Secure Storage of Private Keys


In part one of this series, we discussed the fact that blockchain technology relies on a public and private key pair to hold assets and authorize transactions, such as selling or transferring.  Because of the cryptographic design of the blockchain, it is impossible for transactions to occur without an interaction involving a given private key. Furthermore, because most major blockchains are thoroughly decentralized, it is impossible to “undo” transactions. Once a transaction is posted to the blockchain, the movement of assets cannot be reversed. This means that there are two important facts to understand when considering holding financial assets in blockchain-based investment vehicles.

  1. If a private seed phrase is lost (e.g. destroyed, misplaced), all assets held in that ‘wallet’ are permanently unrecoverable. Given modern computing power, it is impossible to regenerate the private key. Consider the fact that an estimated 20% of all Bitcoin tokens are considered unrecoverable—at today’s prices, those assets total more than US$200 billion.
  2. If a private seed phrase is acquired by somebody other than the owner, the ‘wallet’ and all of the assets associated with that address can be claimed by the new individual. If the individual imports the seed phrase into any common third-party wallet application, they can immediately and irreversibly sell or transfer all of the assets to any other address. (Note: If someone asks you to submit your seed phrase into any online forum, website, application, etc., it is very likely to be a scam. Never input your seed phrase into anything but a trusted wallet application specifically for the purpose of REGAINING access to a wallet, or your assets may be stolen.)

With this in mind, we can see how it is critically important to protect access to seed phrases.

When a blockchain user creates a wallet through a third-party application on a computer or mobile device (such as TrustWallet, Metamask or SafePal), the application provides the user with a randomly generated phrase of 12 to 24 words. The words selected by the generator are from a standardized list of 2,048 words, known as the Bitcoin Improvement Protocol: 39 or BIP39, which can be downloaded by anyone.

Users will need to copy down the seed phrase and store it in a safe location. The user is able to input this seed phrase to a new device and re-import their wallet should, for example, their phone break or go missing. Once the seed phrase is imported, the user regains full and complete control over their assets once again. It is worth reinforcing that if the seed phrase generated by the application is not backed up, or the backup is lost or destroyed, all of the financial assets associated with that wallet will be unrecoverable in the case of a broken or lost device.

Basic Secure Storage of Seed Phrases

There are several schools of thought when it comes to securely storing seed phrases. What will be presented in this article are those practices that the author has found to be most logical, based on personal experience and interactions with hundreds of other DeFi investors. These are by no means the only solutions; in fact, the options presented should only serve to start your research into the most effective means of securing your seed phrases. Every investor’s situation is different, and therefore no two security solutions will be the same.

There are certain precautions that should always be taken when backing up a new seed phrase from a wallet device.

  1. Copy your seed phrase in a private place – First and foremost, the entire seed phrase generation event should be done in a private place where others cannot accidentally (or intentionally) see your seed phrase as it is presented. The best time and place to do this is when alone at home, away from windows and doors.
  2. Hide from video recording equipment – Always keep the seed phrase out of sight of any video recording equipment, such as home security cameras, webcams on computers, or other mobile devices. While it is unlikely that an unknown third party has access to your home’s camera feeds, there have been numerous reports of security systems being hacked/monitored. It is better to be a bit more cautious than to accept an unnecessary risk that your home’s internal activity may be compromised.
  3. Don’t use erasable pens – If writing down the seed phrase using paper and pen, be sure to use ink that will not fade over time or disappear when heat is applied. While “erasable pens” are great for fixing simple mistakes when writing, they are a bad idea when documenting seed phrases because of the risk that the temperature could rise and fade your seed phrase away.
  4. Don’t take screenshots – Similarly to the risks associated with your home’s video recording equipment, there is a risk of wallet compromise should the seed phrase be recorded using a device’s screen capture feature. Many modern phones send pictures automatically to backup services, such as Apple’s iCloud or Microsoft’s OneDrive. While these services are great for backing up photos of your family vacation, there have been numerous reports of hacks and identified exploits that enable hackers to sift through your entire album. With the emergence of Optical Character Recognition (OCR) technology, it would take very little time for a hacker to search through thousands of compromised photos and identify seed phrases stored in the cloud. As with video recording equipment, it is simply best to avoid this issue entirely. By manually documenting your seed phrase off the device itself, you are ensuring that a future hack of your personal account does not result in the loss of your entire financial portfolio.

Once the seed phrase is written down on a piece of paper, keep track of it. It is best to fold and place the document into a security envelope, so that the words cannot be read through the paper. Annotate the outside of the envelope in a way that will remind you of the contents; you don’t want to accidentally shred your seed phrase thinking that it’s an old electric bill.

Now that you have your seed phrase written down, it’s time to put it in a secure location. The physical location where the seed phrase will be placed is going to be different for each person, and will be highly dependent on their living situation, the trust they place in their relatives, how likely their home is to be vandalized, etc. In general, the best places to store a seed phrase would be out of sight of curious house guests, out of reach of children, and protected from the elements. For example, it would not be advisable to post the seed phrase on the front of a refrigerator door using a magnet, for obvious reasons. It is also not necessarily a good idea to bury the seed phrase in the back yard. Even if properly protected and sealed from the elements, there is always a possibility that the area could become inaccessible, the specific location could be forgotten, etc. A buried copy of the seed phrase could be an appropriate secondary backup (see the discussion of additional options below), but it shouldn’t be the sole copy.

If you have access to a local bank with safe deposit boxes, then this is a great option. Generally speaking, you will not need your seed phrase on a daily basis; it’s only necessary when recovering assets because of the loss of the first wallet device. Therefore, it’s not critical that the seed phrase be stored in a place that is highly convenient. In fact, the more inconvenient it is for you to access the backup, the more difficult it is for would-be attackers to compromise your seed phrase. By storing your seed phrase in a bank’s safe deposit box, you are protecting your seed phrase using a very effective multi-layer security approach.

If someone with ill intent wants to gain access to your backed-up seed phrase, they would first have to know specifically where you are holding it. If you don’t tell anyone where you have opened the safe deposit box, then there is an extremely small chance that someone could track down the location. Furthermore, they would need to somehow find the specific box in which the seed phrase is stored. Finally, they would still need to access it. Banks are typically protected by various security systems including alarms, cameras, multi-layer locks and automated systems that alert security services or police of any trouble. Normally, access is only granted to the account holder; in many countries, not even the bank itself is allowed to enter the safe deposit box without your explicit authorization and physical presence.

If you don’t have access to a safe deposit box at a local bank, then fire-resistant safes stored in the home may be another good option. According to Forbes, “most home burglaries… last eight to 10 minutes.” Good quality safes can be hard-mounted to the floor of a closet or other discreet location and can deny access to the vast majority of would-be thieves. If the home is further protected with alarm systems, video cameras and security monitoring services that alert first responders of any trouble, the chance that your safe (and the seed phrase stored inside) would be compromised is significantly reduced. While this is not a perfect system, the vast majority of investors would find this option to be sufficient.

Additional Options for Hardening a Seed Phrase Backup

The aforementioned security protocols will protect the vast majority of investors looking to secure their backup seed phrase against the vast majority of threats. With that said, there may be investors who wish to take additional steps to protect their financial assets because of increased risk (e.g. public figures or high-risk areas). There are additional measures that investors can take to drastically decrease the chance of a compromise.

First, don’t put all of your eggs into one basket. Just as financial advisors will always recommend diversifying a financial portfolio across an array of investment vehicles, investors in DeFi can harden their security by storing their crypto across multiple wallets. In doing so, if one wallet should become compromised, only a fraction of the total assets would be at risk. By storing backup seed phrases in multiple locations (e.g. in two separate safe deposit boxes at two geographically separated banks), you are ensuring that your assets can be recovered even if one copy were to be destroyed (e.g. due to flood or fire).

Splitting seed phrases can be another outstanding security procedure to protect against compromise. This tactic requires that a seed phrase be split into two or more parts, with each segment stored in a separate location. For example, of a 24-word seed phrase, the first 12 words could be stored in bank safe deposit box A while the second 12 would be stored in box B. The wallet cannot be recovered without the entire seed phrase, so it is impossible to compromise the stored financial assets without physical access to both halves of the backup. The inconvenience is high for the investor, should they need to recover their assets, but the chance that a split seed phrase can be compromised is astronomically small. Note: the seed phrase words must be input in the exact order they were presented at generation. Therefore, it’s important that seed phrases be properly marked (e.g. “Wallet A, Part 1 of 2”).
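The BIP39 encoding behind the 12- to 24-word phrases described earlier, and what it implies for a phrase split in two, shown as an added example that is not part of the original article. It works on word-list positions (0 to 2047) rather than words and uses constructed all-zero entropy only; the function names are assumptions chosen for illustration.

```python
import hashlib

def checksum_bits(entropy: bytes) -> str:
    """First ENT/32 bits of SHA-256(entropy), as BIP39 specifies."""
    cs_len = len(entropy) * 8 // 32
    digest = hashlib.sha256(entropy).digest()
    return bin(int.from_bytes(digest, "big"))[2:].zfill(256)[:cs_len]

def entropy_to_indices(entropy: bytes) -> list:
    """Map 128-256 bits of entropy to 12-24 word-list positions."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128, 160, 192, 224 or 256 bits")
    bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(len(entropy) * 8)
    bits += checksum_bits(entropy)
    # Each word encodes 11 bits, because 2**11 == 2048 list entries.
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]

def indices_valid(indices: list) -> bool:
    """Recompute the checksum from a transcribed phrase's word positions."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    if any(not 0 <= i < 2048 for i in indices):
        return False
    bits = "".join(format(i, "011b") for i in indices)
    ent_len = len(bits) * 32 // 33
    entropy = int(bits[:ent_len], 2).to_bytes(ent_len // 8, "big")
    return bits[ent_len:] == checksum_bits(entropy)

def unknown_bits_with_half(word_count: int) -> int:
    """Bits still to guess when one half of an evenly split phrase leaks.

    The missing half spans word_count/2 * 11 bits, but the checksum
    removes ENT/32 of them from the search.
    """
    cs_len = word_count * 11 // 33
    return (word_count // 2) * 11 - cs_len

if __name__ == "__main__":
    sample = entropy_to_indices(bytes(16))   # constructed all-zero entropy
    print(sample, indices_valid(sample))
    print(indices_valid(sample[:-1] + [4]))  # miscopied final word is caught
    print(unknown_bits_with_half(24), unknown_bits_with_half(12))
```

Because the final word carries the checksum, many transcription errors in a written backup are detectable, and an exposed half of a 24-word phrase still leaves about 124 bits to guess, while half of a 12-word phrase leaves only about 62.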

Steel plates or capsules are another great option for ensuring a hardened backup of your seed phrase. The devices come in a variety of forms, construction and price, and are designed to turn the paper copy into a more water-, fire- and blast- resistant medium. Seed phrases are punched, engraved or etched into a hardened material (often titanium or steel), which ensures that your backup can resist a wide array of environmental factors. Some kits also include tamper seals, which can be helpful in verifying that your seed phrase has not been compromised.

Conclusion

Because every investor’s situation is different, no one seed phrase security strategy is appropriate for everyone. Some investors will find that a simple backup stored in a home fire-resistant safe will suffice, while others will need to take advantage of steel plates and split seed phrase storage across multiple locations. The specific avenue that any one investor should take will need to be determined by a thorough and systematic analysis of their own individual situation. Included in the decision-making process should be a look at risk factors (e.g. their location, likelihood of a burglary), the size of their investment portfolio, the funds they have available to cover security costs, etc. The best approach is to be intentional from the start and to always treat your seed phrase like the keys to your kingdom. Because in truth, they really are.

About the Author

Panikd Badger is an investor in DeFi, a voice chat moderator for the FEG Token in Telegram and the head of the FEGradio program. He hosts the FEGradio Live! broadcast every Tuesday and Thursday at 6pm EST/11pm UTC in Telegram, on FEGradio.com and on YouTube. Be sure to check out FEGradio.com for information about the program, or to listen to the 24-hour FEG Token Voice Chat or wide variety of independent radio programs under the FEGradio umbrella. You are welcome to reach Panikd Badger at any time regarding this article, or for any other matter, on Telegram using the handle @FEGradioLive or on Twitter using the handle @FEGradio.
