Wiki Wiki Web

Bitcoin: How to safely store investment quantities of bitcoin

If you go by the pragmatic principle to trust people in general, a suitable second principle is to check what people tell you, and to put yourself in a position to do more comprehensive checks as your stakes increase.

Online bitcoin wallets from the largest and most reputable companies have been hacked (e.g., Mt Gox). The bigger the company, the more it attracts hackers. Bitcoin wallets are only as secure as their private key.

It is best to control your wallet key creation. If you buy a ready-made solution from a vendor, besides checking that it works on small amounts, you need to know how the key is created, stored and controlled before using it for large amounts. Of course, no such effort is required for the customer who buys such a device to hold a little bitcoin change, just as a USD200 coin pouch may be bought to organise nickels and dimes, but then you might as well keep the change in the exchange's online wallet.

Safest of all is to create a cold wallet without relying on any opaque bitcoin-vendor tools, so that you control the process and can see its security. The tools require familiarity with git and bash.

A lot of people are helpful, scams are rare, but out of five bitcoin-specific websites I tried today, one of them was a scam.

Why? Agency requires reversibility, Principals must control private keys

For fiat currency, there are recourses to undo a transaction in case of error or fraud. A large bank delegates its systems maintenance and their operations to its many agents. The bank's management knows that if an agent commits wire fraud and tries to steal a sizeable portion of its assets as in the Mt Gox case, the transaction will be cancelled. If a thief commits wire fraud even for much smaller amounts, there is always a risk that the fraud will be discovered, and he will never enjoy the sound sleep of the innocent.

This contrasts with cryptocurrency transactions: an online exchange cannot reverse a transaction or help mediate a dispute. Irreversibility is described as one of the most important features of bitcoin from the start of the seminal Bitcoin article by S. Nakamoto. Large organisations need reversibility if one of their agents makes a mistake or causes a dispute. Because of this, for the largest Bitcoin exchanges that employ many agents for their operation, it is the management who cannot sleep soundly.

When using a commercial wallet hardware key and software, the wallet vendor knows better than the principal how the software creates the private keys and how they are accessed. This is a case where you need to be able to spend time to evaluate the safety of the solution implemented as the wallet value increases.

Alternatively, a bitcoin wallet can be created with free Unix utilities that are not specific to Bitcoin. Using such tools ensures that you are the only owner of the private key and that no one else is sure how you created the private key. Having a transparent process for wallet key creation is important so that you can evaluate the risks.

Doing this results in the most secure wallet possible, but since you are following your own procedure, you need to test to make sure that money sent to that wallet can be retrieved by you later. It is very easy to lose funds by using the wrong address. I explain the steps I followed to do this and more importantly, to check that it works.

How? Procedure for creating a safe wallet (and knowing that it works)

Cold wallets have a public address that you can share with anyone, and private keys that are not stored on an online computer.

The following method can ensure that nobody sees your 12 to 24 generating words and your private key, because it does not involve bitcoin-specific binaries or tools other than a script. You need to know about git and bash, either on Linux or on Windows/Cygwin. First try it and make sure that it works. Then, if you need extra safety and are worried that someone is logging your clipboard and typing, you need to run it on a fresh Linux distro booted from a USB drive.

  1. start with a sheet of paper and select 24 words, using only the first 4 characters in lowercase for steel wallet compatibility.
    Example phrase: echo -n "don't use this" | sha256sum
  2. generate a private key by using sha256sum on these 24 words.
    Example output: 6782e7c3203a097a9b4c399d2ce9160e037f13646721dad9ea851ee89ac6716e
  3. on Linux or with Cygwin (requires git, bc, and xxd) use the bitcoin.sh script by Luc Grondin to generate the public address (which you can share with people to receive BTC), and the WIF (Wallet Import Format, aka private wallet key which allows you to spend the bitcoin).
    Example:
    . bitcoin-bash-tools/bitcoin.sh
    newBitcoinKey 0x6782e7c3203a097a9b4c399d2ce9160e037f13646721dad9ea851ee89ac6716e
    compressed:
    WIF:KzgvWdT3gLBk512EuwUL6XAvqyPjBeQ9C2C3a5hVvvL9AqK8fjfV
    Address:1Dt7xMGaAKAyJUyhmGdPdB12Au4PzEabKi
    Uncompressed:
    WIF:5Jbse5BS5P25KaY6REFMBmSp6CsTn1KPFH8VDw5eNHAKcnsNqvE
    Address:1D5GpSFUrgjaHaTEipDXjENCYWx7NoZdX3
    Comparing to blockchain.com and bitaddress.org, it appears that you need the compressed address and WIF.
  4. create 3 wallets that way, you will burn two of them by exposing their private key as you check that they are working
  5. the integrity of the algorithm can be checked with bitaddress: pass it the compressed WIF of one of the wallets and check that the WIF and address are the same. This exposes the private key of the first wallet, since passing the private key to a URL can only be done for a test wallet.
  6. wallet balance can be checked using the blockchain explorer: you need to pass the compressed private key; if the wallet does not exist, blockchain.com will just ignore it. You can send money from blockchain.com or any other online wallet you have to the compressed address of your second wallet.
  7. you can take control of that wallet on blockchain.com once logged in by entering its compressed WIF. Since you are sharing the WIF private key with an online agent, this wallet is not safe for large amounts, but you need to check that you are able to send money from it.
  8. you can use the 3rd wallet and make a QR code for receiving using this generic QR code maker or this specific Bitcoin QR code maker. Caveat: Most of the top search results for Bitcoin QR code generators lead to sites that will steal your coins. I tried the most untrustworthy site https://www.bitcoinqrcodemaker.com/, and it created a picture that does not import to my address. I trusted that site and I think that I just got scammed out of USD10. You need to check such addresses with a QR scanner. A generic QR code maker is more trustworthy; although there is no Bitcoin logo in the middle, you just prefix the compressed address with "bitcoin:" as in bitcoin:1DDJxMNmYLdqYRCrALWTm9D2ZApuAYj1c1
  9. this is still not safe to do on a machine that has been connected to the internet for long, because you do not know what happens when you copy-paste a string or type something, so it is safer to do all of this on a Linux box with no network access if you are going to have a big wallet. The QR code can be generated with
    qrencode -o qrcode.png 'Hello World!'
    display qrcode.png
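An offline check for steps 3, 5 and 8, added here as an example (it is not part of bitcoin.sh or of the original page): it encodes and decodes WIFs with Base58Check, reports whether a WIF is the compressed form, and confirms that a scanned QR payload carries exactly the expected Base58 address. The function names are hypothetical, and the key in the demo is a widely published test vector, not a usable wallet.

```python
# Added example; function names are hypothetical, not taken from bitcoin.sh.
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _check(payload: bytes) -> bytes:  # first 4 bytes of double SHA-256
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    data = payload + _check(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # each leading zero byte is written as a leading '1'
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def b58check_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    zeros = len(text) - len(text.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _check(raw[:-4]) != raw[-4:]:
        raise ValueError("Base58Check checksum mismatch")
    return raw[:-4]

def wif_encode(key_hex: str, compressed: bool = True) -> str:
    key = bytes.fromhex(key_hex[2:] if key_hex.startswith("0x") else key_hex)
    if len(key) != 32:
        raise ValueError("private key must be 32 bytes")
    # 0x80 = mainnet private key; trailing 0x01 marks the compressed form
    return b58check_encode(b"\x80" + key + (b"\x01" if compressed else b""))

def wif_decode(wif: str):  # -> (key_hex, compressed), or ValueError
    p = b58check_decode(wif)
    if p[0] != 0x80 or len(p) not in (33, 34) or (len(p) == 34 and p[33] != 1):
        raise ValueError("not a mainnet WIF")
    return p[1:33].hex(), len(p) == 34

def qr_matches(scanned: str, expected_address: str) -> bool:
    # True only if the scanned QR text carries exactly the expected address
    addr = scanned.split("?")[0]
    addr = addr[8:] if addr.startswith("bitcoin:") else addr
    try:
        return b58check_decode(addr) is not None and addr == expected_address
    except ValueError:
        return False

if __name__ == "__main__":
    key = "0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d"  # published test vector, never fund it
    print(wif_encode(key), wif_encode(key, compressed=False))
```

Run it on the offline machine: `wif_decode` tells you which form a WIF is before you import it, and `qr_matches` takes the text your QR scanner returns.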

Some Bitcoin vendors first ask for a lot of private information, then agree to take your fiat money and have their app "declare" that you own some bitcoin. No one knows what they do with their clients' private information or who owns the private keys to the clients' wallets. You would think that they make their clients feel safe by submitting them to rigorous KYC, which makes them look like banks.

A vendor such as blockchain.com seems to be the more reliable type. They have a website and an Android/iOS app. Still, the "blockchain" phone app associated with blockchain.com appears to not read QR codes correctly; no scam there, as the first letters all match, whereas bitcoinqrcodemaker was a scam today because many of the first characters are different.

If you need to withdraw a small amount of BTC from a large cold wallet, you will need to prepare a new cold wallet where you can transfer the balance after you put the wallet online.

You may lose some money testing bitcoin, do small tests

Do small transfers first. I lost my first USD10 transfer, then my second USD5 transfer, then I did USD1 transfers because there is no reason to lose a lot. Tx cost is around 30ct to 66ct today. So it cost me USD18 to learn how to do this, but I could have learnt the same for USD4.

  • used the first Google search result, the scam website https://www.bitcoinqrcodemaker.com, to generate a QR code and irretrievably lost the USD10, as I see that the QR generated is unrelated to the address I entered.
  • entered the uncompressed address as the wallet in the blockchain app and irretrievably lost USD5, as the blockchain app requires the compressed address
  • it seems that if I send USD1 to a compressed address from bitaddress and declare the private compressed key in blockchain, I see the transaction and can access my funds; this validates bitaddress and the QR code it generates
  • I could also check that compressed WIF and addresses generated by bitcoin.sh can be recomputed by bitaddress.org if I enter the compressed WIF.

Completing the loop: putting the cold wallet online

For a cold wallet with small amounts, an online vendor like blockchain.com can be relied on to import a WIF quickly. For a larger cold wallet where you want to be safest, you need to download the bitcoin core client and download the whole blockchain to import the wallet.

As of Sep 2020, the blockchain is 300Gb and growing 60Gb per year. A 500Gb SSD will serve you until 2023, a 1Tb could serve you until 2031.

  • I tried to use a Win10 PC; it downloaded the first 30% of the blockchain very fast, then network traffic slowed down to a trickle, and that PC with a non-SSD drive could not download the blockchain after 2 months.
  • set up a Linux machine like a Raspberry Pi 4 with 4Gb RAM and a 1Tb SSD disk, and downloaded the blockchain in 10 days
  • I did this by downloading bitcoin-qt and running it continuously
  • To import the WIF, as explained here: open the console window and type
    walletpassphrase "YourLongPassphrase" 600
    importprivkey yourPrivateKeyInWalletImportFormat "TheLabelThatIWant"
  • then bitcoin-qt will go through the whole blockchain to find the wallet address. On a Raspberry Pi 4 with SSD, the import took 4h50 min

Sources:

  • Minimal way to create bitcoin wallet: steemit
  • Here is the code to go from private sha256 key to the public bitcoin address and wif: grondilu github
  • Cobo Tablet or CryptoSteel on amazon so that your wallet passphrase is written on something less fragile than paper.

Useful? Donate BTC Here:

Feel free to donate to this address!

bitcoin:1GF3oqReWbZS2LR6ivL2U4oUV1cd584vpo

hot wallet: 1PdEhiUScSKK24d7SMTEsxNf3HDGVqdgdo