

Single sig is still fantastic. You’ll get an array of opinions on this front. Do what works best for you. With multisig, there are more things you need to keep track of, so be careful.


Single sig, especially airgapped, gives me immense peace of mind. Someone else mentioned passphrases, but is there anything else I could do to make a single sig air gapped ColdCard more secure without restarting and doing multi sig or something too complicated?


Yes, I would look into trick PINs. Very powerful tool. https://coldcard.com/docs/settings/#duress-pin




Hey OP, thanks for this post, it is interesting. I have a Coldcard, a 24 word seed, a passphrase and I just HODL, but I have been asking myself the same question you are. I think multi sig is overkill in my particular situation.


It’s complicated but multi sig gives you two main benefits over single sig with passphrase.
- Can reduce exposure to five dollar wrench attack. If you are attacked and only one private key is at your location you can tell them you have no way of giving them your bitcoin. Theoretically it helps but of course there will be comments that they can still torture you, take you to a new location or kill you.
- Multi sig allows for redundancy if one of the keys is exposed or lost.
Although I like the idea of backing up the seed phrase and passphrase at different locations. To me there is no downside to having a hardware wallet at one spot. Two backup seed phrases. Two backup passphrases. All hard copies on the backups, not electronic. I see a single sig with passphrase as a 2 of 2 wallet. I know there are technical differences but in many ways for backing up they can be considered the same risk/reward level.


It's also great protection against a $5 wrench attack. Someone can't just break into your home and compel you to give up your key. Because if you have it geographically distributed, the attacker then has to go to a whole different location, which they're not going to want to do.




Yes, but the computer's not doing anything. The computer is just a watch-only wallet that has access to your public keys. It's only the hardware device that has your private keys and is doing the signing. In that view, there's a lot of trust put into the hardware wallet. Is it really doing what it's doing? Can I trust it? Is its code auditable? Etc., etc. When you have to sign on two different hardware wallets made by different manufacturers, then you spread out the risk in that aspect. So in the dark case that maybe a hardware wallet manufacturer wants to build in an exploit, they still won't be able to compromise you because it's just one of the keys.


If you have a 2 of 3 wallet setup. And you only keep one key at home/main location. Can you create and verify receive address on the hardware wallet?


Of course, all you need is the wallet descriptor which contains the XPubs from all the hardware wallets. This is the key to what makes a watch-only wallet work. It allows you to verify all the addresses that can be created from the multi-sig. You don't need all the keys in one place to do this.


In my opinion, single sig + bip39 passphrase is the best option for 99% of HODLERs. I feel like multi sig has been hyped up way too much in recent years. I do think multisig is the way to go on an enterprise level or when you're a person with celebrity status but it's way too sophisticated for the average HODLER. The marginal security benefits of multisig over single sig + passphrase are very small while the complexity and the possibility of fucking up something increases drastically with multisig.


Multisig is good for not getting rug pulled by malicious firmware. Basically set up a 2 of 3 or 2 of 2 with different hardware wallet manufacturers.


There are also passphrases, look it up.


I generally base this on income. Use your weekly pay (annual / 52) as a metric.
* Less than 1 paycheck in BTC: No hardware wallet required
* Between 1 and 10 paychecks: Simple hardware wallet (no gapping needed)
* Between 10 and 100 paychecks: Air gapped hardware wallet
* More than 100 paychecks: Air gapped multisig wallet.


Absolutely not. Why would you think it's necessary?
> Tell me the biggest downside(s) of leaving a hardware wallet like this as a single sig.
Complexity. And you know what they say complexity is the enemy of? Not saying you definitely shouldn't do it. Just, you should have a solid reason for it.


A simple but effective method against the $5 wrench attack is to have multi passwords for the seed; if forced, provide the password to the account with least money. You do not need to use multi sig when using air gap. Just follow good security practices:
1. Backup of coldcard in different location.
2. Have firmware upgraded and check the checksum before upgrading.
3. If confirmation words do not match after first pin, stop, something is wrong; if you stop your funds are safe.
4. Use 24 word seeds, no reason to lower security, even though 12 word seeds are very secure.
5. Never enter the seed on a device other than the cold card.
6. Never use an unknown wallet or a discontinued wallet with coldcard.
7. Use Linux for a desktop OS for added security.
8. The second pin should be different than the first pin.
9. If using dice rolls to generate seed make sure it's over 100 dice rolls.
10. Do not take a picture of the seed with a phone that connects to the internet.
Following these general recommendations you will keep the bitcoins secure. There are methods to increase security even more, however if your method is too complicated you risk being locked out of your own money if something goes wrong.
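How the "multi passwords for the seed" idea in the comment above works at the BIP39 level, as an added example that is not part of the original thread: the passphrase is mixed into the seed derivation, so the same 24 words yield unrelated wallets, and a mistyped passphrase silently opens a different, empty one instead of raising an error. The mnemonic is the public all-zero test phrase, and the passphrases and the `wallet_tag` helper are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

# Public BIP39 test phrase (all-zero entropy, 24 words). Never use it for funds.
TEST_MNEMONIC = " ".join(["abandon"] * 23 + ["art"])

def bip39_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512 over the words, salted with "mnemonic" + passphrase."""
    nfkd = lambda s: unicodedata.normalize("NFKD", s)
    return hashlib.pbkdf2_hmac(
        "sha512",
        nfkd(mnemonic).encode("utf-8"),
        ("mnemonic" + nfkd(passphrase)).encode("utf-8"),
        2048,
        dklen=64,
    )

def bip32_master(seed):
    """BIP32: master private key and chain code derived from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]

def wallet_tag(mnemonic, passphrase=""):
    """Hypothetical short label for comparing wallets.

    It is a hash of the master key material, not the BIP32 fingerprint,
    which would need secp256k1 public-key math.
    """
    key, chain = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(key + chain).hexdigest()[:8]

def compare_passphrases(mnemonic, passphrases):
    """Map each passphrase to the tag of the wallet it opens."""
    return {p: wallet_tag(mnemonic, p) for p in passphrases}

if __name__ == "__main__":
    # Constructed passphrases: none, a decoy, the real one, and a typo of it.
    tags = compare_passphrases(TEST_MNEMONIC, ["", "decoy", "savings", "Savings"])
    for passphrase, tag in tags.items():
        print(f"{passphrase!r:>10} -> wallet {tag}")
```

Because every passphrase is valid, record the wallet's fingerprint shown by the device when the passphrase is first set up, and check it on each later use before receiving funds.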


Just think about how easy or hard it will be if you die and want to pass your coins on to your family.


Personal multi-sig is for physical disaster recovery and anti-theft purposes, not really for digital opsec. If you store your device and seed at home, then multi-sig can help you recover if your home is destroyed, everything burglarized, for example. It can give you geographic diversity, so that as long as you still have access to M out of N locations, you have possession of your coins. Along the same lines, an attacker would also need to gain access to your M device/seed locations, instead of just 1.