10x Security Bitcoin Guide: How To Store Bitcoin Without Any Single Point of Failure
10x Security Bitcoin Guide: How To Store Bitcoin Without Any Single Point of Failure
Michael Flaxman
10x Security Bitcoin Guide
Contents
1 Preface 5
1.1 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 Project Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Compensation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4.1 Project Lead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4.2 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4.3 Reviewers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4.4 Wallet Manufacturers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.5 Disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.5.1 1. Information published on btcguide.github.io . . . . . . . . . . . . . . . . . 6
1.5.2 2. Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.5.3 3. Risks related to the use of Bitcoin . . . . . . . . . . . . . . . . . . . . . . . 7
1.5.4 4. Investment risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.5.5 5. Compliance with tax obligations . . . . . . . . . . . . . . . . . . . . . . . . 8
1.5.6 6. The Website does not store, send, or receive bitcoins . . . . . . . . . . . . . 8
1.5.7 7. No warranties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.5.8 8. Limitation of liability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.5.9 9. Arbitration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.5.10 10. Last amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2 Why Multisig? 8
2.1 Why Multisig Advanced? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 Pick Quorum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3 Pick Quorum Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3.1 Picking Your M and N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.4 Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4.1 Bitcoin Core Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.4.2 Recommended Additions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.4.3 Sourcing Hardware Wallets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.4.4 Dedicated Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.4.5 Bitcoin Core Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.4.6 Simplify Receive-Address Verification . . . . . . . . . . . . . . . . . . . . . . . 17
Michael Flaxman 2
10x Security Bitcoin Guide
6 Backup Wallet 53
6.1 Seeds and Public Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.2 Backup Seeds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.3 Think Hard About Your Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.4 Multiple Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.5 Estate Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.6 Protect Your Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.7 Backup Public Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Michael Flaxman 3
10x Security Bitcoin Guide
7 Send Bitcoin 58
7.1 Complexity of Multisig Here . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
7.2 Sign on Coldcard via SD Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
7.3 Inspect Signed Transactions Before Broadcasting . . . . . . . . . . . . . . . . . . . . 63
8 Emergency Recovery 63
8.1 Emergency Recovery Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
8.2 Option A - Trezor Hardware Wallet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
8.3 Option B - Electrum Software Wallet . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Michael Flaxman 4
10x Security Bitcoin Guide
9.5.5 BitBox02 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
9.6 Other Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
9.6.1 Advanced Single Sig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
9.6.2 Glacier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
9.6.3 Yeti . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
1 Preface
1.1 Purpose
Multisig security is a difference in kind and not in degree. It affords you the ability to avoid loss while
making 1 (or more) catastrophic failures in securing your bitcoin. By using a security system that
is fault-tolerant, you can move much faster (with less caution) through each step and still attain far
higher levels of security vs any single-key system. This guide will show you how.
The purpose of this guide is to make multisig accessible to a tech-savvy audience who does not write
code. While it may be helpful if you are comfortable using the command line (especially for some of
the optional advanced steps), it is not required.
This guide is currently a work in progress. While the ultimate goal is for the process to be easy enough
for non-technical users, there may be kinks to work out. Pull requests are welcome.
1.3 Compensation
While I do not accept any compensation from bitcoin companies in connection with this project, the
following companies have sent me their hardware devices for free to play with:
• Trezor
• Coldcard
• Cobo Vault
• Specter DIY (parts)
Note that I have written bitcoin wallet software for a number of companies in the space since 2013,
though none of them are involved in the hardware wallet space.
Michael Flaxman 5
10x Security Bitcoin Guide
1.4 Contributors
Michael Flaxman
1.4.2 Contributors
• Stephan Livera
• Holger Nahrstaedt
1.4.3 Reviewers
• TODO: add
Thank you to all the hardware wallet developers who have sent me sample units, fixed bug reports
and responded to feature requests. In particular:
Note that being on this page does not mean you endorse the recommendations given. Pull requests
to improve this guide are always welcome.
1.5 Disclaimer
The website https://btcguide.github.io/ and all created documents from the same content (here-
inafter, referred to as the “Website”) provides information and material of a general nature. You are
not authorized and nor should you rely on the Website for legal advice, business advice, or advice
of any kind. You act at your own risk in reliance on the contents of the Website. Should you make a
decision to act or not act you should contact a licensed attorney in the relevant jurisdiction in which
Michael Flaxman 6
10x Security Bitcoin Guide
you want or need help. In no way are the owners of, or contributors to, the Website responsible for
the actions, decisions, or other behavior taken or not taken by you in reliance upon the Website.
1.5.2 2. Translations
The Website may contain translations of the English version of the content available on the Website.
These translations are provided only as a convenience. In the event of any conflict between the English
language version and the translated version, the English language version shall take precedence. If
you notice any inconsistency, please report them on GitHub.
The Website will not be responsible for any losses, damages or claims arising from events falling within
the scope of the following five categories:
(1) Mistakes made by the user of any Bitcoin-related software or service, e.g., forgotten passwords,
payments sent to wrong Bitcoin addresses, and accidental deletion of wallets.
(2) Software problems of the Website and/or any Bitcoin-related software or service, e.g., corrupted
wallet file, incorrectly constructed transactions, unsafe cryptographic libraries, malware affect-
ing the Website and/or any Bitcoin-related software or service.
(3) Technical failures in the hardware of the user of any Bitcoin-related software or service, e.g.,
data loss due to a faulty or damaged storage device.
(4) Security problems experienced by the user of any Bitcoin-related software or service, e.g., unau-
thorized access to users’ wallets and/or accounts.
(5) Actions or inactions of third parties and/or events experienced by third parties, e.g., bankruptcy
of service providers, information security attacks on service providers, and fraud conducted by
third parties.
The investment in Bitcoin can lead to loss of money over short or even long periods. The investors
in Bitcoin should expect prices to have large range fluctuations. The information published on the
Website cannot guarantee that the investors in Bitcoin would not lose money.
Michael Flaxman 7
10x Security Bitcoin Guide
The users of the Website are solely responsible to determinate what, if any, taxes apply to their Bitcoin
transactions. The owners of, or contributors to, the Website are NOT responsible for determining the
taxes that apply to Bitcoin transactions.
The Website does not store, send or receive bitcoins. This is because bitcoins exist only by virtue of
the ownership record maintained in the Bitcoin network. Any transfer of title in bitcoins occurs within
a decentralized Bitcoin network, and not on the Website.
1.5.7 7. No warranties
The Website is provided on an “as is” basis without any warranties of any kind regarding the Website
and/or any content, data, materials and/or services provided on the Website.
Unless otherwise required by law, in no event shall the owners of, or contributors to, the Website be
liable for any damages of any kind, including, but not limited to, loss of use, loss of profits, or loss of
data arising out of or in any way connected with the use of the Website.
1.5.9 9. Arbitration
The user of the Website agrees to arbitrate any dispute arising from or in connection with the Website
or this disclaimer, except for disputes related to copyrights, logos, trademarks, trade names, trade
secrets or patents.
2 Why Multisig?
Michael Flaxman 8
10x Security Bitcoin Guide
“Your keys, your bitcoin. Not your keys, not your bitcoin.” – Andreas Antonopolous
This is true, but managing your own keys is really hard. The math behind the bitcoin protocol is bul-
letproof, but being your own bank requires you to be near perfect in your execution. When it comes
to cryptography, you are only as strong as your weakest link. For traditional single-key signature
schemes, the only thing between your bitcoin and an attacker is a single mistake! Learn more about
some of these risks by listening to SLP Episode 97 with Michael Flaxman.
The central goal of this guide is to help you implement a security scheme with no single points of
failure. To accomplish this, you will setup your own multisig wallet using multiple hardware wallets
from multiple different vendors. The goal of this guide is to achieve a basic multisig setup: 2-of-3
signatures from different hardware wallets made by different manufacturers.
In order to compromise your multisig setup an attacker must break multiple redundant systems,
which, due to the additive power of multisig, is incredibly challenging. Therefore, your level of
caution/paranoia/effort (vs a traditional single-key scheme) can be much lower and still achieve
much higher security.
If you follow these instructions, you can suffer at least one catastrophic failure and not lose any
bitcoin. This could include things like:
While this setup is far more secure than a traditional single-key signature scheme (which has
little/no fault tolerance), be mindful that the wrong combination of 2+ major mistakes could be
enough to lose all of your bitcoin!
Switching to fault-tolerant multisig is the most important thing you can do to improve your security.
