Tiered Crypto Storage: How to do it right
If you hold cryptocurrencies, there’s never too much security. It is not even such an inconvenience to have separate devices for different activities, though: That’s cold, warm, hot and also beater devices.
Read also our newer article on how cryptocurrency stealing boomed since the start of 2018.
Cold device for cryptocurrencies
What’s a cold wallet
A cold wallet is where cryptocurrency traders and holders store coins they are planning to hold for multiple years.
The cold wallet is “air-gapped”, it doesn’t ever get online and lives on a device that is not normally used for anything.
The device that carries it
A device that carries cold wallet is not to be used for your normal day to day work. It is offline, it had its disk scrubbed and OS reinstalled before the cold wallet came on to it and it does not connect to the internet ideally not even for making a transaction.
Of course, a perfectly ideal device is no device: learn about paper wallets.
The wallets on the cold device must be backed up to make sure it’s not your single point of failure. The best backup is the seed written in pencil on a sheet of paper stored in a safety deposit box or split and given to multiple people, but depending on what you do it might be important for you to backup the wallet files too because the seed recovery doesn’t retain your transaction notes nor address labels.
Back in the day before commercial hardware wallets, bitcoiners used to use Bitcoin Armory as their cold storage solution.
The idea was that you created a real wallet on an offline machine, you exported the keys and created a watch-only version of the wallet on your warm or hot device. To make a transaction, you’d create an unsigned transaction in the watch-only wallet and you’d export it to transfer it to your offline device. You’d sign your transaction in your cold wallet and export it again to your online machine, where you’d load the signed transaction and broadcast it. This system makes sure your private keys won’t get exposed while they are decrypted during the transaction signing – as long as your cold device is indeed safe and you transfer the transactions securely.
This oldschool cold wallet setup with Armory is still possible, as it is possible with Electrum bitcoin wallet – here are the official docs.
Here is also an old tutorial on how to use a Raspberry Pi for cold storage that is still valid, perhaps with minor adjustments since the hardware got better.
Altcoin cold storage
Altcoin wallets typically focus on user-friendliness rather than on security so the cold wallet feature is not so common. With Ethereum, Monero and Iota you can choose to work with seed phrase only though, which can reside on a cold device.
- ETH and ERC20 tokens: myetherwallet.com
- Monero: mymonero.com
- IOTA: full tutorial
For most popular coins you can also safely generate a paper wallet.
Warm device for cryptocurrencies
Warm device is a dedicated device that you use for handling cryptocurrencies, but either it gets online sometimes or you don’t really know what’s in it and whether it is actually safe. So:
Is your Ledger wallet or your Trezor not a cold wallet?
Cold device is a device that is secure and you know it inside out. Hence, no, a commercial hardware wallet is not a cold wallet. It is reasonably safe and in most cases that’s good enough but it is not the best thing you can do.
Imagine the sh1tstorm if commercial hardware wallets all of a sudden started getting hacked, maybe because a fault in a piece of hardware the wallet vendor got from a third party.
Commercial hardware wallets are warm wallets.
Your hot device for cryptocurrencies
What’s a hot wallet
Hot wallet is a cryptocurrency wallet that is connected to the internet most times. The term “hot wallet” is mostly used to describe a wallet that belongs to a crypto exchange, and it is where your withdrawals come from. If you are a trader, you will want to have your own hot wallet though. Crypto traders have their trading stash in hot wallets too – think Electrum, Jaxx or Exodus desktop wallets. These should be reliable wallets on their trading computer where they withdraw money from exchanges once they’ve closed their positions and called it a day.
The laptop that carries your hot wallet
That’s the second point of this section: have a trading computer. The place that you use to access your exchange accounts and your trading stash storage has to be online but it shouldn’t be exposed to unnecessary dangers. You should use your hot device only for your trading and work, your social media, email accounts and generally trusted websites only.
All you can secure with a 2FA should be secured that way, and the app that generates your 2FA codes should be installed on an old smartphone that you don’t use for much else.
Your beater device
A beater device is a laptop, smartphone or tablet that you use to visit untrusted websites, watching porn or streams on dodgy websites with loads of ads that can carry viruses, downloading movies, installing pirated software and generally doing all the things that put you at risk of accidentally getting your device infected with viruses or malware.
- Your beater device does not store any cryptocurrency wallets.
- It is never used to login to your exchange accounts or online wallets.
- It is not used to login to the email accounts that you use for cryptocurrency exchanges.
- It does not store backups of anything crypto-related.
Still have an antivirus though, it’s pointless to spend time cleaning up a laptop when with an antivirus you maybe wouldn’t have to.