The idea of “tiered crypto storage” was first popularised by Andreas Antonopoulos.
Tiered storage, in short, refers to a crypto cold storage setup where you use several computers or mobile phones to store your cryptocurrency.
The security is then enhanced by your behavior:
- You will never use a device with a lot of crypto on it for daily browsing and downloading.
- You will use a device with a tiny amount of crypto for that.
This split is what makes your storage tiered.
It does mean taking extra steps. But there is no benefit in user-friendly processes if they involve large amounts of money. Why would you want to make that kind of thing easy?
Why a tiered system when we have hardware wallets?
In principle, separating your activities per device is what hardware wallets do. A hardware wallet like Ledger is a single-purpose device that can only store crypto and nothing else.
The problem with hardware wallets is that they are black-box commercial products. Every hardware wallet stores your private key on it, and it has been demonstrated that the seed can be retrieved under certain conditions.
While the sourcing of hardware is as questionable in the case of laptops and phones as it is in hardware wallets, using a custom solution at least gives you an extra layer of security.
- Everyone knows what a hardware wallet looks like, everyone knows what's on it.
- Every hardware wallet accessed physically and flashed with a malicious firmware version will give away the private keys.
- Scripts to hack popular setups are a commodity that is sold in bulk and doesn’t require technical skills.
- Hacking a custom solution requires far more knowledge and experience.
Do you absolutely have to do tiered storage?
The answer is no.
For some it’s not much of an inconvenience to have separate devices for different activities, but the truth is it is a pretty technical way to go about things.
The next best thing is to split your holdings over several crypto wallets. In 2024 we can already choose from a pretty good range:
- Coldcard is a Bitcoin-only hardware wallet that is specifically focused on security as well as privacy. If you are diversifying your wallets, you should not leave Coldcard out.
- Trezor One is not a good choice, but the new Trezor T models have been overhauled in some pretty major ways. They store your private key split in parts, not as a single piece of text, which is a good security enhancement.
- Ledger is obviously the most popular crypto wallet, and also one that has a better score in terms of security than Trezor. Since 2022 they have a device called Nano Plus, which is affordable like the old Nano but has enough memory to hold 100+ altcoin and NFT apps.
Storing your crypto in parts on all three of these will lower your losses in case of (unlikely) incidents such as a malicious firmware update being distributed through the official channels.
Storing your crypto on multiple devices of the same type can be helpful in times of robberies or burglaries - the criminal is likely to leave with the first wallet they find, as long as you don’t store all your wallets together.
Tiered devices for cryptocurrencies
There are four tiers - the cold, warm, hot and beater devices.
The cold device
A cold wallet is where cryptocurrency holders store coins they are planning to hold for multiple years.
A cold device, the device that carries the cold wallet, is not to be used for your normal day-to-day work. It is an offline, so-called “air-gapped” device.
Its disk was scrubbed and its OS reinstalled before the cold wallet was put on it.
It does not connect to the internet, not even to make a transaction.
The technically simplest type of cold device is a “paper wallet”: Your private key written down is an item that will always stay offline. (Paper doesn’t last, use steel to do this.)
The classic crypto geek way of setting up a cold device is by air-gapping a laptop - more on that further down.
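A preflight check for the cold-device rule above, as an added example that is not part of the original article: it reads Linux sysfs and flags any non-loopback network interface that has a live link or a Wi-Fi radio present. The function names and the assumption that the cold device runs Linux are choices made for this example.

```python
import os

def _read(path):
    """Return a sysfs attribute as stripped text, or '' if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:  # e.g. 'carrier' is unreadable while the interface is down
        return ""

def airgap_findings(sysfs_net="/sys/class/net"):
    """List (interface, reason) pairs that contradict an air-gapped setup."""
    findings = []
    for name in sorted(os.listdir(sysfs_net)):
        if name == "lo":  # loopback traffic never leaves the machine
            continue
        base = os.path.join(sysfs_net, name)
        # A radio that is only switched off can be switched back on by software.
        if any(os.path.exists(os.path.join(base, d)) for d in ("wireless", "phy80211")):
            findings.append((name, "wireless radio present"))
        # operstate "up" or carrier "1" means there is a live link right now.
        if _read(os.path.join(base, "operstate")) == "up" or \
           _read(os.path.join(base, "carrier")) == "1":
            findings.append((name, "link is up"))
    return findings

if __name__ == "__main__":
    problems = airgap_findings()
    for iface, reason in problems:
        print(f"NOT AIR-GAPPED: {iface}: {reason}")
    raise SystemExit(1 if problems else 0)
```

Run it before unlocking the wallet; a non-zero exit status means the machine should not be treated as cold.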
The warm device
A warm device is a dedicated device that you use for handling cryptocurrencies, but it gets online sometimes. While you don’t go to any dangerous parts of the internet, you still cannot be sure if the device is safe or not, because it connects to the internet.
Once it has connected to the internet, you cannot know whether it has downloaded a malicious file, perhaps through a background process you were not aware of.
Commercial hardware wallets are warm devices: Their user interfaces are full of frills that communicate with remote destinations that can potentially be poisoned.
The hot device
A hot wallet is a cryptocurrency wallet that lives on a device that is connected to the internet most of the time.
Crypto traders have their trading stash in hot wallets like Exodus or Metamask. It’s convenient, easy to use, connects to DEX apps through your browser.
These wallets should not store a major part of your crypto.
If you are a crypto trader, use 2FA and have at least a trading computer and a beater computer. Multi-factor auth can be breached too, so use your trading computer just for trading and don’t expose it to any extra dangers.
The beater device
A beater device is a laptop, smartphone or tablet that you use for all of your risky activities.
These include visiting untrusted websites, watching p0rn or sports streams on dodgy websites and browsing sites with loads of ads that often carry viruses. Downloading movies or pirated software belongs here too.
Your beater device should not store any cryptocurrency wallets. You shouldn’t use it to log into crypto exchanges, in case there’s a keylogger. You shouldn’t use a beater device to log into mailboxes that you signed up with at crypto exchanges.
Making a custom Bitcoin cold storage
First off, cold storage is pretty much a Bitcoin-only thing. Alt coin projects do not focus on privacy and security nearly as much as on user-friendliness. Sadly, software needed to set up a cold storage typically does not exist for alt coins.
But if you are a crypto holder, especially a large one, willing to long-term hold Bitcoin, here is why a real cold storage matters:
- A cold wallet is a Bitcoin wallet on a computer that never gets connected to the internet.
- In Bitcoin wallets like Electrum, you can create and sign a transaction out of your wallet even if the wallet is offline.
- To broadcast the transaction, you need to plug it into a different wallet on a “warm” computer that is online. A dedicated USB stick is used for this.
- Since the transaction is already signed when it reaches the online device, your private key is not involved in any action on the online computer.
- Because the private key never reaches an online device, it cannot be stolen: Neither through software nor through hardware holes.
What is the security score?
Well, the only way your private key could ever get stolen is if somebody stole your air-gapped laptop.
They’d first need to have the information that the laptop is worth stealing and hacking into. Then they’d need to find a way to log into your user account, find the crypto wallet, obtain your decrypt password and then expose the private keys.
This is the same risk that exists with hardware wallets, except the custom solution is not standard and would require lots of professional experience on the part of the hacker.
Contrary to that, scripts targeting common devices are a commodity. They can be bought as stock, set up in such a way that no technical skills are needed. This is how the majority of cyber attacks are launched these days - they run on commodity scripts.
Software wallet on an offline computer
Electrum is a super simple non-commercial wallet that doesn’t have any of the shiny UX features you’ll get with wallets like Exodus, Ledger or Trezor.
But for the purpose of a cold wallet, no frills is exactly what you want.
- The Electrum Bitcoin wallet provides a step-by-step guide on how to set up cold storage with it in its official docs.
- CryptoCompare has a guide on how to do an offline transaction in Bitcoin Electrum.
Here is also an old tutorial on how to use a Raspberry Pi for cold storage that is still valid, perhaps with minor adjustments since the hardware got better.
If you have it in you to split your online activities at least between a “work device” and a “beater device”, I recommend going through with it. The benefits over the long run are beyond doubt.
If you don’t want to deal with geeky Linuxy things at all, at least split your holdings between several wallets.
Out of the commercial hardware wallets, the Bitcoin Coldcard is the best choice in terms of privacy and security.