A lot of people stick with a bad setup – trusted custody or a single-key setup – for fear of change. Don’t
Michael Flaxman 9
10x Security Bitcoin Guide
let “perfect” be the enemy of “good”; upgrade to multisig today for a solid foundation and continue
to learn and iterate over time!
We support users being as paranoid as they want to be, but think that with proper multisig it is overkill
for all but the largest HODLers. At each step, there are recommendations for how you can harden your
security, and you alone must decide how much time/money you want to spend on hardening your
security.
This guide is free, and there are no refunds. There are no bailouts in Bitcoin. We highly recommend
you practice all of this first. See disclaimer here.
Multisig has always been amazing in theory, but in practice it has been too difficult for non-expert
users.
Multisig is still not as easy as we would like it to be, but it is getting better every day. It is finally at the
point where the security benefits far outweigh the costs for large HODLers. Here are some changes
that have made multisig more accessible for mainstream users:
• BIP174 (PSBT) created a standard for multisig interoperability between hardware wallets.
• Multiple hardware wallets now support multisig, and their quality is increasing (better air-
gaps, hardware, UX, compatibility, etc).
• Multiple software implementations now exist to coordinate multisig transactions (Electrum,
specter-desktop, Caravan) as well as paid services (Casa, Unchained Capital, etc).
• Reduction in popularity of airdrop coins that were harder (or sometimes impossible) to claim
for bitcoin multisig users.
• Open-source paper wallets like SeedPicker are now available to enable adding seed(s) to multi-
sig quorums for recovery without having to purchase additional hardware wallets to get started
(until/unless you need to perform emergency recovery).
• Lower fees: segwit gives a witness discount for p2wsh transactions, which has led to them
being labelled “Unfairly Cheap”!
• Running a node has never been easier - not only do the resources required continue to be low
(an engineering marvel!), but there are now many companies that will sell you a node-in-a-box
as well as open source scripts/tutorials for simplifying node deployment/administration.
• Safer airgap signing: BIP143 (segwit) allows hardware wallets to sign the input values on trans-
actions directly, making it harder to exploit vulnerabilities in the rest of your stack.
There have been so many hardware wallet vulnerabilities and we expect new ones will continue to be
discovered; multisig fundamentally doesn’t change that. The big difference is that a proper multisig
scheme allows for 1 (or more) catastrophic failures without putting funds at risk.
Michael Flaxman 10
10x Security Bitcoin Guide
2.1.0.1 Shamir’s Secret Sharing Scheme Multisig is strictly superior to Shamir’s Secret Sharing
Scheme (SSSS), and while SSSS is elegant in theory it is very easy to mess up in practice. SSSS also
reintroduces a single point of failure; in order for a key to be generated (or used) it must be recom-
bined in a single place. We prefer to call it Shamir’s Secret Snakeoil. SSSS should only be considered
for expert users after you’ve maxed out your multisig scheme (3-of-5 for most use-cases) and need
additional protection. For that use-case, you may want to look into SLIP-0039 or alternatively divide
1 (or more) of the BIP39 seed passphrases using Shamir’s Secret Sharing Scheme. The open-source
software available to do this is still unfortunately somewhat lacking, but should improve over time.
The main theme of this guide is to create fault tolerance by avoiding a single point of failure. This
means multiple signatures (“multi-sig”) to move your bitcoin is an absolute must.
You’ll need three hardware wallets, made by three different manufacturers. In order to avoid having to
buy three hardware wallets (and because there are only very few high-quality hardware wallets with
good multisig support), we’ll generate this third key less securely on your computer offline.
It might seem easy, but this choice is actually complex, especially since we want no hardware wallet
vendor to be used for a quorum of seeds. We’ll see below that you want your m-of-n multisig threshold
to be 1 < m < n.
2.3.1.1 Problems with 1-of-n This has similar security to a single-key signature, with many possible
single keys that are capable of signing. A vulnerability in any one of these seeds (random-number gen-
eration, the hardware wallet used, etc) could lead to loss of all your bitcoin. You suffer the negatives
of multisig without the positive.
Recommendation: only expert users with a unique use-case should ever consider this.
Michael Flaxman 11
10x Security Bitcoin Guide
2.3.1.2 Problems with 2-of-2 A common fallacy is to take your 1-of-1 and convert it to a 2-of-
2, as multisig’s security model is additive. However, a 2-of-2 multisig introduces a new single
point of failure: should you have an issue with either wallet, you could be locked out of your funds.
The most likely scenario would be key loss, but even with excellent backups something as simple as
a software bug in one of your hardware wallets could harm you. For example, if one hardware wallet
were displaying an extended public key for which it didn’t have the associated private key, you could
be locked out of your funds. In some clever attacks involving bip32 derivation paths, an attacker could
even try to ransom your funds back to you (kind of like CryptoLocker).
The big negative is that it only has tolerance for one catastrophic failure (vs zero in single-key signature
schemes), and your use-case might desire greater distribution of your keys (more locations, or trusted
parties). We’ll see below why 3-of-5 helps address (some of) these concerns.
2.3.1.4 Problems with 2-of-4 It’s good that you need multiple signatures, but eliminating a single
point of failure requires having 4 different HW wallet vendors! Imagine that you have 4 seeds but only
3 different hardware-wallet vendors: 1 seed generated/protected by vendor A, 1 by vendor B, and 2 by
vendor C. If there were a serious bug with vendor C where 2 of your seeds are known to an attacker,
then in the worst case they can spend all of your bitcoin!
Recommendation: expert users can avoid this problem on receiving funds by performing their
own random number generation for multiple paper wallets in their quorum as described here.
However, keep in mind that there are currently very few high-quality hardware wallets with good mul-
tisig support, so if you need to use those recovery keys you may be forced to use the same hardware
wallet vendor for 2+ seeds.
2.3.1.5 3-of-5 is Excellent Like 2-of-3, 3-of-5 is a great choice. It offers more redundancy vs
2-of-3 (you can suffer two serious issues and not lose funds). The obvious negative is that you now
need to buy and keep track of five hardware wallets (instead of 3). Since there are currently very
few high-quality hardware wallets with good multisig support, your keys will almost certainly not be
guarded by 5 wallets from 5 different vendors.
Michael Flaxman 12
10x Security Bitcoin Guide
Recommendation: this is a good quorum to use. For simplicity, this guide is focused on 2-of-
3 but a future version may include explicit instructions for 3-of-5. Advanced users will be able to
figure out how to adopt the steps in the guide to a larger quorum.
2.3.1.6 4-of-5 Works, But Is Risky Lose two seeds and all your funds are lost. This is the same as
2-of-3, but instead of having 3 seeds to protect, you now have 5. This tradeoff makes sense for very
few people; those who are far more worried about theft vs loss. Keep in mind that on average loss is
far more common than theft.
Recommendation: only expert users with a strong use-case should ever consider this.
2.3.1.7 N > 5 is Costly and Risky N > 5 is technically possible (see e.g. this demonstration of 15-
of-15).
But unless you know exactly what you’re doing and why, you should avoid N > 5. At that point, the
cost and complexity likely exceeds any additional security benefits.
Furthermore, N > 5 can be dangerous. Due to size limits (legacy, segwit), using M and N values that are
too large carries the additional risk of creating “nonstandard” transactions (unlikely to be propagated
and mined) or even invalid transactions, which could result in permanent loss of funds!
Recommendation: only expert users with a strong use-case should ever consider this.
2.4 Equipment
This guide will assume your computer is running the free and open source Ubuntu operating system,
because it offers a good mix of security, bitcoin software compatibility, and end-user configurability.
Advanced users should be able to get other operating systems to work, but you will be on your own to
figure that out for now.
The purpose of the computer will be to run Specter-Desktop, which will communicate blockchain infor-
mation between Bitcoin Core and your hardware wallets for verification and signing. You will need an
up-to-date Bitcoin Core Full Node, which can be running on this same computer or another. For more
information about this, see the section called Running Bitcoin. Bitcoin Core’s initial block download
takes a few days to sync, so we recommend you get started on that while you wait for your hardware
wallets to arrive.
Michael Flaxman 13
10x Security Bitcoin Guide
• 1 low-end computer with webcam - see below for more information about system requirements
• 1 Coldcard Mark3 Hardware Wallet with 1 microSD card - must be <= 32 GB for FAT formatting,
but much smaller is fine. (The previous Mark2 version may work, but since this is a security
product it is always recommended to buy the latest version.)
