Level 3: Dedicated Hardware

Save Bitcoin using a dedicated offline device (as much as you'd be comfortable hiding under your mattress).

Level 3 -- typical home network with accessible cold storage

To save large amounts of money securely, you'll want to set up a dedicated signing device. Essentially, this separates the private keys from the public keys. Public keys will be managed in a transaction manager (used to verify addresses for receiving Bitcoin, check balances, and create unsigned transactions). Private keys will be managed in an offline signing device (used only for spending Bitcoin).

There are many alternatives; we will use the COLDCARD as an example, but any offline signing device can be used.

No paid or influenced content; all views are from personal experience.

Transaction Manager

A transaction manager can be any device, although a dedicated laptop on which you can install a Linux distribution such as Ubuntu is recommended. You will still be using Tails OS on a USB drive; however, it's recommended to also install a Bitcoin client (such as Electrum or Sparrow) directly on the transaction manager. You will use this client as a decoy or honeypot.

Honeypot

A recommended approach

Tails OS (xPub only)

Similar to level-2 we will use a bootable Tails OS USB drive,

https://coldcard.com/docs/paths#dump-summary-file

Create a new wallet, select Standard wallet, and then Use a master key:

[Screenshot: electrum-use-master-key]

You can then paste or do a QR capture of the xpub you got from above. When you open this wallet you'll get the following warning:

[Screenshot: electrum-watch-only]

When you try to send from this wallet it will instead create an unsigned transaction file, which will need to be signed by the signing device (see below).
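A check you can run before pasting an extended key into the watch-only wallet, so that only public key material ever reaches the transaction manager. This is an added example, not code from Electrum or the COLDCARD docs; it assumes the BIP32 mainnet `xpub`/`xprv` prefixes only and rejects every other prefix, and the helper names and sample strings are constructed for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# BIP32 mainnet version bytes; anything else is rejected (fail closed).
VERSIONS = {bytes.fromhex("0488b21e"): "xpub", bytes.fromhex("0488ade4"): "xprv"}

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)          # ValueError on a non-Base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(text) - len(text.lstrip("1"))) + raw
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad Base58Check checksum (typo or truncated paste?)")
    return raw[:-4]

def b58check_encode(payload: bytes) -> str:
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def classify_extended_key(text: str) -> str:
    """Return 'xpub' or 'xprv'; raise ValueError for anything malformed."""
    payload = b58check_decode(text.strip())
    kind = VERSIONS.get(payload[:4])
    if len(payload) != 78 or kind is None:
        raise ValueError("not a BIP32 mainnet extended key")
    # Layout: version(4) depth(1) fingerprint(4) child(4) chain code(32) key(33)
    first = payload[45]
    if (kind == "xpub" and first not in (2, 3)) or (kind == "xprv" and first != 0):
        raise ValueError("key data does not match the version prefix")
    return kind

def safe_for_watch_only(text: str) -> bool:
    """True only for public extended keys; private material must stay offline."""
    return classify_extended_key(text) == "xpub"

def constructed_sample(kind: str) -> str:
    """Constructed test string with dummy bytes; not a key to any real wallet."""
    version = next(v for v, k in VERSIONS.items() if k == kind)
    key = (b"\x02" if kind == "xpub" else b"\x00") + bytes(range(32))
    return b58check_encode(version + bytes(9) + bytes(range(32, 64)) + key)
```

A `ValueError` means the string was mistyped, truncated, or uses a prefix this check does not cover; treat it as "do not import" and re-export from the signing device.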

Signing Device

Adapted from the COLDCARD docs:

  1. Connect your COLDCARD to power and enter your PIN if you haven't already done so.
  2. Select Ready to Sign from the main menu.
  3. The COLDCARD briefly shows Reading . . . and Validating . . . before displaying transaction details. Take every opportunity to check and double check transaction information. Make sure the address you are sending funds to is absolutely correct.
  4. If the transaction information is correct and the fee acceptable, press OK(✓). Otherwise, you can abort the transaction by pressing X.
  5. Your COLDCARD signs the transaction and saves two files to the microSD card, one ending in -signed.psbt, the other -final.txn.
  6. Press OK(✓) to return to the Main Menu.

You can now power off the COLDCARD, and transfer the microSD card back to the transaction manager running Tails OS.