Security tips on holding a large crypto position

Thanks for the insightful comment and congrats on jumping on the crypto train early on!

Could you please elaborate on that topic? What is your setup in terms of wallet, etc.
Have just started on crypto lately (using Kraken) and am interested in making it secure to the extent possible.

Thanks!

1 Like

@Dago how do you manage your trust in this being implemented correctly? For example, what if you discover, a few years later when you want to retrieve the bitcoins, that something went wrong (like a code is corrupt or something) and you lost access? Do you have an easy way to regularly test that you do have access without every time going to the notary?

https://blog.trezor.io/shamir-backup-the-revolution-of-private-keys-backup-is-here-858687ed7fe7 and https://wiki.trezor.io/Shamir_Backup I think he might be using something like this. TLDR: if you have your seed split into three parts you only need 2 of them for restore. That’s a way how to avoid going to notary every time.

1 Like

“Holding” of cryptos is as secure as the technology is - as you are never “holding” crypto, especially not in a (hardware-) wallet!

What you “hold” is a seed / key to access information / “coins” / data on a public distributed ledger. And: All the possible keys / seed are deterministic and known. It’s just very, very, extremely unrealistic to guess a specific seed / key (actually, you can give it a try: https://privatekeys.pw/bitcoin/random).

I keep all my seeds / keys in a (strong) encrypted KeyPass database (https://keepass.info/)

1 Like

Is it not dangerous to keep your seeds/keys in Keypass ? What if for instance your computer get compromised by a remote access attack ? Am not a tech expert but I could imagine it exists some ways of getting your passwords if you open Keypass on a corrupted PC no?

I am very far from having Dago’s level of crypto holdings, but my plan is the following:

  • Keep my modest short term holdings (the part I want to regularly trade) in a renowned exchange with 2FA authentification (Yubikey or the Google one but not the SIM auth).

  • Keep my long term holding in a cold wallet like Trezor or Ledger Nano. Then write down the recovery phrase on a durable material (see Crytotag for instance) and pay 50 to100.- per year to keep the recovery phrase in a small safe at a local Bank.

Sorry for the late reply, I am busy these days. Thank you @bojack for the split topic.

@ProvidentRetriever
I tested the procedure a lot and there is no reason for this procedure not to work any more because it is mathematical. As noted by @agniles, there is the Shamir Secret Sharing algorithm that let you have n out of m seeds to recover a wallet, which is implemented within the latest Trezor. You can also use Electrum to create a multisig wallet. You can use the public key to check that the money is there at any time. There are risks but the procedure stopping working is not one of them.

Now, here are a few thoughts about holding cryptos in a secure way. Please, please, do not jump to a conclusion and then lose everything because of this post. Be careful, don’t follow blindly any method.

Risk assessment

The first thing you should do is to assess the risks. I will list a few here:

  • computer hacked
  • device stolen (e.g. Trezor)
  • physical seed stolen (e.g. piece of paper)
  • threat to your life or someone close
  • house burns down
  • scam, social engineering
  • your death

Diversity

I consider that there are no perfect solutions, there is always a way to lose money. Thus, the safest is not to have all your eggs in the same basket. Split the money and use different methods to store it. Perhaps it is also practical to have more accessible methods but with less money at risk (“cold” vs “hot” wallet).

List of holding options

This list is not exhaustive of course. It is to give some ideas and illustrate how to assess them. I do it quick here, you can just skip it if it bores you.

  • Simple, light-weight wallet
    • Example(s) : Electrum, Coinomi, Metamask
    • Trust placed in : wallet developers, device being safe, browser developers (metamask)
    • Pros: Handy, in particular on the phone and in the browser.
    • Cons: Many ways to lose your money. Many risks and much trust involved.
  • HW wallet (multisig, pin)
    • Example(s) : Trezor, Ledger, keepkey
    • Trust placed in : the producer (sw & hw, honesty and competency), reseller, transporter, browser developers (trezor), + all the ones for a paper wallet due to the seed.
    • Pros: Don’t trust your computer, possibility to hide the money with an extra keyword
    • Cons: Less practical than a sw wallet, create a whole lot of new problems when you start wondering how to store the seed. See next item.
  • Paper wallet
    • Example(s) : just print the seed from your wallet or even just write down the private and public keys.
    • Trust placed in : the sw developers of the wallet (if applicable) or the key generators, computer being safe, the paper being safe.
    • Pros: little trust needed, in particular if you work on a fresh computer unconnected, you could even produce your own keys (beware mistakes!).
    • Cons: Really impractical and error prone. In particular, always, always, move all the coins at once because you don’t know the return address. The paper must now be kept safe and secured. Home fire ? water disaster ? burglars ? amnesia ? death ? in a safe in a bank ? Multisig alleviates a number of these issues.
  • Bank and exchanges
    • Example(s) : Swissquote, Bitcoin Suisse, Kraken, MtGox
    • Trust placed in : the bank or the exchange, your browser, your computer
    • Pros: hopefully they are better than you to keep the coins safe, at least the well known, official ones, such as SQ (which uses Bitstamp).
    • Cons: we have seen times and times again that many are worse than you at keeping the coins safe. Some were plain scams. It goes against what crypto is about, i.e. be your own bank. They take heavy fees.

A word about death

One risk that most people forget about is their own death. How convenient.

