The Art of Self Custody

(Last Updated on February 18, 2022)

Coldcard wallet seed phrase backup

Why should you self-custody your bitcoin?

  • Only way to access the world’s most powerful, decentralized, computing network 24/7/365 for store of value, immutable hard money asset capped at 21 million supply, near instant settlement finality, trustless transactions, borderless transfers, and use of Layer 2 solutions like Lightning
  • Only way to ensure your individual financial sovereignty for a hedge against monetary debasement (inflation through fiat policy), Government censorship, and freedom of mobility across various economic and physical landscapes
  • Only way to VERIFY your ownership to UTXO’s on the Bitcoin blockchain anytime, anywhere, and sign

What is the best way to self-custody?

Hardware wallet device + Unique seed generation + 2FA device

What is the best way to eliminate physical threat to the individual?

Setup a 2 of 3 multi-signature wallet to better manage risk of loss and physical security

Multi-signature wallets utilize a “K of N” formula for the signatures or keys required to verify a transaction. The most common multi-sign platform is 2 of 3. This allows for the 3rd key to be used as a “spare” or “backup” key that can be stored in a highly unique and secure way.

  • 2 of 3 signatures required to spend BTC
  • Each key has its own seed phrase and hardware device
  • 3 different keys = 3 different physical locations
  • 3rd key can be held by a trusted or legally contracted party for distribution of trust in complex key setups

What type of self-custody is available in 2022?

  1. Hardware wallet device setup with a SeedSigner for random rolls and seed generation coupled with two-factor authentication and a physically held seed phrase.
  2. Software or Browser based wallet on trusted computer with two-factor authentication and physically held seed phrase.
  3. Mobile wallet on trusted phone and physically held seed phrase.
  4. Paper wallet without any passphrase or seed phrase .

Any Bitcoin you “own” on an exchange or 3rd party platform is NOT yours. So lets take the time to educate ourselves and take responsibility over our wealth. Not only building individual self-sovereignty, but giving yourself immediate and genuine access to the most inclusive financial network alive today.

What do I need to understand about Bitcoin?

Private key -> UTXO Ownership -> Total value of your Bitcoin

1. Private vs. Public keys

Your private key(s) is the direct representation of your ownership over unspent transaction outputs or UTXOs.

Total Bitcoin value = total UTXOs owned by a private key

Your private key is a direct 256 bit (SHA-256 encrypted) address that is randomly generated by your wallet upon creation.

Base58 private key -> 5Kb9nTf9xyMOjogidNB65NxKi6TsZZY62fJXMlLSzPygZYZT3RQ

This key has a 10^77 unique rarity that is nearly impossible (extremely improbable) chance of being duplicated. It is hashed twice to create a master public key using the elliptic curve digital signature algorithm which makes it impossible to generate an actual value for the ‘hash function’ used to then backout or devise the original private key.

Basically – your private Bitcoin key is highly unique and damn near impossible to guess or hack.. Keep it safe!

Your public key is used to generate fresh receiving addresses for use over the Bitcoin network. You can generate a few different types of BTC addresses today depending on needs.

The private key is the ONLY thing needed to prove ownership for unspent transaction outputs or UTXOs on the network.

“Not your keys, not your coins!”

Never give out your private key or the seed phrase that is derived from it!

2. How a 24 word mnemonic seed phrase works

The vast majority of cryptocurrency wallets setup today will use a 12 or 24 word mnemonic seed phrase to represent your private wallet key. The seed phrase is derived directly from your private key – but is not your actual key. This makes it simple to backup through written words and increases efficiency for ownership verification through your hardware wallet device. Most wallets have a “dumpprivkey” like feature to download, export, or show your private key for backup.

Seed phrases must be kept in secure locations.

Seed phrases are always backed up physically – eliminating the liability of loss with a physical copy existing.

Coldcard wallet seed phrase backup and hardware device
Your hardware device means nothing if your seed phrase is stolen!

But – this creates a new vulnerability in the physical world and individual security can now be a concern.

A physical attacker is now a legitimate threat similar to taking ownership of physical gold at your home or business. What kind of precautions are you willing to take for the physical security of your keys?

Multi-sig wallets are a great strategy for defending against a physical attacker by separating three or five keys, each with their own device, in different secured physical locations.

3. The various types of Bitcoin addresses

Originally the only transaction address used on the Bitcoin network started with a “1”. This is now considered a “Legacy” address and is considered the most secure and highest fee.

Pay to Script Hash or P2SH was introduced later and upgraded user security through adding multi-signature wallets. These addresses start with the a “3” and do not have to be used for multi-sig.

Segwit addresses were added through BIP 141 and a few other BIP functions since then. These addresses start with “bc1” and greatly reduce fees at a small cost to security.

The latest addition are Taproot addresses which begin with a “bc1q” and have added security/efficiency functions including Schnorr aggregation for more efficient multi-sig validation through batching. This is for more advanced users but may become used more frequently if we do see congestion in the mempool starting to load up on the network.

What should I know how to do?

Trust in code – not people.

Knowledge is the key to security – go slow, do your research, be diligent and double check everything.

Bitcoin is a trustless system that is created so you can verify and confirm all transactions easily without the need of a 3rd party or financial intermediary telling you that you can spend or receive funds.

To best utilize this trustless network you must remember to verify your seed, public key and receiving addresses every time you sign to confirm a transaction.

1. Know how to verify Bitcoin addresses for Xpub verification

Always double check Xpub addresses on your device and wallet software before making transactions to confirm your wallet software has not been compromised.

  • Write down your wallets Xpub address and store physically
  • Double check for added control each use

Ledger, Coldcard, Trezor, and Bitbox have all updated their software within the last few years to show master public keys and verify UTXO balances. See individual hardware wallet websites for method.

