8 Reasons to Use a Bitcoin Hardware Wallet
As the value of Bitcoin increases, so does the need for secure key storage. One such solution is a hardware wallet, which is a physical device that allows you to safely store the keys to your Bitcoin. However, hardware wallets are not the only option for storing Bitcoin keys. There are software wallets, paper wallets, and even “brain wallets.” So why choose a hardware wallet in particular?
1. Keep your keys offline and protected from remote attacks
Hardware wallets allow you to create and store the keys for your Bitcoin completely offline, which is known as cold storage. This contrasts with hot wallets, which are more vulnerable to remote attacks such as malware and SIM swap attacks (though hot wallets are still more secure than custodians or exchanges!).
You can think of this as similar to making a ship in a bottle. The wallet seed used to generate Bitcoin keys is generated internally on the device and cannot be digitally exported. Under no circumstances will the keys leave the device. Even if your hardware wallet is connected to a virus-infected computer (not recommended), your keys will still be protected by a secure element.
To move Bitcoin, you use wallet software to create a transaction, send it to your hardware wallet, and sign it on the hardware wallet itself. The signed transaction is then sent back to the internet-connected wallet software to be broadcast to the Bitcoin network.
2. Protection against physical attacks
If someone gains physical access to your hardware wallet, the device offers features that can help you defend against attacks. These include a secure element, firmware verification, and a PIN as a first line of defense.
Secure element
The secure element is a microprocessor used to isolate, store, and protect sensitive data. In hardware wallets, the secure element provides a higher level of protection against physical compromise than the standard environment on a mobile phone, desktop, or laptop. For example, it becomes more difficult to compromise a device through fault attacks, side-channel attacks, or cold boot attacks.
Firmware Verification
Firmware verification is a method of verifying the authenticity of the software installed on a hardware wallet. This protects against counterfeit versions and supply chain attacks. Verifying your firmware ensures that the firmware on your hardware is a genuine, unaltered version. Wallet software from manufacturers such as Trezor, Ledger, etc. checks the device firmware every time you connect the device to your PC.
Access PIN
The access PIN found on many hardware wallets helps prevent anyone but the owner from immediately accessing functions that sign with keys stored on the device. In most cases, if you fail to enter your PIN correctly more than a certain number of times, the delay between incorrect guesses will increase. For some hardware wallets, exceeding the allowed number of PIN guesses may cause your device to be factory reset or become permanently unusable.
Duress PIN
A duress PIN is a security feature that helps protect your Bitcoin in the event of a $5 wrench attack. Duress PINs are especially important for hardware wallets (since they are used to secure larger amounts of Bitcoin), and in some cases the features available are particularly powerful.
For example, the Coldcard hardware wallet offers three types of duress PINs: one unlocks a decoy wallet, one destroys the seed upon entry, and one starts a countdown to a customizable “brick mode”. If you ever find yourself in a duress scenario, using these tools will give you confidence that the attacker will never have access to your underlying Bitcoin keys.
3. Provides a smaller attack surface
You can store your keys offline on your laptop or desktop and protect them from physical attacks. However, the general-purpose architecture of these devices presents a larger attack surface for skilled attackers. This means there are more ways for attackers to exploit software, firmware, and hardware to find ways to steal private keys.
In contrast, hardware wallets are built with specialized hardware that pares functionality down to very specific tasks and limits connectivity to the Internet and other devices. In addition to having secure elements that keep key data isolated, some hardware wallets limit how they physically connect to external devices. So-called air-gapped hardware wallets, for example, interface with other devices primarily through microSD cards. Additionally, many manufacturers offer Bitcoin-specific firmware to further simplify functionality.
Hardware wallets may have more limited functionality and convenience compared to commodity devices, but limited functionality also means limited vulnerabilities. This also has the side benefit of reducing the risk of new holes being discovered that manufacturers must plug with firmware updates or hardware revisions.
4. Prepare for a rise in value
You might think you don’t have enough Bitcoin to justify buying a hardware wallet and learning how to keep your keys safe offline. One of the reasons you should buy a hardware wallet now is to prepare for a rise in the price of Bitcoin.
Conventional wisdom in Bitcoin is to treat your holdings as worth 10 times their current value. Historically, movements like this can happen quickly and unexpectedly. Additionally, if your Bitcoin holdings increase tenfold and become uncomfortably large for standard single-signature self-custody, it may be time to consider a more secure self-custody model such as multi-signature.
5. Check address on device
Bitcoin transactions are irreversible, so when sending Bitcoin, it is important to make sure it is delivered to the correct address. This is important both when sending Bitcoin to someone else and when sending Bitcoin to a wallet controlled by the keys of a hardware wallet you own.
With a software wallet, malware can replace your real address with the attacker’s address in the UI, making it difficult to verify that the address shown is authentic. There is also “clipper” malware that swaps the receiving address in the computer’s clipboard, among other attack vectors.
Hardware wallets help with this by including a physical screen that displays the address you want to send funds to, allowing you to verify it before spending. Unless the device has been physically compromised, you can be assured that the addresses you see are controlled by keys stored offline on the device. If you’re sending funds to a remote recipient, it’s best to verify sending addresses across multiple channels.
6. An ideal environment to create your own entropy
Every Bitcoin wallet relies on entropy (randomness) to generate a seed, which is the master secret that generates the Bitcoin private key. Entropy can be generated in a variety of ways, from basic on-device random number generators to long random text input strings, to rolling dice or playing cards.
Rolling dice is widely regarded as one of the best ways to generate your own entropy, minimizing third-party involvement in generating the randomness needed to initialize a Bitcoin wallet. Some hardware wallets, such as Coldcard, allow you to generate a seed phrase by entering dice rolls into the device: you press 1-6 for each roll, and the device generates the seed from the rolls.
Although you don’t need a hardware wallet to generate your own entropy (you can do so on a permanently offline laptop, for example), a hardware wallet allows you to generate entropy in a convenient and secure way. Creating your own entropy in the physical world can be fun and a great learning activity, but it’s meaningless without the right environment to help maintain the marginal security that comes with doing so.
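The dice-roll method described above, as an added example that is not code from the original article or from any wallet vendor: it estimates how much entropy a run of rolls contributes, refuses short input, and turns the result into BIP39 word indices. It assumes the rolls are hashed with SHA-256 as an ASCII string of digits; the function names and the sample rolls are constructed for illustration, and the 2048-word list lookup is left out.

```python
import hashlib
import math
from typing import List

# Assumption: rolls are typed as ASCII digits 1-6 and the whole string is
# hashed with SHA-256 to form 256 bits of seed entropy.
BITS_PER_ROLL = math.log2(6)  # about 2.585 bits from one fair six-sided die

# Constructed sample of 99 "rolls" (a repeating pattern, never use as a seed).
SAMPLE_ROLLS = "123456" * 16 + "123"


def roll_entropy_bits(rolls: str) -> float:
    """Upper bound on the entropy contributed by fair dice rolls."""
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("rolls must be a non-empty string of digits 1-6")
    return len(rolls) * BITS_PER_ROLL


def rolls_to_entropy(rolls: str, min_bits: float = 255.0) -> bytes:
    """Hash the rolls into 32 bytes, refusing input with too little entropy."""
    bits = roll_entropy_bits(rolls)
    if bits < min_bits:
        needed = math.ceil(min_bits / BITS_PER_ROLL)
        raise ValueError(f"{len(rolls)} rolls give ~{bits:.0f} bits; need {needed}")
    return hashlib.sha256(rolls.encode("ascii")).digest()


def bip39_indices(entropy: bytes) -> List[int]:
    """Split entropy plus its BIP39 checksum into 11-bit wordlist indices."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("BIP39 entropy must be 128-256 bits in 32-bit steps")
    cs_bits = len(entropy) * 8 // 32  # one checksum bit per 32 entropy bits
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (len(entropy) * 8 + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


if __name__ == "__main__":
    print(f"{len(SAMPLE_ROLLS)} rolls ~ {roll_entropy_bits(SAMPLE_ROLLS):.1f} bits")
    print("word indices:", bip39_indices(rolls_to_entropy(SAMPLE_ROLLS)))
```

Each index selects one word from the standard BIP39 word list, so the same rolls can be re-entered on a second offline device to cross-check the seed phrase the first one produced.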
7. Travel safer
Traveling with small amounts of Bitcoin is easy to do using a cell phone or other less secure device, but traveling with large amounts of Bitcoin requires more forethought. Traveling with your keys on a laptop computer or mobile device is risky. This is because these devices are typically hotter (internet-connected), have more limited physical protection, and a larger attack surface.
Hardware wallets offer convenience and security if you need to carry one or more Bitcoin keys with you while traveling.
There is no need to worry about Wi-Fi connectivity or USB ports. If someone physically attacks you, you can use the duress features described above; if your device is lost, stolen, or confiscated, an attacker would need to break the special-purpose security of your hardware wallet; and if you need to spend, you still have convenient access.
8. Enhanced security of multi-signature settings
Multi-signature wallets are built by combining multiple keys (compared to single-signature wallets, which use just one). Spending the Bitcoin requires more than one key, which adds security and redundancy to your wallet, making it useful for securing larger amounts of Bitcoin.
The more secure the individual keys involved in constructing a multisig wallet, the more secure the multisig wallet itself becomes. Hardware wallets allow you to conveniently build multi-signature wallets using clearly described keys that are stored securely offline. As with single-signature wallets, hardware wallets also allow you to verify multi-signature addresses offline when sending Bitcoin.
Since multi-sig is often used to maximize security and redundancy for large amounts of cold storage Bitcoin, using multiple hardware wallets is a natural fit for multi-sig. This is a goal that also helps achieve physical device and seed phrase backups.
Start with self-custody
The first step to upgrading your Bitcoin security is to always maintain self-custody, whether hot or cold, to eliminate the risks associated with trusted custodians such as exchanges. From here, you can explore additional security tools, like multisig, to find the right balance of security and accessibility for your situation.
Originally published on unchained.com.
Unchained Capital is Bitcoin Magazine’s Official US Co-Managing Partner and an essential sponsor of related content published through Bitcoin Magazine. For more information about the services offered, storage products, and the relationship between Unchained and Bitcoin Magazine, please visit our website.