may be a maintenance issue when you need access to your funds. They may even block you from withdrawing your funds because of new identification requirements. Again, “Not your keys, not your coins”.
Without your private keys, you are trusting the exchange to actually have the bitcoin you are owed. Akin to fractional reserve banking -- exchange bitcoin are IOUs. If the exchange gets hacked, those coins may be gone forever.
Though, Bitcoin the network has near perfect uptime and the cryptographic public key/ private key pairs are next to impossible to crack. Keeping your coins on exchanges is trusting their security practices (how they store the keys, who has access to these keys, as well as how they implement buy and sell coding). Many exchanges have been hacked in the past (through social engineering and/or malicious software hackers) and coins have been stolen from those exchanges:
More and more Bitcoin/Crypto exchanges are popping up with interest bearing accounts. APRs of 5% on your bitcoin may sound extremely lucrative in this low yield macro-environment, however understanding how these yields are generated is vital in assessing the risk/reward of giving up your private keys to an exchange. While beyond the scope of this article, if coins are left on an exchange, they can engage in fractional reserve lending – lending YOUR bitcoin for an interest rate. If defaulted on this loan, that bitcoin is gone and they are paid back in dollars. If a hack, or mass withdrawal of bitcoin happens on this exchange for any reason, those coins may be gone forever.
Bitcoin is beautifully simple and simultaneously quite complex. Owning your own keys will help you start to truly appreciate how bitcoin works.
Bitcoin Wallet Overview:
Now you want to own your private keys, the first step is to decide how to store your Bitcoin.
With Bitcoin wallets, you are often making tradeoffs of convenience vs security.
The first thing we must know is that wallets DO NOT hold your bitcoin. They hold private keys. Private keys produce signatures that allow you to spend your bitcoin. Private keys must be kept hidden to prevent others from spending YOUR bitcoin.
Technically, your private key is an unimaginably long number. The goal of a Bitcoin wallet is to keep this number safe, while letting you use it. Wallets will represent this number to/for you in a variety of ways. Commonly they produce a backup of this number as a 12-24 word seed phrase that YOU must keep safe.
It is best practice to store this phrase on paper or engraved in steel, completely off-line.
Having this phrase connected to the internet in any way, drastically increases your chance of getting your funds stolen.
Understanding this will help you start to understand some of the trade offs of the different wallets:
Mobile Bitcoin Wallets:
Web and mobile wallet software services often store your private key on your behalf on their servers in a way that ONLY YOU can decrypt. Some other mobile wallets (that we prefer) won’t store private keys on your behalf. Instead, all the wallet data, private keys and passwords are extensively encrypted and stored on your phone.
This option is great for beginners and smaller amounts of bitcoin. Mobile wallets are great for quick transactions (they often enable both on-chain and lightning transactions) and certain mobile wallets also help improve your privacy.
The drawback of mobile wallets is that the device is almost always connected to the internet. This leaves you vulnerable to certain attacks (phishing/malware for example). Further, if an attacker gains physical access to your phone, they can drain your funds easier than other methods.
Best Mobile Bitcoin Wallets: Muun Wallet, Blue Wallet, Samurai (privacy focused, android only), Breez wallet (Android, and IOS Beta)
Desktop Bitcoin Wallets:
Similar to mobile wallets, the private keys are stored on your computer.
Desktop wallets are often more powerful than mobile wallets. Certain desktop wallets allow you to link hardware wallets, link your own node and have great privacy benefits (access to Coinjoins).
Some hardware wallets have great user interfaces and offer a great user experience.
Again the downside is your device is connected to the internet. Common term for a wallet that is connected to the internet is Hot Wallet.
Best Desktop Wallets: Sparrow (intermediate), Electrum (advanced), Specter (intermediate), Blockstream Green (beginner)
Bitcoin Hardware Wallets
Hardware wallets are made to store your private keys offline (Cold Wallet). These electronic devices are designed to never release the private information from the device. Most hardware wallets come with a display which allows you to initiate and/or sign transactions. These devices are generally extremely secure, preventing you from a host of potential vulnerabilities mentioned above. They are suitable for securing large amounts of bitcoin.