2. Know how to generate, verify, and confirm Bitcoin addresses

Each hardware device is slightly different, but realize that the following steps must occur.

  • You must generate a master public key before public addresses can be made
  • Always create fresh receiving addresses for any new transaction
  • Never use addresses twice
  • Confirm and double check every address included in any transaction

3. Know how to recover your wallet and 2FA if needed

  • Will you recover with just a seed phrase?
  • Have you swept your private keys and stored them offline?
  • QR codes or other backup types?

This will be done with physically written down or stamped seed phrases and backup QR codes for 2FA. Up to you how you set each one up – but – ensure all words are legible, easily read, and easily store for long periods of time.

Is your computer compromised?

  • How is your computer security? Malware? Viruses? Keyloggers?
  • Have you done any maintenance?
  • Do you need a VPN or any network based concerns?
  • Has your hardware device been tampered with? Shipping?

A new, fresh computer or laptop is cheap security to ensure clean transactions for a large sum of Bitcoin.

The Most Trusted Wallet Devices in 2022

Coldcard hardware with 3D printed case
ColdCard with a 3D printed protective case from CryptoCloaks

1. Coldcard – highest security / advanced users only

  • Open source software and highest in component quality
  • Does not have native software wallet – must use 3rd party wallet Electrum, Wasabi, Sparrow, etc
  • Can airgap with MicroSD for increased security
  • Random roll and other customizable setups for seed creation and more

2. Trezor – good security / beginner friendly / least amount of reputation loss

  • Native software included which guides user through setup
  • Does not have airgap ability at this time
  • Wallet has easy functionality
  • Expensive with Trezor Model T being the flagship device at $215 USD
Ledger live software interface
Ledger Live is one of the simplest Bitcoin wallets to use today.

3. Ledger – good security / beginner friendly / leaked 250,000+ original ledger users information in hack a few years back

  • Native software included which guides user through setup
  • Does not have airgap ability at this time
  • Wallet has easy functionality
  • Cheap price with Nano S starting at $59

4. Bitbox – good security / beginner friendly / least proven with shortest history

  • Native software included which guides user through setup
  • Does not have airgap ability at this time
  • Wallet has easy functionality
  • No verifiable seed generation
  • Medium price at $139

Want a Do-It-Yourself hardware wallet to build?

Start with a PiTrezor for a fun, DIY budget build!

PiTrezor is a fun DIY hardware wallet build with a Raspberry Zero
Setting up a PiTrezor image on a Raspberry Pi Zero W

PiTrezor is a great project that has been out for awhile and basically replicates the open source Trezor software on a small Raspberry Pi. Even the old-school Raspberry Pi Zero along with any MicroSD card over 5GB and you are golden.

Keep it simple stupid.

The PiTrezor works directly with Trezor’s secure website at -> Wallet.Trezor.Io

Project is still being updated and maintained, many PiTrezors have been built, transacted over, and used since 2018. I would not necessarily hold my entire stash on such a device as the Raspberry platform is not the most durable and long lasting.

I prefer this style of hardware device wallet for portability and fun – small balances to bring to a Bitcoin meetup or convention.

Buy some T-shirts, coffee mugs, or beer!

PiTrezor Features:

  • Low cost parts
  • Easy to build if an existing Raspberry Pi hat is used
  • Run on Pi Zero, Pi Zero 2w and Pi 4.
  • Use the original Trezor One code. Only a thin layer is used to adapt the code to the Raspberry Pi Linux platform. 
  • All code modifications are open source, like the original Trezor code.
  • 100% Compatible with Trezor web wallet to perform transactions.
  • Use the hardware random number generator of the Raspberry Pi for more security.
  • Can be very secure if you use a pass phrase
  • Support small 128×64 OLED display and/or display via HDMI output.
  • Adjustable display scale factor on HDMI output
  • Fast boot (around 5 seconds)
  • Software is free (but donations are accepted!)

Please donate and support all open source projects that you use!

Even a small amount goes a long way and these are probably the cheapest types of option in creating a wallet through a Raspberry platform.

Specter Wallet is a pricier, but more advanced DIY hardware wallet.

Specter Wallet is a highly touted 100% open source wallet that has seen a lot of media coverage and use from Swan Bitcoin. A slightly more expensive build with robust capabilities as a hardware wallet that is also fully open source and well established. Includes air-gap functionality, smartcard-reader and camera for QR code capabilities. This setup includes a digital camera and the larger touchscreen is ergonomic and easy to use with a QR scanner for fast transactions.

This is a great way to setup a multi-sig involving one DIY device that you have had full control over building, installing open source software, and setting up.

Can assemble in 5-10 minutes using common parts available online such as a STM32F7508 discovery board (micro electronics board similar to a Raspberry Pi).

Cost is just under $125 for all parts depending on your location.

Why use a SeedSigner or other 3D printed, open source signing device?

Seed Signer is an amazing addition to your Bitcoin setup

One extra control for unique seed phrase generation is to add a separate hardware device that you can 3D print, build, and install the code for generating your 24 word mnemonic seed phrases. These signing devices can be used to do a lot more than just generate a uniquely rolled seed phrase such as: fast multi-sig transaction signing, Xpub generation, scan and parse animated QR codes, custom user defined derivation paths, and receiving address verifications.

  • Unique Seed generation
  • Added layer of security using 3rd device separate from hardware wallet
  • Unique signing device for any transactions
  • Camera for QR reading

You do not need to own a 3D printer or any sophisticated tools. You can order all of the parts individually, assemble, and get it running in a single evening.

Hardware components total to under $100 today by utilizing cheap components such as the Raspberry Pi Zero and matching accessories.

Leave a Comment

Your email address will not be published.