• 1 Cobo Vault - Essential or Pro model
• 1 DVD-R (if your computer has a DVD drive) or USB stick for installing Ubuntu
• 1 pen + 3 pieces of paper (or notecards) to write down your BIP39 seed phrases
• 1 printer, 2 pieces of paper, and scissors - to print out 2 pages of non-sensitive (public) informa-
tion. You don’t need to buy a printer if you can ask someone else to print these pages out for
you. You will use the scissors to cut out the words.
2.4.0.2 Computer System Requirements The software you’re running on this machine has very
low resource requirements, so you can likely repurpose an old laptop that you have laying around. You
can read the exact Ubuntu Desktop System requirements here. Most notably, you’ll want the machine
to be 64-bit, have at least 4GB RAM, and a 2 GHz dual-core processor.
While the optimal laptop would not be used for anything else, it is acceptable for this to be a multi-
purpose machine that you use day-to-day; by design this laptop will not see bitcoin private key mate-
rial and we will always treat it as-if it is infected by malware.
You do not need to use a laptop, any desktop computer can work. We find laptops ideal because:
• They are portable and have batteries, meaning they can easily be taken into secure rooms (like
bank vaults) that may not have a power source.
• They usually have built-in webcams, which are needed for a high-quality airgap (using QR codes)
that we will be using. It’s also easy to physically pick up laptops to scan QR codes if needed.
• They have less cables for the mouse/keyboard, which is helpful when dealing with the clutter
of multiple hardware wallets.
(more here).
For advanced users, you can run your own Bitcoin Core node for more details.
Michael Flaxman 14
10x Security Bitcoin Guide
2.4.2.1 Tweezers It is very hard to remove the SD card from the Cobo Vault, and can occasionally
be challenging to do so from the Coldcard. Any cheap pair of tweezers (the kind you might use to
remove a splinter) will make this easy.
2.4.2.2 Physical Bitcoin Seed Storage The best choice is to etch your seed words into metal. This is
far more durable than words written on paper that can be destroyed by fire or water. Here are reviews
of several metal seed-storage products.
A cheaper alternative that is not nearly as durable is archival paper with an archival ink pen. These are
available online or at your local stationary store. If you go this route, you’ll want to place this paper
into a plastic bag with a good seal (vacuum seal is even better) so that it doesn’t get destroyed in the
event of water damage.
You can also use fireproof document bags for ~10-20 USD each. This is a popular brand (not an en-
dorsement, just an example).
However you secure these backups, you want one set of gear for each seed, or a minimum of 3 in
total.
2.4.2.3 Hardware wallet storage bags Electromagnetic pulse (EMP) bags, also known as a Faraday
cage or bag, should be used to store your hardware wallets. EMP bags may protect your hardware
wallets from damage by electromagnetic radiation such as cellular, GPS, Bluetooth, WiFi, RFID, NFC
radio waves, etc. which may damage your devices.
A more extreme, but unlikely, attack vector that an EMP bag may protect you from is an EMP. EMPs
are strong waves of electromagnetic energy that can damage electronic devices like hardware wal-
lets. EMPs are usually associated with nuclear weapons or solar weather events like a coronal mass
ejection, but minor EMPs can also occur from lightning strikes or even power-line surges.
Various Faraday cage / EMP bag products exist on the market but a cheap and effective option is to
vacuum seal your hardware wallets in Mylar which can be found cheaply on Amazon. Silent Pocket
is one of many companies that offer a range of Faraday cage products (not an endorsement, just an
example).
2.4.2.4 DVD Drive Instead of USB Drive Using a DVD for installing Ubuntu is slightly preferred over
a USB drive. It’s read-only, and has less attack surface vs the whole USB stack. If your DVD drive is built
into a laptop, then it’s also nice that it doesn’t require using up one of your USB ports. You can also
use this for ferrying public information (extended public keys, fingerprints, bip32 paths, etc.) between
computers, see Setup Your Hardware Wallets for more info.
Michael Flaxman 15
10x Security Bitcoin Guide
2.4.2.5 Extra DVDs or USB Sticks for Backing Up Public Key Material The data these protect will
only affect your privacy (not security), so you can secure it in many ways (store on your hard drive,
print to paper, backup to cloud, etc.). Since this is longer than a seed phrase, a digital medium (DVD
or USB drive) is strongly preferred. If you keep 2 copies per seed (and have 3 seeds in total), then you’re
going to need 6 DVD-Rs (or 6 USB drives). Read more about backing up your public keys here.
To reduce the risk of tampering or counterfeits, you can buy your hardware wallets directly from the
manufacturer in-person at a conference/meetup. If buying online, purchase directly from the manu-
facturer and avoid resellers.
Protect your operational security by taking delivery to an alternate address instead of your home ad-
dress (e.g. company address, PO box, shipping locker, etc.)
Hardware wallets are designed to protect you from malware-infected computers, but malware on your
computer could still try to trick (or even compromise) your hardware wallets. Using a dedicated com-
puter (not your day-to-day computer), can reduce the attack surface.
It may be even safer to buy your computer and other equipment (USB drives, DVDs, microSD cards,
etc.) offline at a physical store to reduce the risk of targeted tampering en-route.
Advanced users can get by on very cheap computers (like a Raspberry Pi), but since we’re using
Ubuntu we need to meet their (still lightweight) minimum requirements.
For improved security, build your own bitcoin-core node from scratch! You can read more about Bit-
coin Core’s requirements here. Some node operators take pride in getting by on extremely minimal
hardware, others use an SSD drive and/or a more powerful CPU for extra performance.
Specter-Desktop can connect to a node anywhere, so your Bitcoin Core node does not need to be on
the same computer. Some people with laptops like to run Specter-Desktop on that as their primary
device and connect to a Bitcoin Core Node that they control.
A node hosted on a machine you physically control (in a colo or more realistically your home/office)
is better than one in a cloud provider. If your cloud provider is malicious (or government-compelled)
and clever they could:
Michael Flaxman 16
10x Security Bitcoin Guide
The author of this guide is proud to have written a privacy-preserving defense against this using
merkle proofs (currently only for advanced users).
2.4.5.1 Pruning Bitcoin Core If you run a pruned full node, you can use very little disk space (cur-
rently ~5GB vs ~300GB) and massively lower your hardware requirements. However, for now pruning
your node is only recommended for expert users.
2.4.5.1.1 Rescan There are uncommon situations where you may need to -rescan the blockchain.
This might happen during a reinstallation/recovery process, if funds are stored on the bitcoin
blockchain in an address not yet added to your Bitcoin Core watch-only wallet. A pruned node must
be -reindexed (can take many hours/days), whereas a regular (non-pruned) node can be quickly
-rescan-ed (currently < 1 hour). Expert-user users can rescan from a specific block height.
2.4.5.1.2 Merkle Proofs Pruned nodes currently do not support merkle proofs. This may be fine
for locally hosted nodes, but is inherently risky for cloud-hosted nodes.
Verifying receive addresses on a quorum of trusted devices is incredibly important. Unfortunately, this
can be cumbersome, especially if they’re in separate geographic locations. One hack people use is to
setup a clean machine that can generate addresses from extended public key information without
being connected to the internet.
Not relying fully on your trusted hardware devices introduces new risks and should only be con-
sidered by expert users. You can read more about this here.
2.4.6.1 Option A - Eternally Quarantined Machine This machine is setup once and never needs to
be configured/updated again, so it is strongly recommended to have no internet access. If you choose
to do this, you can use a very low-end machine. It’s a great way to use a Raspberry Pi for example.
Michael Flaxman 17
10x Security Bitcoin Guide
2.4.6.2 Option B - Print Out Addresses An eternally quarantined machine is good, but requires
another electronic device to be permanently configured and available to use. Some users prefer to
print out many hundred (or even thousands) of receive addresses at wallet creation and then use this
physical paper to aid in verification. If you go this route, you will need a printer and paper.
We will sometimes refer to this computer as “watch-only” because it can only see transac-
tions/balances, and cannot spend. If your computer is infected by malware it can try to deceive you,
but, unlike your hardware wallets, it does not have access to your private keys. For this reason, it may
be reasonable for you to skimp on many of the advanced security/validation steps.
For Windows and macOS users, it often makes sense to simply use your existing laptop or desktop
for ease of setup. Bitcoin Core and Specter Desktop have executable “double click” install versions
available. You may need to buy an extra ~1TB hard drive to store bitcoin blockchain data (see detailed
instructions linked below).