When you die, is/are your partner, children, parents able to recover the coins ?
You need to document, in details, where the coins are. But you don’t want the doc to be enough to steal from you. I do think that a notary is a good place to store these along with your will. Still don’t put private keys there, the notary could get robbed or lose it.

What I personally do

I don’t want to give too many details for obvious reasons. I use a bit of each methods, but in particular the multi-sig seeds and paper wallets. I like Metamask for quick purchases in ETH or tokens. I use Electrum as well. I don’t put coins on exchanges or in banks.

7 Likes

I only have a small crypto position, but I keep it in Ledger Nano. The recovery phrases are on a piece of paper. I think, if I were to hold a large crypto position, I would go to a large bank that works with the recognized crypto wallet providers, like Metaco or Custodigit. The bank should take responsibility that your cryptos are safe and that your private key never leaks. These wallet providers have special key ceremonies, where they split the private key and keep at 3 different entities within the company. You could then tell the bank that you do not want to make any transactions online, maybe only in person, or you would use some special verification process, where a transaction would only be executed after a certain number of days.

But the point is, you just pay a bank for the guarantee that they will keep your cryptos safe. I know it kind of defeats the purpose of crypto (decentralised, trustless system), but in this case you’re holding cryptos as an investment, not because you think the financial system will collapse.

5 Likes

You would be surprised how many printers have recoverable printing history in a little memory.

Damn… I still have an open claim of around 2 BTC with MtGox :frowning:

3 Likes

IMHO: Having your private keys / seed stored in an encrypted DB is as secure as the underlying technology is (given strong password ofc) and not “dangerous” per se. If the DB gets stolen (and is therefore openly available), it’s the same as having your “coins” in a open, distributed ledger: It’s very unlikely to have someone guess the password / private key and grant access… or there are security breaches to grant access to the DB (or the ledger itself) without knowing the private key (worst case) – thus “as secure as the technology” is…

Accessing the keys / seeds on the other hand is a different story: On a compromised system, I’m completely with you! But you also can get robbed accessing your key / seed on a paper wallet from a bank safe-deposit, and so on…
And: As you then have “to access” the open distributed ledger (i.e. over a network), there is never a 100% secure way to access your key / coins / data / information – and here again it’s “as secure as the technology is” (e.g. TLS/SSL, software-wallet, encryption of a hardware-wallet to the network, …).

Mitigating the risks of accessing the key / seeds in an encrypted DB, one can use “isolated” devices, sand-box technology, etc.… and to mitigate the risks of accessing an open distributed ledger, one can (or should!) distribute the “assets” to lots of different accounts, each holding only a small amount… those approaches in combination are pretty much secure IMHO… but always “as much secure as the technology is” :wink:

tl;dr: There is no 100% security!

2 Likes

That’s why I think you should leave this to the experts and store the crypto assets at a bank. But only if they can guarantee your assets. To be honest I don’t know if any bank offers this.

If a Bank does this now, I would like to see their faces if BTC establishes itself at +100K. :sweat_smile:

There’s no 100% security indeed. And one must be aware that as the price goes up, the incentive to put more ressource on cyber or even physical attack will increase too.

I hope I won’t end up totally paranoid if BTC becomes really big…

That is a fair point, but I am not exactly sure how the attack would work ? does it keep everything in history ?

Yep, that was a real disaster. It takes an awful time but I think that you will get something back once the procedure finishes. Have you made your claim ? Do you follow it up ?

I tend to agree, in particular if you consider it as an investment. I am not sure what is the guarantee SQ or Bitcoin Suisse proposes. It would be interesting to ask them.

Having been in the game when it was 5$, I feel weird reading that 20k is not “really big” :smiley:

2 Likes

Hahaha yeah I can imagine. :joy:

By really big i meant if it fulfills the “Becoming a well established global asset” scenario where it would be standard for any portfolio manager to have at least 1 to 5% invested in it.

Yep I’m one of the claimants and hope to eventually get something back. But the process is getting delayed and delayed.

I heard of cases where the last 15-30 documents were stored but the case was a few years back so, not sure how much of a problem it still is.

You can also make it very, very simple. Buy ABTC (listed on SIX) or GBTC (OTC in the US) or one of the companies with large crypto exposure : SI or MSTR. Personaly I hold some SI

1 Like

Not so simple, from a security perspective.
One major cockup or case of fraud in the enterprise/provider, and you‘re wiped out.

I guess you are right. My suggestion would apply to a small position. Big position is better offline.

Hopefully lower TER than HODL or KEYS.

There are some very interesting threads going on bogleheads right now, for ex:

Mmmmh ARKK might soon not be alone anymore in my fun fund.

I highly recommend Casa Hodl Gold plan that lets you easily setup a 2-3 multisig configuration with two hardware and a simple mobile app. If you have a LARGE deposit, you can also move to 3-5 multisig.

I let you check, they have a very interesting weekly newsletter on the security topic and one of their cofounder, Jameson Lopp, is a recognized authority on the topic.

1 Like

What about encrypting your keys? I do this with my passwords that I note down. Something simple like “+1” for numbers, so you note a 5 and you know it stands for a 6. You can get creative and that should be nearly impossible to decipher even getting the hands on the keys.

By reading and partipating to this forum, you confirm you have read and agree with the disclaimer presented on http://www.mustachianpost.com/
En lisant et participant à ce forum, vous confirmez avoir lu et être d'accord avec l'avis de dégagement de responsabilité présenté sur http://www.mustachianpost.com/fr/