What environmental factors should one consider when deciding upon the various options available to store and manage Bitcoin private keys?
Bitcoin key management is probably one of the scariest aspects of interacting with your money for a new user with any sizable amount of value. It’s also one of the most important aspects. One of the core aspects of bitcoin that truly differentiates it from the forms of digital value that preceded it historically is the ability to control and custody your own funds, to not have to depend on some central authority or record keeper to maintain possession of and retain the ability to transfer or spend it. Without the ability to hold your own private keys, it would not be possible to truly use bitcoin in a self-sovereign way without third parties. This opens up a door of massive potential and possibilities, but also a door to massive responsibility and risk. As has commonly been reiterated many times over the years, there is no Bitcoin customer support. There is no help desk to call, no one to hold your hand and undo mistakes you might make, there’s just you.
This is the most difficult hurdle to overcome in terms of taking custody of your own bitcoin, and it is both a mental and practical hurdle. The space is awash with different ideas of best practices, how-to guides, opinions on the best device to use, and new users are bombarded from all directions with this information when they arrive here. The simple reality though, is that there is no one-size-fits-all solution to how to store your bitcoin. There are some things that are more widely applicable to people than other things, there are solutions that are better suited for larger or smaller amounts, there are some solutions that make no sense or make perfect sense depending on your living situation. But there is no one best practice for managing your private keys that applies to everyone equally. Anyone who tells you otherwise is probably not someone you should be listening to in regards to advice on the subject.
There are all kinds of ways to manage your keys, but things have come a long way since Bitcoin was first created. The original Bitcoin client generated single stand-alone keys backed up in a password-protected digital file and every time you received new coins you would have to make a new backup or risk losing that money; each new receive address was a newly-generated key totally unrelated to the other ones, and not contained in the last backup you made. Nowadays we have mnemonic seeds and deterministic wallets to allow a user to make a single backup and not have to worry about renewing that every time they receive new funds.
However, there is a lot more to safely managing keys than just the form your backup takes.
Singlesig And Multisig
One of the first things people will run into in regards to key management advice is the contention of whether or not to use a single-signature wallet or a multisig wallet. Both “camps” tend to take an extremist view that they are the one-size-fits-all solution for your average user, and tend to bombastically advise only using one or the other, it’s “automatically more security!” But as I said above, there is no such thing as a one-size-fits-all solution when it comes to key management. Every individual person is in their own personal situation, and that needs to be considered above all else before deciding how to go about things.
Let’s look at some of the benefits of a singlesig wallet before we go into multisig. First, the entire wallet requires only retaining a copy of your mnemonic seed in order to be recoverable. Every single Bitcoin address that you send money to can be deterministically generated again on another device. The seed is literally the only thing that you need to recover all of your coins. Another benefit is the cost of spending. When sending coins using a single signature on the blockchain, they take up less blockspace and thus cost less in fees because only a single signature is required in the witness data of the transaction. In terms of inheritance situations, single-signature also has the benefit of being a simple thing (the mnemonic seed) that can be left for your friends and family. As long as they have a simple-to-use and secure device to import it into, it’s pretty easy to handle with some basic guidance. What is the obvious major downside? A single point of failure. If your mnemonic or keys are compromised, that’s all she wrote. That is all that is required for a malicious actor to steal your coins, and there is no undoing that once it is done. No support line to call, no chargebacks. They’re gone for good.
What are the upsides of a multisig wallet? There is no single point of failure; you are unable to spend coins in a multisig wallet without access to multiple sets of private keys. This allows the geographic distribution of mnemonic seeds to increase the cost of gaining access to enough key sets in order to steal someone’s bitcoin. It also opens the door to letting other people take possession of one set of keys in the multisig aside from the actual owner, or distributing the keys amongst a group of people so that no one individual “owns'' them from the point of view of having enough keys to spend them on their own. This is how companies like Casa or Unchained Capital are able to offer services that to some degree do hold user’s hands, offering them a safety net in the form of a recovery key held by the service to safeguard the user against losing some (although not all) of the keys they possess in the multisig. What are some of the downsides of multisig? The necessity to safeguard all of the master public keys involved in the wallet. When you use a singlesig, all you need is the mnemonic seed to recover it. But because a multisig wallet uses all of the public keys from every mnemonic seed involved, you have to back them up as well. The problem here is that if you lose a mnemonic seed involved in the multisig, and don’t have a separate backup of the matching public key, you have no way to recover it, and without that public key you cannot regenerate the multisig address to find your funds on chain, and therefore have lost access to those funds. Multisig (at least until MuSig schemes using Schnorr/Taproot are adopted) are also more expensive to spend on chain than a singlesig, so sending your money anywhere is more expensive than with a singlesig address.
So let’s look at an imaginary Bitcoiner: they live alone in an apartment, they do not get along well with their family, their friends are not the most responsible people, and they are sitting around contemplating how to set up their key management solution. Some person attempting to be helpful on Twitter advises they set up a multisig wallet with Specter or Blue Wallet. How does multisig help this person? They have no place to store keys aside from their apartment, so they are going to be keeping all the keys in one place. This prevents any benefits of spreading multisig keys around to be redundant against loss or theft, and comes with the cost of more expensive transactions on chain. As well, even though not the most likely scenario because all the seeds are stored together, they risk losing funds if they misplace or damage one seed and do not maintain public key backups. It adds no meaningful security, increases the cost of spending their bitcoin, and adds additional ways for them to lose access to their money. What might make sense for such a person is utilizing a multisig service where the provider holds a key for them to assist in recovery. If using a 2-of-3, they can keep two seeds at their apartment, the provider has one, and leave a single seed with untrusted family or irresponsible friends knowing that the single seed is not enough for them to spend the funds. They can even leave that one seed with multiple people in case someone loses or destroys their copy, so they can still recover funds if they were to lose access to both of their seeds kept at home.