Other users may prefer using a pre-built bitcoin node package which includes Bitcoin Core and
Specter-Desktop:
Advanced users who have an extra focus on security and/or enjoy customization may prefer to setup
their own computer, Bitcoin Core node, and Specter-Desktop following these instructions:
1. Setup Computer
2. Run Bitcoin Core Node
3. Install Specter-Desktop
Michael Flaxman 18
10x Security Bitcoin Guide
3.1.0.1 A Note on Caution In a perfect world, you’d carefully verify the software you’re installing.
However, since this machine won’t store private key material* (and multiple signatures will be re-
quired to move funds) it may be acceptable for you to install software that seems correct without
properly verifying it using the command-line.
*While we recommend that no private key material ever touch this machine, that setup is slightly more
involved and thus you may choose to generate 1 seed on this machine (and then wipe it after). Remember
that this alone is not sufficient to steal/lockup funds, so it may present an acceptable tradeoff for smaller
HODLers. For more details, see Paper Wallet Setup steps.
You’ll want to download and install the latest Long-Term Support (LTS) version of Ubuntu Desktop
(currently 20.04.1). Put the installer on a USB stick or burn it onto a DVD. Both options are good,
though we find DVDs are slightly preferable as they are slightly more secure and don’t take up a USB
port. See these step-by-step instructions.
3.2.1.2 Encrypt Your Hard Drive Use a long passphrase, so that anyone who gets physical access
to your computer will not be able to see private info like your balances and transaction history.
https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
Think of your bitcoin node as a fake bitcoin detector, it will confirm that bitcoin’s consensus rules are
being followed so that when you receive a payment you can validate that you are getting real bitcoins.
It will also help with fee estimation, coin selection, and generating transactions.
Keep in mind that while a malicious full node can try to deceive you, it does not have access to your
private keys.
You can install Specter-Desktop on your home computer alongside Bitcoin Core. Alternatively, you
can use a pre-configured product to setup your Bitcoin Core node, such as RaspiBlitz, Nodl, Umbrel,
and MyNode (Premium edition). They all come with Specter-Desktop packaged, but only RaspiBlitz is
free (Nodl and myNode Premium are paid products).
Michael Flaxman 19
10x Security Bitcoin Guide
3.3.0.1 Required Configuration In order for Specter-Desktop to connect to this full node, you’ll
need to configure some settings in your bitcoin.conf file. You can do this by going to the directory
where Bitcoin Core is installed, and opening the bitcoin.conf file in a text editor (e.g. Notepad).
Insert the following 3 lines:
server=1
blockfilterindex=1
disablewallet=0
(you don’t want to store private keys in Bitcoin Core, but you need wallet functionality enabled for
building unsigned transactions)
Save your changes to bitcoin.conf, close Bitcoin Core, and finally re-open Bitcoin Core for your
changes to take effect.
3.3.0.2 Remote nodes You’ll also need a way to authenticate a connection to your node. If this
node is run on a different computer (a “remote” machine), you’ll need to know the rpcuser and
rpcpassword that your Bitcoin Core node is using. We recommend setting rpcuser to specter
(if you can) for simplicity.
3.3.0.3 HWI Bridge Note that for physically connecting hardware wallets using your lap-
top/desktop with Specter-Desktop packaged on another device (e.g. myNode, RaspiBlitz or Nodl),
you may need to set up HWI Bridge.
3.3.0.4 Optional Configuration If you can tweak your settings, we recommend the following (op-
tional):
• Do not run your node in pruning mode as this disables rescan functionality. (In some rare
situations you may need to instruct Bitcoin Core to perform a rescan; if pruning is enabled
Bitcoin Core will instead need to (automatically) reindex the whole blockchain, which can
take many hours to many days)
• If you have set blockfilterindex=1, as suggested above, it takes just a few GB of storage
and helps speed up rescan operations.
3.3.1.1 Simple: Verify Signature Bitcoin Core developer Luke Dashjr has a good guide titled How
to securely install Bitcoin. It explains and steps through the process of ensuring your install of Bitcoin
is secure and free of malware.
Michael Flaxman 20
10x Security Bitcoin Guide
Jameson Lopp has a good guide on increasing the privacy of your node (as well as the Bitcoin network
in general) by running your node over Tor:
https://blog.lopp.net/how-to-run-bitcoin-as-a-tor-hidden-service-on-ubuntu/
https://wolfmcnally.com/115/developer-notes-setting-up-a-bitcoin-node-on-aws/
3.4.0.2 Connect Specter-Desktop to Your Bitcoin Core Node If Bitcoin Core is running on the
same computer as Specter-Desktop, then Specter-Desktop should automatically detect authentica-
tion info from the default Bitcoin Core data directory.
Michael Flaxman 21
10x Security Bitcoin Guide
3.4.0.3 Enable Merkle Proofs This optional feature in Specter-Desktop provides protection from
a compromised Bitcoin Core node tricking you into believing you received a fake payment. Enabling
this feature should be considered “nice to have” for locally hosted Bitcoin Core, but very important
for cloud-hosted Bitcoin Core. Note that enabling this feature does not harm your privacy.
To enable:
1. Navigate to the Bitcoin Core settings in Specter-Desktop and click on the General tab (this link
should work if you have Specter-Desktop running).
2. Enable the Validate Merkle Proofs option and click Save.
Michael Flaxman 22
10x Security Bitcoin Guide
3.4.0.4 Build from Source Follow these instructions to build Specter-Desktop from source. More
details here.
4.1 Overview
We’re going to configure a 2-of-3 multisignature scheme, meaning you will have 3 keys, and a quo-
rum of 2 will be required to send funds (or safely verify an address to receive funds on).
1. A “paper wallet” key intended only for backup/recovery purposes - To simplify setup (and re-
duce upfront costs associated with hardware purchases), this key will be generated on your
computer. By design this key is only for backup/recovery, and therefore will hopefully never be
needed.
2. A key generated by your Cobo Vault hardware wallet
3. A key generated by your Coldcard hardware wallet
While there are a lot of steps here, you only ever need to do them once. After setup is complete, you
will be able to generate (nearly) infinite addresses and sign (nearly) infinite transactions.
4.1.0.1 Update Your Firmware Updating firmware is a step where things could go wrong, so we
want to do this before putting any funds on the hardware wallet.
Hardware wallets by default refuse to update their own firmware unless the manufacturer has cryp-
tographically signed the update, meaning it should be impossible for a third party to trick you into
installing their “update” (malware). Still, it’s a good idea to exercise common sense and be a little
paranoid here.
There are many incentives for a hacker to try to override the behavior of your hardware wallet. The
good news for your multisig scheme’s security is that by requiring signatures from multiple keys (from
Michael Flaxman 23
10x Security Bitcoin Guide
devices manufactured by different vendors) an attacker would need to trick you into installing com-
promised firmware simultaneously on multiple devices.
For extra security when updating firmware via SD Card, use a unique SD card for each hardware wal-
let. In the unlikely even that one of your hardware wallets is compromised and is attempting to push
malware on another, this will make it harder for that attack to succeed.
4.1.0.2 Use a Passphrase for Each Wallet While this is a way to harden your security, in practice it
is quite complex as users are terrible about:
• Generating strong random passwords, which by definition must be long (high entropy)
• Remembering strong passwords, especially when they’re long (and sometimes not used for
many months/years)
• Implementing a secure backup/recovery system (like Shamir’s Secret Sharing Scheme)
We prefer instead to rely on the added security that multisig itself provides.
For now, this step should only be considered for expert users, and only after increasing your quo-
rum (from 2-of-3 to 3-of-5).
In order to eliminate the risk of a compromised random-number generator, you will be the random-
number generator!
You will draw the first 23 words out of a “hat” to create your seed phrase (“hat”, or any other con-
tainer, like a ziploc bag, which is a good choice because it enables you to shake/shuffle the words
easily without playing “2048-Card Pickup”!). The last word of a BIP39 seed phrase is actually a check-
sum, meaning you need a computer to calculate it for you. It will also calculate some extended public
key information that will be used to identify payments and generate transactions for your hardware
wallets to sign.
Michael Flaxman 24
10x Security Bitcoin Guide
4.2.1.1 Print Out Seed Words You are going to print out all 2048 words from the official BIP39
wordlist so you can select your seed words randomly. Download this nicely formatted PDF and print
out both pages (single-sided). There is no private information in this PDF, having it only reveals that
you’re interested in bitcoin. You don’t need your own printer; you could safely ask a friend to print it
out for you, print it out at work, go to a Kinko’s location, etc.
4.2.1.2 Cut Out Seed Words Cut the paper up into 2048 evenly-sized pieces (each with 1 word on
it) and put them in a “hat”.
This step will likely take a few hours with scissors (a good paper cutter may reduce the time), so it
might be a good opportunity to catch up on the Stephan Livera Podcast while you cut.
