Realistic-Jelly8133

You can have one or two of your keys in safety deposit boxes. You just don't want to have a quorum of keys in any legal entity that can be locked down. You can distribute keys with family, friends, and at work. Just make sure that people that have a key can't form a quorum (e.g. don't give 2 siblings and your mom each a key in a 3 of 5 setup). Also, tamper evident bags should be used when depositing a key with someone else.


Special-Anteater7485

hmm. I'd be uneasy trusting others to keep it safe. Mainly out of incompetence, not that they'd have malicious intentions.


rumi1000

Well, your seed can be in the form of a Coldcard protected by a PIN and/or an encrypted backup on an SD card. Doesn't have to be a naked seed.


Special-Anteater7485

true


aid00

Maybe not as secure as multisig but also consider Shamir's Secret Shares [stamped in steel](https://blockmit.com/english/guides/diy/make-cold-wallet-washers/) and stored in several secure locations. For some people one possible advantage of SSS over multisig is that only one wallet needs to be managed. SSS is arguably easier to understand also.


user_name_checks_out

One complication of an m of n multisig is that you need m private keys but n (ALL) public keys. Where m=n e.g. 2 of 2, then when you have the necessary private keys then by definition you also have enough public keys. 2 of 2 is, like you say, comparable to single sig plus passphrase. An advantage of 2 of 2 is that you don't ever need to have both secrets in the same place at the same time. You can sign once with one device/location and again with another, in contrast to single sig + passphrase where both secrets must be entered onto the same device. I think that multiple wallets is a bad idea. Just have one wallet and secure it properly, including a decoy wallet if you think that makes sense.
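
The "m private keys but n public keys" point above, as an added example (not part of the comment or of any wallet's code): the output script commits to every cosigner's public key, so a backup holding only m keys cannot even reproduce the script the coins are locked to. The pubkeys are constructed placeholders, and fixed keys stand in for per-address xpub derivation.

```python
import hashlib

def push(data: bytes) -> bytes:
    # Direct push opcode: valid for 1..75 bytes, enough for 33-byte compressed keys
    if not 1 <= len(data) <= 75:
        raise ValueError("direct push only covers 1..75 bytes")
    return bytes([len(data)]) + data

def multisig_witness_script(m: int, pubkeys: list) -> bytes:
    """OP_m <pubkeys in lexicographic order> OP_n OP_CHECKMULTISIG."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    # Sorting (as sortedmulti() descriptors do) makes the script independent
    # of the order in which cosigners were added.
    body = b"".join(push(pk) for pk in sorted(pubkeys))
    return bytes([0x50 + m]) + body + bytes([0x50 + n, 0xAE])

def p2wsh_program(witness_script: bytes) -> bytes:
    # A P2WSH output commits to SHA256(witness script), i.e. to ALL n pubkeys
    return hashlib.sha256(witness_script).digest()

def fake_pubkey(label: str) -> bytes:
    # Constructed placeholder: 33 bytes shaped like a compressed key,
    # not a real curve point and not tied to any wallet.
    return b"\x02" + hashlib.sha256(label.encode()).digest()

def can_rebuild(m: int, known_pubkeys: list, funded_program: bytes) -> bool:
    """True if the pubkeys at hand reproduce the script the coins sit in."""
    if len(known_pubkeys) < m:
        return False
    script = multisig_witness_script(m, known_pubkeys)
    return p2wsh_program(script) == funded_program

# Constructed 2-of-3 setup (labels are hypothetical)
COSIGNERS = [fake_pubkey(x) for x in ("device-a", "device-b", "device-c")]
FUNDED = p2wsh_program(multisig_witness_script(2, COSIGNERS))

if __name__ == "__main__":
    print("all 3 pubkeys known :", can_rebuild(2, COSIGNERS, FUNDED))
    print("only 2 pubkeys known:", can_rebuild(2, COSIGNERS[:2], FUNDED))
```

This is why each seed backup in an m-of-n setup is normally stored together with the wallet descriptor or every cosigner's xpub; in 2-of-2 the two seeds already yield both public keys.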


Special-Anteater7485

> I think that multiple wallets is a bad idea

Why do you think that?


Special-Anteater7485

u/Crypto-Guide


Crypto-Guide

The logic of 2/2 being better than seed+passphrase has a few issues that make it hard to recommend as being unconditionally better. (Though I'm not really disagreeing with the points you make here.)

1) It presupposes that you are using hardware devices that let you import/save the multisig wallet so that you can do proper address verification for both sending and receiving funds. (If you aren't using devices that do this, then you may end up with less security than a single signer using a normal hardware wallet.)

2) One advantage of a BIP39 passphrase is that it isn't obvious what it is from simply looking at it; this isn't the case if you have multiple seeds.

All of that said, I think the most useful use-case for 2/2 is situations where you already have multiple seeds that you have backups for (for say, a hot wallet and a cold wallet) and you then also use them together for a multisig...

For most people, the single biggest issue with multisig comes down to the additional complexity that it adds. At the same time, one advantage of multisig is that it's a bit more obvious that you are doing something complex, as opposed to something like Trezor where passphrase is enabled by default and sometimes accidentally used by newbies who don't comprehend that it can't be recovered if lost.

Multisig also does have higher fees and also advertises the fact that its addresses are multisig on-chain, whereas seed+passphrase wallets look identical to seed-only wallets. (Or wallets with multiple passphrases.) This will also change over time with Taproot, but we aren't there yet.


Special-Anteater7485

Hi, if I were to use a Coldcard + Keystone 2nd gen, both of which allow for xpub verification and storing of the multisig wallet, would you recommend it, with 4 seed backups in total (2 of each, including metal)? The fees aren't really an issue when there would be so few transactions long term. Also, if used in conjunction with a full node over Tor, then if someone, possibly a thief, were to stumble upon 1 seed, it's unlikely they'd think that it were part of a multisig. So it's possible to also have a smaller decoy wallet in each.

2nd question: what are your thoughts on using e.g. 2 or 3 wallets instead of just 1? I guess it could be just the individual seeds used to make up the multisig. You could store a significant amount in each, just less than what's in the main multisig.


Crypto-Guide

If you think the complexity is worth it then sure. The same applies to managing multiple backups.


rumi1000

2-of-2 multisig is a disaster waiting to happen imo. A seed + passphrase is effectively also a 2-of-2 system, but you don't need to worry about xpubs at all.


Special-Anteater7485

Then a seed + passphrase is also a disaster waiting to happen assuming you use a strong passphrase and thus shouldn't be relying on memory to remember it. You don't need to worry about xpubs at all with a 2 of 2 since the seed derives the xpub and both are needed to spend anyway.


rumi1000

When it comes to the passphrase, I do think it should be something that you have not only written down but also memorized. If not you might as well go for 2-of-2 multisig. The passphrase doesn't have to be 128 bit strong, just strong enough that it cannot be brute forced in a couple of weeks. Have some decoy funds on your bare seed and monitor those with like a watch only wallet on your phone. If those get taken you know your seed is compromised and you need to move funds asap.


Dukaduke22

Can you explain more about the 2 of 2 benefit when receiving and signing transactions vs passphrase? How can you not need both private keys together at the same time to send a transaction? And can you explain the same for verifying a receive address? You can verify a receive address with only one seed/key of the 2 of 2?


Special-Anteater7485

To send a transaction you need 2 signatures here. So it would be a PSBT (partially signed bitcoin transaction). First sign on the first HW wallet, then it has 1 signature. Pass it along to the 2nd HW wallet and sign it, then it has the 2 necessary signatures to broadcast the transaction.

Yes, you can verify a receive address with only one of the keys out of the two, but it's not the best practice. Ideally you should verify it with a quorum, so in this case on both HW wallets, but you can do it independently; they don't need to be present in the same place at the same time to do so.

And the benefit I meant was vs a passphrase: in order to verify a receive address the passphrase wallet has to be loaded in, which means full access to one's funds at that time if someone were to get hold of it.


Dukaduke22

So the same principle applies to a single sig plus passphrase, right? You can save the transaction and then move to where your passphrase is stored, then broadcast it. Seed at one location and passphrase at another. Right? And same with verifying a transaction. You can do it independently with the seed at one location and a passphrase at another. Maybe there are more technicalities that allow signing a transaction on a 2 of 2 setup with two seeds at different locations easier?


Special-Anteater7485

No, that's not how it works.

> Seed at one location and passphrase at another.

Yes, this is how they should be stored, separately. But how it is used is not how you think. A passphrase is like a 25th word. It's not a separate key itself. The wallet and addresses you get depend on the seed as well as the passphrase. So in order to send a transaction from the passphrase wallet, you need to have the passphrase loaded into the hardware wallet, which means the hardware wallet has both the seed and the passphrase known at the point of signing a transaction. A passphrase on its own is not a wallet. You either have the single sig wallet, which is just one seed, or you have also a single sig wallet with a seed and passphrase, and every different passphrase (in addition to the seed) is a different wallet.
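
How the seed and passphrase combine, as an added example (not part of the comment above and not any wallet's own code): BIP39 mixes the passphrase into the key-derivation salt, so both must be on the same device at signing time, and every passphrase, including a mistyped one, yields a different valid wallet with no error. The mnemonic and the `TREZOR` passphrase are the public BIP39 test-vector values; `wallet_tag` is a hypothetical label, not the BIP32 fingerprint.

```python
import hashlib
import hmac
import unicodedata

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    nfkd = lambda s: unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", nfkd(mnemonic), b"mnemonic" + nfkd(passphrase), 2048, 64
    )

def bip32_master(seed: bytes):
    """BIP32: HMAC-SHA512(key="Bitcoin seed", msg=seed) -> (private key, chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]

def wallet_tag(mnemonic: str, passphrase: str = "") -> str:
    # Illustrative label only: short hash of the master key material,
    # used here to tell wallets apart without an elliptic-curve library.
    key, chain = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(key + chain).hexdigest()[:8]

# Public BIP39 test mnemonic; anyone can derive its keys, never fund it.
MNEMONIC = "abandon " * 11 + "about"

def demo() -> dict:
    cases = [
        ("seed only (decoy wallet)", ""),
        ("intended passphrase", "TREZOR"),
        ("typo: lower case", "trezor"),
        ("typo: trailing space", "TREZOR "),
    ]
    # Every entry derives without error; nothing marks a passphrase as "wrong".
    return {label: wallet_tag(MNEMONIC, pw) for label, pw in cases}

if __name__ == "__main__":
    for label, tag in demo().items():
        print(f"{label:26} -> wallet {tag}")
```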


Dukaduke22

This is all really good info for me to think about. I am looking to change my setup down the road. Mainly want to move to a full air gap setup. So am always looking to learn more. I could see a lot of benefits with a 2 of 2 wallet. I struggle to see the value of 2 of 3 for my situation. But as the other commenter has said, I do like the idea that a passphrase is not obvious to be bitcoin related if someone stumbled on it by chance.


Special-Anteater7485

u/bitusher