Let’s look at another imaginary Bitcoiner: someone with their own house, as well as a cabin somewhere in the wilderness they own as a vacation home. Maybe they’re a senior software engineer, or a lawyer, someone who has their own locked office in their workplace. They have many different places under a reasonable amount of their own control. In this case it makes sense for this person to utilize a multisig setup with noone involved but themselves. They can generate a 2-of-3 wallet, leave one seed at home, one seed at their cabin, and one seed at their office (obviously leaving a copy of all three public keys with each seed backup). This provides them with geographic redundancy protecting them against both loss of funds and theft because they actually have access to multiple safe locations where they can store key material, unlike the first hypothetical Bitcoiner above.
Both of these scenarios should clearly demonstrate the strengths and drawbacks of both methods depending on a person's individual circumstances. Using multisig because "it's more secure!" is not always a sensible choice for everyone. Even if it does make sense, it doesn't necessarily make sense to use it in the same way as someone else would. Before making a decision between a single key and multisig key set up, you should think long and hard about your own living circumstances and what makes sense for you.
Passphrases are also something billed as a catch-all solution to security. The reality is a lot more complicated and nuanced than that. Assume for the purposes of this discussion that you have had your mnemonic seed compromised (a passphrase is just like any internet password in that scenario from a simplistic point of view). It only adds as much security as there is entropy in the passphrase. If you used a secure passphrase, obviously this can be a good amount of added security, but this comes with the trade-off that the more secure your passphrase is the harder it will be to memorize. The core purpose of a passphrase is to have something you remember, and not physically stored anywhere, so the use of a passphrase becomes a balancing act of adding security but not creating too great a risk of forgetting it. If you don't remember your passphrase, you lose access to your funds.
This write-up on Coldbit’s website gives a good breakdown of the entropy of different styles of passphrases, from using BIP-39 mnemonic words, to other word lists, to alphanumeric passwords. The article defines different classes of attackers based on the resources at their disposal: a single laptop, a few GPUs, a specialized ASIC for passphrase cracking, and a large supercluster of passphrase ASICs. For each class of attacker they rate on average the time it would take to brute force a passphrase based on its length and what resources an attacker has. This is something that everyone using a passphrase should consider when selecting one. Unless you approach the same entropy as a mnemonic seed itself, a passphrase is just a temporary shield to allow you to move your funds to a new seed before the attacker can bruteforce your passphrase, and if you approach the same entropy as a mnemonic seed you are heavily raising the risk of forgetting the passphrase and losing access to your funds.
The last point on seed phrases is memorizing versus writing down and storing somewhere. If memorizing a seed it might be prudent to temporarily write it down until you are confident you have it memorized, and then destroy the written copy. If you do wind up making a permanent physical copy of it, then in my opinion the best thing to do is treat it like a multisig setup. Your mnemonic and passphrase each constitute two "keys" in a "multisig" at that point, and storing both of them in the same place is a bad security risk. The major benefit of a passphrase is adding "something you know" to "something you have" (your mnemonic). If you deviate from this use of a passphrase by writing it down, keep that in mind and plan accordingly to keep them separate and not easy to find together.
Storing Seed Backups
This is a key point to consider in any wallet set up; hardware wallets generally provide physical security to make extracting your keys from the device very expensive, and any software wallet that is safe to use will be storing your keys encrypted when the wallet is not open and in use. However, all of these protections are moot if you just leave a mnemonic seed sitting around on a desk. Physical security of a mnemonic seed is of the utmost importance, whether that comes from a safe, or hiding it in some place that is not somewhere a thief or attacker will look is something for you to consider based on your situation. But it should not be somewhere easily accessible by anyone but you. A safe that is difficult to remove or break into would be a good place, or somewhere that is not immediately obvious, like writing it inside a book across many pages or under a loose floorboard (don't take these examples literally per se, but the idea is that somewhere a thief is not going to think to look for something valuable).
If you wind up storing a mnemonic somewhere other than your own home, I cannot stress this enough, do not do so without a decently strong passphrase and preferably with some kind of tamperproof bag or setup so that you can periodically verify the seed is still there and has not been tampered with by anyone else since your last check. Personally I think that strong physical security or obfuscation (hiding) is the way to go in your own residence, but if you do have a need to store elsewhere due to security or disaster risks, I would advise storing it with someone you trust regardless of any tamperproof measures or passphrases you have in place (security deposit boxes are a horrible idea for singlesig addresses).
One last thing to consider if this happens to be a situation you might find yourself in, is how do you destroy a metal seed backup? Imagine you are leaving the country and never coming back, yet you have a word seed stamped with letter presses or etched in. You can't bring that through customs. You also don't want to leave it sitting around where it can be found when you leave if you plan on continuing to use it. If this is a scenario you see in your future potentially, it might make sense to use tile-based seed backups if you want to keep steel ones for durability purposes, otherwise you are going to have to migrate all of your funds to a new seed before or after leaving. This could be a time-consuming and complex thing if you have funds segregated among different passphrases, or have managed your UTXOs to keep them isolated, because you will have to move funds bit by bit without connecting them to maintain that privacy and isolation.
The Big Picture
Managing your own keys is the core of what makes Bitcoin special, but it is also a big responsibility. It's like going for a hike out in the wilderness. There are many different paths you can take; some are arduous and grueling, uphill the whole way, while some are nice easy paths, and some have obstacles in the way. You can even walk completely off the trails if you so choose, but that comes with the risk of getting lost. When you go out in the elements, there is no one you can depend on but yourself. The level of preparation and understanding needed is not going to be the same for everyone, and you shouldn't let yourself fall into the trap of thinking that is the case.
This is a guest post by Shinobi. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.