4.2.1.3 Have a Monkey Draw 23 Words Out of the Hat If you don’t have a monkey, you can do it
yourself. As you pull each word out, write it down on a piece of paper. In the end you will have 23
words that look like this (do NOT use this seed phrase):
define rifle cliff summer priority ability chimney cotton tennis crash husband try tr
4.2.2 Calculate the 24th Word and Other Seed Data using SeedPicker
The 24th word cannot be calculated on paper or in your head, so you will need a secure computer for
this step. This guide recommends the open source tool SeedPicker, which was designed for this
purpose.
4.2.2.1 Practice First with a Dry Run Let’s start with a dry run. As this is just for testing, you don’t
have to worry about security at all. Use the following insecure seed phrase (the word zoo repeated
23 times):
zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo
(an unbiased monkey would not pull the same word out of a hat 23 times in a row)
1. Visit seedpicker.net
2. Enter the practice phrase (zoo zoo zoo...) and hit Calculate!
Michael Flaxman 25
10x Security Bitcoin Guide
3. You will see that the 24th word calculation result is buddy:
1. Write down the whole 24 word phrase (zoo repeated 23 times + buddy as the 24th word) offline
on paper only. Do not save this to any computer.
2. Scroll down to Export Public Key Info To Specter Desktop and click on the
Download button. This will download a json file to your computer, containing the extended
public key info. Save the file to a DVD-R or USB drive to later share with Specter-Desktop.
4.2.2.4 Do it Live Quit all applications, remove any removable media, and turn off your inter-
net access before continuing. Do not save the seed phrase to your hard drive (write it down on
paper only), and restart your computer before restoring internet access.
It is highly recommended that you wipe your hard drive before restoring internet access. See advanced
section for more info.
Michael Flaxman 26
10x Security Bitcoin Guide
In the previous step, you saved your extended public key information (seedpickerxp-foo.json)
to a DVD-R or USB drive.
1. On Specter-Desktop: Click + Add new device, enter a Name (like Paper Wallet), click
Choose files and select your file (seedpickerxp-foo.json), and hit continue. Your
file will be automatically parsed into something like this:
Michael Flaxman 27
10x Security Bitcoin Guide
Michael Flaxman 28
10x Security Bitcoin Guide
4.3.0.1 Use a Clean Machine If there were malware on your machine and this seed escaped, it
would significantly degrade the security of your multisig scheme. Assuming your attacker has 1 of
your 2-of-3 needed keys, then you effectively now have a 1-of-2 scheme. Introducing the pos-
sibility of a single point of failure would mean we’re now suffering the negatives of multisig, without
getting (most of) the benefits.
That is why it is essential that you turn off (and unplug) your internet access before performing
these steps.
4.3.0.2 Option A (preferred): Tails Operating System For our one-time offline key generation, it
is preferable to use a live operating system that cannot store information on the file system. Tails is
a live OS that is designed to wipe itself completely on shutdown. Conveniently, Electrum also comes
pre-installed with Tails.
Follow the official Tails installation instructions to install Tails. Then perform the regular steps in the
Setup Paper Wallet section using that machine. Your computer will automatically wipe itself com-
pletely (including RAM) on shutdown.
If you are truly paranoid, remove the hard drive from the machine (before booting up Tails) so there
is no possibility that any private key material can be written to disk.
Michael Flaxman 29
10x Security Bitcoin Guide
4.3.0.3 Option B (less secure): Wipe Your Machine While Tails is preferred for self-destruction,
you can get a similar effect by wiping the hard drive after generating your seed. If you have an Ubuntu
installer DVD or USB drive (see Computer Configuration section), you can use that to perform the fol-
lowing steps:
• Before getting started, setup full disk encryption (see Advanced Computer Configuration sec-
tion) with a very long passphrase so that any data that may have persisted on your hard drive
after step 3 (above) can never be recovered.
• When wiping your hard drive, use a secure erase program to make sure that nothing survives.
Note that these do not work perfectly on Flash memory (SSD drives), so the previous technique is
preferred. You can read more about this here and here.
4.3.0.5 Confirm Seed Matches Zpub This is important in case SeedPicker was actually replaced
by malware trying to steal your bitcoin! We will confirm that the seed is valid, matches the expected
root fingerprint and Zpub (for that path).
This step is unfortunately complicated, as SeedPicker (see basic section) is the only GUI software that
currently exists to make it easier. Only advanced users who are comfortable with the command
line should continue.
Michael Flaxman 30
10x Security Bitcoin Guide
4.3.0.5.2 Use a Pure Command Line Interface (CLI) Script Expert users only: https://github.com
/mflaxman/human-rng-golang
4.3.0.6.1 Option A: Write Data to CD/DVD instead of USB Drive DVDs are less able to execute mal-
ware on your computer.
4.3.0.6.2 Option B: Use a QR-Code Airgap This is not currently documented. Pull requests with
clarification are welcome. Specter-Desktop can receive this info via QR-code airgap.
4.3.0.8 Put Each Word Back in the Hat Between Draws BIP39 allows for a word to be repeated in
your seed phrase should it happen to be randomly drawn multiple times (very unlikely).
Randomly drawing 23 words with replacement, when performed correctly, has 253 bits of entropy.
Randomly drawing 23 words without replacement, when performed correctly, has “only” 252.82 bits
of entropy.
Michael Flaxman 31
10x Security Bitcoin Guide
With so many words to choose from (2048), the vast majority (over 88%) of possible seed phrases do
not contain repeated words.
The slight reduction to such a massive keyspace is insignificant. Nonetheless, we prefer to follow
standards / best practices when possible.
4.3.0.9 Use SeedPicker Cutouts Instead of having to cut out 2,048 words, you can get the same
security by cutting out only 342 raffle tickets and using a 6-sided die instead. See the SeedPicker guide
for creating your own seed phrase for more info. This will require 3 pages to be printed out, and it’s
easier if you print out another 5 (can just reference them online if you prefer). You’ll also need a fair
6-sided die.
4.3.0.10 Use Dice You can avoid all the paper cutting by using dice and a lookup table instead.
4.3.0.11 Add a Strong Passphrase to Your Seed Caution: you now have to come up with a way to
backup/protect this passphrase, and if you lose it your seed is worthless. Because this step is only for
expert users, we’re going to ignore it for now. Be sure to use a hardware wallet where you can enter
the passphrase directly on the device to avoid potential issues.
4.3.0.12 Not Perfect No setup is perfect and this one is no exception. Read more about known
issues with SeedPicker here.
Michael Flaxman 32
10x Security Bitcoin Guide
2. Copy the downloaded .zip file to your microSD card and insert it into your Cobo Vault.
3. Turn on your Cobo Vault. You will be prompted to update the firmware, click the button to ac-
cept the upgrade. If you are not prompted to update the firmware, you can click on Menu >
Settings > Version > Update Now.
4. Enter your password when prompted. The update may take several minutes to complete.
Follow the instructions on Cobo’s website to verify your device, setup a PIN, and generate your seed.
Michael Flaxman 33
10x Security Bitcoin Guide
1. On Cobo: Menu > Multisig Wallet > ••• button in the top right > Show/Export XPUB.
3. Hold the QR code on your Cobo Vault up to your webcam so your computer can scan it.
Michael Flaxman 34
10x Security Bitcoin Guide
You can perform these steps via SD card, but since it is harder to do and less secure you really shouldn’t!
4.4.3.1 Verify Your Firmware Before Installing Confirm that the sha256 hash digest of the file you
downloaded matches what is expected:
Linux:
Windows:
Michael Flaxman 35
10x Security Bitcoin Guide
(The above hashes are accurate for v1.4.0 but will become stale for future releases. Calculate the
hash digest of the new file and confirm that it matches what’s published by the company.)
Using dice:
https://support.cobo.com/hc/en-us/articles/360050478133-How-to-Use-Dice-to-Generate-Your-
Recovery-Phrase
4.4.3.3 Not Perfect No device is perfect and this one is no exception. Read more about known
issues with Cobo Vault here.
We recommend powering your Coldcard using a portable battery pack (best) or a wall outlet, instead
of a computer, because we want to maintain as much of an “airgap” as possible.
Communication between your computer and Coldcard should only happen by manually transferring
data over a microSD card.
4.5.0.1 Update Your Firmware Follow the steps on Coldcard’s website: https://coldcardwallet.c
om/docs/upgrade
1. Insert a microSD into Coldcard and then select: Settings > Multisig Wallets > Export
XPUB.