By default most hardware wallets will have users connect to the manufacturer’s web interface and node. However, hardware wallets allow you the flexibility to connect to your own node and increase your security/privacy.
The biggest downside of hardware wallets is the need to secure the 12-24 word seed backup phrase. If your wallet breaks or is stolen, this phrase will let you restore your wallet and regain control of your funds. Keeping this phrase safe should be a well thought out strategy. We recommend backing up this phrase in multiple locations with a metal backup (to protect from potential fire damage).
Best Hardware Wallets: Cold Card (intermediate), FoundationDevices Passport (beginner to intermediate), Trezor (beginner - easier to use but makes some privacy tradeoffs by default) , Ledger Nano (beginner - easier to use but makes some privacy tradeoffs by default)
Multi-Signature Bitcoin Wallets
Multi-signature wallets as the name suggest, requires multiple signatures in order to send Bitcoin. The number of signatures needed are a proportion of the total number of possible signatures. For example a “2-of-3” multi-sig requires 2 out of 3 possible signatures to send Bitcoin.
Multi-signature set ups are extremely secure and remove single points of failure.
If a private key is found, leaked, or hacked, coins are still secure as it is very unlikely that an attacker is penetrating multiple secure platforms or locations at once. In these set-ups one of the keys can be kept in a physical location not connected to the internet for further protection.
The major downside of multi-signature set ups is that they are difficult and quite technical to accomplish on your own. There are services that do this for you, however they often require an ongoing fee for this service. In addition, multi-signature set ups are not convenient for spending bitcoin. This setup is best suited for long-term storage (deep cold storage).
Running Your Own Node:
I cannot stress enough the importance of setting up your wallet with your own
A deep dive into Bitcoin nodes is beyond the scope of this article, but running your own node is vital to the Bitcoin network and is incredibly important for increasing privacy, and self-sovereignty.
Full bitcoin nodes run the Bitcoin Software and maintain a complete copy of the Bitcoin blockchain. Nodes validate each block and transaction before adding them to the blockchain and serve as a check on the Bitcoin network.
In terms of security levels, once you are comfortable with a hardware wallet, we recommend learning about nodes and learning how to run your own.
Lightning Wallets, CoinJoins and Non-KYC Bitcoin
We briefly touched on mobile wallets that also serve as lightning wallets.
The Lightning Network is a second layer added on the Bitcoin Network that allows for secure non-custodial off-chain transactions.
Again the full scope of the implications of the lightening network requires it’s own article. Wallets that allow non-custodial lightning transactions add potential privacy benefits, as well as near 0 transaction fees. Keeping large amounts of bitcoin on the lightning network is not currently practical, but it is important to keep in mind that it exists from a security stand-point and does allow for self-custody.
Learning about CoinJoins, in our opinion, fall somewhere between using a hardware wallet and running your own nodes. CoinJoins are a trustless method of combining multiple bitcoin outputs into a single transaction. A coinjoin/ coinmixing service such as Whirlpool can return that initial output back to your wallet as a new output that breaks that link to your identity. This essentially gives you forward looking privacy.
It is good to remember that Bitcoin is a public ledger. If you acquired bitcoin by giving up your name, address, phone number, or other identifiers to a centralized exchange (KYC regulations), your future transactions can theoretically be linked back to your identity. KYC stands for "Know Your Customer" and is a rule that requires every broker-dealer (includes crypto exchanges) to use reasonable effort when opening and maintaining client accounts. It is a requirement to know and keep records on the essential facts of each customer, as well as identify each person who has authority to act on the customer's behalf.
CoinJoins help break that link for the future, but do not change the fact that a centralized exchange has the information that you bought bitcoin and originally sent it to “X” address.
There are methods to acquire bitcoin through methods that do not require KYC such as Bisq network, Bitcoin ATMS, etc. We ultimately recommend these methods of acquiring bitcoin, but do understand they may be a bit complex for a Bitcoin novice. Once you are able to hold your own keys securely through methods mentioned above, this might just be the next step in your security rabbithole.