2. Remove the microSD card from your Coldcard and put it in your computer’s card reader.
Michael Flaxman 36
10x Security Bitcoin Guide
3. On Specter-Desktop: Click + Add new device > Choose files and select the exported
Michael Flaxman 37
10x Security Bitcoin Guide
4.5.0.4 Verify Coldcard Authenticity The Coldcard will come in a bag with a letter or barcode un-
der the number (e.g. C0008091). When you first start up the device, confirm that the device displays
this number. See what this verification looks like in Matt Odell’s Coldcard video (the relevant section
is ~3 mins in, in case the link doesn’t take you there).
4.5.0.6 Easy: Minimize Trust You can add additional entropy during new wallet creation using
a casino die by pressing “4” as demonstrated in Matt Odell’s Coldcard video (at timestamp ~11:25).
You can do the full 256 bits of entropy with 99 rolls, or you can do just a few rolls and add some en-
tropy at least to trust-minimize your seed generation. This step is very good at protecting you from a
compromised random-number generator implementation in your Coldcard, but if your Coldcard was
compromised in the first place this step may not protect you.
Michael Flaxman 38
10x Security Bitcoin Guide
4.5.0.7 Hard: Don’t Trust, Verify If you don’t trust Coldcard to generate your seed at all, you can
create your own seed with dice from scratch by following the instructions on the Coldcard website.
You can see a demo video here. Note that the whole benefit of this option (vs the previous one) is that
you actually have to verify that your seed rolls are being used to create this seed, which is not trivial
(see demo video here).
4.5.0.9 Power Source If the only available power source is a computer or a possibly compromised
charging port, using a charge-only (no-data) USB cable or a USB condom on a regular USB cable can
help mitigate the risk of weakening the airgap.
4.5.0.10 SD Card Interactivity Each time an SD card is taken from your computer to your Coldcard
it can theoretically introduce malware onto the Coldcard (a failure where the malware is said to have
“jumped your airgap”). Expert users can figure out how to create a multisig wallet on their Coldcard
with only 1 file from their hot machine (no need to first export the public key information from the
Coldcard).
4.5.0.11 Not Perfect No device is perfect and this one is no exception. Read more about known
issues with Coldcard here.
Now that we have all your public key information in Specter-Desktop, we need to create your 2-of-3
multisig wallet. We tell Specter-Desktop and each hardware wallet that these are your 3 public keys
and that any 2 of them is sufficient to sign a transaction. This is a one-time setup that you’ll never
need to repeat.
Michael Flaxman 39
10x Security Bitcoin Guide
2. Give a name to your wallet (e.g. Redundant Multisig), choose Segwit (default), 2-of-3
(default) and select your 3 cosigners: Cobo, Coldcard and Paper Wallet
3. Select your public keys. If you’ve followed the default steps, you’ll just select all 3 of them.
Michael Flaxman 40
10x Security Bitcoin Guide
Now that we have our multisig wallet configured in Specter-Desktop, we need to let the Cobo Vault
and Coldcard devices know about it.
Michael Flaxman 41
10x Security Bitcoin Guide
1. On Specter-Desktop, select your multisig wallet (e.g. Redundant Multisig) > Settings
> Show Cobo QR Code:
Specter-Desktop will
display a popup like this:
Michael Flaxman 42
10x Security Bitcoin Guide
1. On Specter-Desktop, select your multisig wallet (e.g. Redundant Multisig) > Settings >
Download Coldcard File:
Michael Flaxman 43
10x Security Bitcoin Guide
2. Save this file to your microSD card and put the microSD card in your Coldcard.
3. On your Coldcard, go to: Settings > Multisig Wallets > Import from SD
Even if you have the correct m-of-n (e.g. 2-of-3), you need to be sure that the public keys used
correspond to the private keys you actually control!
4.6.1.1 Cobo You can verify this when setting up your Cobo, or go to Multisig Wallet > Wal-
let Name > Wallet Info anytime:
Michael Flaxman 44
10x Security Bitcoin Guide
4.6.1.2 Coldcard On your Coldcard, go to: Settings > Multisig Wallets > Your Wallet
Name > View Details:
Newer Coldcard firmware will display the same Zpub... standard that Specter-Desktop/Cobo use.
However, older Coldcard firmware only shows xpub..., so an alternative is to verify a single receive
address on the Coldcard.
Expert users may be able to convert between xpub and Zpub with a tool like Jameson Lopp’s XPub
Converter to verify extended public keys. RTFM for more info: https://coldcardwallet.com/docs/mult
isig
4.6.1.3 Paper We want to verify that the pubkey from this piece of paper has been included in our
quorum. Confirm that your Zpub... from the Setup Paper Wallet Step is included on your Cobo
Vault (above).
Michael Flaxman 45
10x Security Bitcoin Guide
4.6.1.4 Specter-Desktop: For safety we assume that the computer running Specter-Desktop is in-
fected with malware, but it’s still a useful sanity-check:
It is essential to be sure you control a bitcoin address before you use it to receive funds. Unfortunately,
verifying multisig receive addresses is slightly more complicated than in single-key setups.
In order to securely receive funds, you must verify a given receive address on at least a quorum
(m in m-of-n) of your trusted displays. In the default case, this means you would check on both
your Cobo Vault and your Coldcard. Unfortunately, this step can be inconvenient, as the two devices
should be kept in different physical locations.
Once you have verified your address on a quorum of devices, it is safe to give that address out to a
payee. Advanced users can mitigate some of these issues by following these steps.
1. Specter-Desktop Instructions
2. Cobo Vault Instructions
3. Coldcard Instructions
Michael Flaxman 46
10x Security Bitcoin Guide
It is essential to be sure you control a bitcoin address before you receive funds on it, as this is a
common attack that leads to losses. You can read more about this issue here.
5.1.0.1 When to Choose A Less Secure Approach Having to travel to multiple geographies just to
verify a single receive address (not even to spend bitcoin) can be undesirable for practical reasons.
One way around this is to (partially) trust the addresses your host computer displays. If your host
computer says address X follows the rules of your quorum (m signatures required from these n seeds
your hardware wallets control), and your Cobo Vault agrees, you might decide it’s worth the risk to
consider that receive address valid. If your host computer (which may be infected with malware)
and your Cobo Vault were compromised, this could results in immediate loss of funds sent to this
address.
1. When the amount you’re receiving is low. (But remember, BTC price appreciation could in-
crease the USD/EUR/GBP/etc. value of the bitcoin in this address, so consider this as well.)
2. When the computer you’re using to verify this address is a dedicated machine. An eternally
quarantined machine significantly reduces risk.
3. When you previously saved (preferably printed) a file of addresses that you verified on a
quorum of trusted devices, your selected address is included in that file, and you are confident
that the file has not been altered/tampered with.
4. When performing a 3-of-5 multisig transaction where you verified the address on 2
trusted devices in the quorum but not the full 3 required.
5. When your hardware wallets you use to verify the address previously saved/registered the
public keys info from the rest of your seeds, so that tampering with any seed would be caught
by this wallet. TODO: add more on this.
You might consider it safe to send to an address that you’ve previously received funds on and been
able to spend, but this has two serious issues:
1. This is known as “address reuse”, and it’s bad for both privacy and security (in the event that
serious quantum computers become available/viable). TODO: add link/explanation.
2. The fact that you were previously able to spend does indicate you have control, but doesn’t
guarantee it. In an extreme case, your host computer may be malware-infected yet still relay-
ing/signing your small transactions in hopes of tricking you into making a large deposit (you can
think of this as a long-con).
Michael Flaxman 47
10x Security Bitcoin Guide
Your Specter-Desktop software is connected to the internet, or at least connected to your Bitcoin Core
node which is connected to the internet. We can improve this by using an offline/dedicated machine,
where we install only the software absolutely required for our purposes.
While this will help protect you against malware on your computer, you are still at risk from an Evil
maid attack with physical access to your computer (or paper printout). Such an “evil maid” could
tamper with this software/printout to instead show bitcoin addresses that they control, and trick you
into receiving a deposit on their address.
5.1.1.1 Option A: Offline/Dedicated Machine You will set up the multisig in the software wallet of
your choice by importing the extended public keys for all N seeds from your quorum.
It is recommended to use an eternally quarantined machine, meaning that it is never again connected
to the internet and not used for any other purpose. That way, the attack surface is reduced and you
are not at risk of malware on an ongoing basis.
Alternatively, you can use Tails, which you might already have used when setting up your Paper Wal-
let.
1. Verify that all the Zpub/xpub keys match on both the Cobo and the Coldcard
5.1.1.1.1 Electrum
1. In Specter, click on your Wallet Name -> Settings -> Export -> Export to
Wallet software -> Download Electrum (watch-only) File
2. Save this file to USB stick or SD card. Something that you can access from Tails.
3. Reboot and run Tails
4. Open Electrum, on the first window, click “Choose” and find the wallet file that you exported
above in step 2
5. The wallet should open. Go to the Addresses tab to verify the addresses match the addresses
shown on the hardware wallets. If you cannot see the Addresses tab, use the menu item for View
-> Show Addresses
5.1.1.1.2 Caravan
Michael Flaxman 48
10x Security Bitcoin Guide
4. Click “WALLET”
5. On the right side of the page, set 2 of 3 quorum, and set P2WSH address type
6. On the left side of the page, select the dropdown to “Enter as text”, and type in all 3 of your Zpub
keys shown on either your Cobo or Coldcard
7. Allow Caravan some time to generate the wallet, and then use the Addresses tab to verify the
addresses match the addresses shown on the hardware wallets
5.1.1.2 Option B: Print the Addresses to Paper One benefit of this is that you could get by without
a dedicated machine, and the other is that paper is easier for most people to secure vs a computer.
This option becomes less feasible as the number of bitcoin addresses you need rises. Consider, for
example, a bitcoin business that receives many payments each day; a paper-based solution will be
very difficult to manage in that situation.
Steps:
1. Follow the instructions in the previous step and setup a clean (freshly wiped) machine to verify
receive addresses.
2. Export a very large amount of receive addresses to a file. You never want to have to repeat this
setup and paper is cheap, so consider a very large number (say 10,000 addresses).
3. Print this file, and consider making multiple copies.
Now that you never need to check this computer again, you can go about using it for whatever you
like and not have to worry about keeping it secure. Ideally, you would wipe the computer, but since it
is only touching public key information the only risk is a privacy leak.
Verification is easy!
Click on your multisig wallet (e.g. Redundant Multisig) and then the Receive tab, and then
see Address #X:
Michael Flaxman 49
10x Security Bitcoin Guide
If you’re paranoid, you can also verify this address using an eternally quarantined machine (or file).
Verifying receive addresses is one area where the Cobo Vault wallet excels! The large screen and true
airgap improve both security and useability.
On Cobo Vault, click Multisig Wallet > Receiving tab (default selected) and click on the ad-
dress:
Michael Flaxman 50
10x Security Bitcoin Guide
To see more addresses, return to the Receiving tab, and press the big + button to add more ad-
dresses
While verifying the address is a good start, ideally you also want to reconfirm the m-of-n quorum
info each time you transact.
Michael Flaxman 51
10x Security Bitcoin Guide
As of Firmware Version 3.2.2 (January 14th, 2021) Coldcard’s Address Explorer supports multisig, so
you can verify (partially redacted) receive addresses while maintaining an airgap!
2. Scroll to the bottom of the warning message, then press the indicated number to continue
3. Scroll to the bottom of the options and select the name of your multisig wallet (btcguide.github.io
in the example):
Michael Flaxman 52
10x Security Bitcoin Guide
TODO: Consider whether it’s worth weakening the airgap and/or taking other measures to verify full
(rather than redacted) receive addresses
6 Backup Wallet
Now that we’ve confirmed everything is working as expected, let’s back it all up before receiving any
bitcoin.
There are two components to your wallet that you need to backup to guarantee future recovery: seed
phrases and public keys.
6.1.0.1 Seed Phrases BIP39 seeds are 24* word phrases that represent your bitcoin private keys.
With multisig, you only need to have m (of your total n) seed phrases to sign a transaction. Seed
phrases should be guarded very carefully as anyone who gets access to m of your n seed phrases can
steal your bitcoin!
*Expert users may choose to use shorter seed phrases, though we do not normally recommend this.
6.1.0.2 Public Keys One confusing thing about multisig is that you need all of your public keys (in-
cluding associated metadata) in order to be able to spend any of your bitcoin. Public keys do not need
to be guarded nearly as carefully as seeds; anyone who gets access to public key information can only
see which bitcoin addresses belong to you but cannot spend from them.
For non-expert users, we recommend storing a copy of all extended public keys with each individual
seed as well as redundant backups in many other places that may include:
Michael Flaxman 53
10x Security Bitcoin Guide
6.1.0.3 Protect Your Privacy Expert users may notice a potential privacy issue with having many
copies of your extended public keys floating around. You can read more about it here.
Remember that anyone who gets access to a quorum of your seeds (m in m-of-n) as well as your
much less secure public key information can steal all of your bitcoin, so do not store store a quorum
of your seeds in one place!
6.2.0.1 Redundancy You want to backup each of your 24-word bip39 seed phrases on a piece of
paper, so that you can recover if your hardware wallet is lost, defective, or destroyed. That means at a
minimum you’ll have 3 pieces of paper, each with 1 seed phrase. Then, m of your seeds along with all
n of your extended public key info (see Backup Public Keys) will allow you to recover your funds.
• Vaults at banks - safe-deposit boxes have the added benefit that in the event of your death they
should naturally transfer over to your heirs.
• Safes at home/work - you may not have the security systems/monitoring of a bank, but you also
don’t have to trust a third party to let you in (and no one will be peeking over your shoulder).
• Buried in a mountain - X marks the spot!
• With a trusted family member (or very close friend) - remember that if you give away m seeds,
this person can spend your bitcoin.
It is a natural human bias to believe theft is a greater risk than loss, despite data indicating the oppo-
site. (An analogy that gives some insight into the relevant psychology: we are all terrified of homicide
despite suicide being more common.) Non-expert users should question themselves when taking ex-
treme steps to protect against theft over loss.
There are many tradeoffs between security/redundancy below and only you can decide what the ap-
propriate balance is for your needs.
6.4.0.1 Physical Security Not only does storing all of your bitcoin information in one place make
it less secure, it also makes you a target! You don’t want a home-invader to be able to hold you at
Michael Flaxman 54
10x Security Bitcoin Guide
gunpoint for your life-savings. The downside is that funds secured by a “geographically split” scheme
will be harder to spend because you must visit multiple secure locations to gather signatures. For day-
to-day funds, you might choose a simpler single-key signature wallet setup that is easy to spend (but
not as secure).
6.4.0.2 Natural Disasters If you keep all m seeds in one location and there is a fire (or flood) you
could lose everything, perhaps when you need it most. In the unlikely event you need to evacuate, you
don’t also want to be carrying your life-savings on you (see previous section on physical security).
Imagine you have a 2-of-3 scheme with 1 seed in each of 3 cities (A, B, and C). Should you need to
evacuate city A, you can take seed A with you to city B or to city C. As you are only carrying 1 (of a
needed 2) seeds, if you are robbed during this time your attacker will be unable to spend your bitcoin.
Important note: in the event a seed is compromised you need to retrieve m seeds ASAP to “rotate” out
the seed that was stolen (this is accomplished by moving your funds to a new multisig scheme where
you control all 3 seeds again).
The hardest bitcoin security question for most bitcoiners to answer is “what happens to your bitcoin
if you get hit by a bus?” Unfortunately, ensuring your bitcoin is recoverable by your loved ones and
nobody else is a very challenging task. Multisig is the best tool we have to aid in this process.
6.5.0.1 Give One (or More) Seeds to Someone You Trust Anyone who has a quorum of seeds can
spend your bitcoins! (even if they don’t, it’s important to know that they can) Depending on your
personal situation, this may be a good thing (perhaps a spouse who you want to have complete access)
or a bad thing (perhaps a financial manager who might be tempted to steal).
Imagine you have a 2-of-3 scheme with seeds A, B, and C, all of which you initially control. You
and your spouse want to always have access to your bitcoins, and you want your children to only get
access in the event both you and your spouse are dead.
You might do the following:
• Give your family (you, your spouse, and your children) a copy of seed A. You/spouse store seed
A at home or work and your children also store seed A somewhere that only they have access to
(perhaps their home, work, or a safe-deposit box).
• Put seed B in a safe-deposit box that only you and your spouse have access to.
• Give seed C to your lawyer or other trusted-friend, to share with your children only after the
death of you and your spouse. They will also share it with you if needed as part of an emergency
recovery.
Michael Flaxman 55
10x Security Bitcoin Guide
• You and your spouse always have regular access via seeds A & B, provided that you didn’t lose
your copy of seed A and that you can get into your safe-deposit box for seed B. If you lose seed
A, you can ask your spouse or children for their copy as a backup. In the event of a problem
retrieving seed B from the bank, you can ask your lawyer for assistance in recovery (as they
have seed C). Keep in mind that if you lose both seeds A and B, your bitcoins are permanently
lost.
• In the event both you and your spouse die, your children can recover. They already have seed A,
they just need seed B (from the bank) or seed C (from the lawyer). They can get access to seed
B by contacting the bank (assuming you designated your children as the next-of-kin for your
safe-deposit box) or seed C by contacting the lawyer.
• If both your lawyer and the bank are dishonest (or compelled by a government order), they can
collude to steal your bitcoin (they have access to seeds B and C)!
• If both your lawyer and the bank are unlucky/negligent (perhaps they both suffer catastrophic
fires in the same day!), you can be locked out of your bitcoin forever (seeds B and C are lost, as
seed A alone is not enough to meet the 2-of-3 threshold).
• If your children want to steal their inheritance before you die and are able to collude with (or
trick) either the bank or the lawyer, they can get seed B or C and combine it with seed A (which
they already have).
• Your lawyer and your children may have some insight into your bitcoin transaction history,
which could implicate how much bitcoin you have.
Each of these situations can be addressed with a different quorum, giving different people different
access, making more backups, etc. However, each of those choices will introduce new risks.
You can quickly see that this scheme lends itself better to something like 3-of-5, so you can have
more entities/redundancy, and clearer organizational lines (less copies of keys floating around, so you
can know for sure who signed each transaction).
6.6.0.1 Metal Use durable metal for bitcoin seed storage instead of paper, which can fade, burn, or
smudge.
Michael Flaxman 56
10x Security Bitcoin Guide
6.6.0.2 Archival Paper & Ink Archival paper is obviously not as durable as metal, but better than
regular paper. Place your paper into a plastic bag with a good seal (vacuum sealed even better) so
that it doesn’t get destroyed in the event of water damage.
6.6.0.3 Fireproof Document Bag You can use these to protect seed backups, and also to protect
your physical hardware wallets.
To spend bitcoin, although only m seeds are required, you must also have all n public keys. For this rea-
son, we recommend saving many “public key sets”, each one including all of the public keys involved
in your quorum.
Your “public key sets” are sensitive in terms of privacy - anyone with access to a copy can view your
balance and full transaction history - but do not pose a loss-of-funds risk on their own.
6.7.0.1 Save to USB Drive or DVD Make many copies and store in many locations. We recommend
you keep a copy of all public keys (and related metadata) with each seed.
6.7.0.2 Save on Your Computer On Specter-Desktop, select your multisig wallet (e.g. Redundant
Multisig) > Settings > Export > Save Backup PDF
6.7.0.3 Save Online Save this data to various cloud providers (Dropbox, Google Drive, iCloud) or
backup services (Mozy, Carbonite, Backblaze, etc.) that you may already use. Keep in mind: as stated
above, anyone with access to a cleartext (unencrypted) “public key set” (such as a snooping employee
of a cloud provider) can view your balance and full transaction history.
6.7.0.4 Protect Your Public Keys Put your public key data (DVD or USB drive) in a plastic ziploc-
style bag to protect it from water damage. A vacuum-sealed bag is even better. For fire protection,
place that inside a fireproof document bag.
6.7.0.5 Secure Your Public Keys Anyone who gets access to public key information can see which
bitcoin addresses belong to you but cannot spend from them. While cloud backups may be good
from an availability perspective, it also means that a third party could potentially see your bitcoin
addresses and transaction history. To protect against this, encrypt the data with a strong passphrase
before sending it to the cloud. The problem, of course, is that you need access to another copy in case
Michael Flaxman 57
10x Security Bitcoin Guide
you lose that encryption passphrase (or your heirs do if you get hit by a bus). This is one reason why
keeping an unencrypted copy of all public keys with each of your bitcoin seeds (which should already
be stored in secure locations) is often an ideal tradeoff.
6.7.0.6 Extended Public Key Info The info needed to backup your extended public keys also in-
cludes related configuration settings/metadata:
• The Extended Public Key: this will either start with Zpub for mainnet / Vpub for testnet if using
SLIP132 encoding or xpub for mainnet / tpub for testnet.
• BIP32 Paths: Instructions for your hardware wallet to derive the specific key used for signing
from the seed.
This can be represented in many ways but might look like m/48'/0'/0'/2'.
You don’t need to know what these are, your software will handle them automatically. The main thing
to understand is that you must keep a copy of all this public key info for all of your seeds, and, unlike
your 24-word seed phrase, it’s too long/unwieldy to write down by hand.
This is why we use USB drives, DVDs, store it on our computer, in the cloud, etc.
7 Send Bitcoin
In order to send bitcoin, you will need to sign on 2-of-3 of your hardware wallets.
At this point, you should’ve completed all the previous sections. Once you’ve verified your receive
addresses and backed up your wallet, it’s safe to receive bitcoin.
1. On Specter-Desktop: Your Multisig Wallet (e.g. Redundant Multisig) > Send > New. Fill
out the transaction info and hit Create unsigned transaction:
Michael Flaxman 58
10x Security Bitcoin Guide
2. The transaction will now exist in an unsigned state. Click Open so you can sign it with your
hardware wallets (Cobo Vault and Coldcard):
Michael Flaxman 59
10x Security Bitcoin Guide
5. On Cobo Vault: Menu > Multisig Wallet > scanner icon (in the top right) and scan the QR
code that Specter-Desktop is displaying.
7. On Specter-Desktop: Scan signed transaction and hold up Cobo Vault to your com-
puter’s QR code scanner:
Michael Flaxman 60
10x Security Bitcoin Guide
Michael Flaxman 61
10x Security Bitcoin Guide
(this warning has to do with the high transaction fee for this
test transaction and is safe to ignore)
Michael Flaxman 62
10x Security Bitcoin Guide
Besides needing multiple signatures, multisig also involves complexity in that your change addresses
are m-of-n as well.
Fortunately, your wallet software will abstract this away for you.
1. On the previous page, at Step 9, choose “Sign with SD Card file” instead of choosing “Sign with
USB”
2. Click Save transaction, and save to your SD card
3. Eject the SD card from computer, and load into Coldcard
4. Click “Ready to sign” on Coldcard and confirm transaction details
5. Coldcard will save the signed transaction back to the SD card, but with the -part suffix at the
end of the filename
6. Back in Specter, click “Load transaction from file”, and choose the file on the SD card with the
part suffix
7. Broadcast
8 Emergency Recovery
By default, you sign your 2-of-3 transactions on your 2 hardware wallets (Cobo Vault and Coldcard)
that you previously configured. If either device is damaged/destroyed, you should replace it with a
new one and load the replacement device with the same seed phrase that you previously backed up.
This means that if seed phrase A was on your Cobo Vault and your Cobo Vault was destroyed in a fire,
you would do the following:
Michael Flaxman 63
10x Security Bitcoin Guide
However, if for any reason that doesn’t work (perhaps devices are sold out or the company has gone
out of business), you can load that BIP39 seed onto another device.
For this, we have two recommendations: Trezor (hardware wallet) and Electrum (software wallet).
Both have tradeoffs, and we hope that there will be better options in the future. BIP39 is the gold
standard supported by all major hardware wallets, so we expect it will continue to be compatible with
new hardware wallets as they are developed in the future.
As there are “gotchas” in both of the below setups, we recommend you read the advanced section for
tips to improve your setup.
8.0.0.1 Option A - Trezor You should be aware that this is a little more complicated than hardware
wallets you setup previously, and there are some pitfalls to avoid (see known issues).
TODO: add explanation/screenshots.
8.0.0.2 Option B - Electrum Electrum is an open-source software wallet that is free and readily
available, but difficult to use with multisig. As it will be touching private key material, we strongly
recommend you run this on an airgapped machine (see advanced section).
TODO: add screenshots.
Michael Flaxman 64
10x Security Bitcoin Guide
8.3.0.2 Verify Validity of Electrum Software You can read instructions on how to do this here.
9.1.2 Coldcard
9.1.2.1 SD Card “Airgap” While better than a USB port, SD cards are not a perfect airgap. Stuxnet
proved that the NSA was capable of jumping a USB-drive airgap to harm the Iranian nuclear reactor
program.
9.1.2.2 Small Screen This makes it hard to manually verify addresses / public key info, and impos-
sible to display QR codes (to minimize using the SD card).
9.1.2.3 UX Feels More Hacker/Prosumer than Enterprise Grade The Coldcard Mark3 has come a
long way and now features clicky-buttons, a faster processor, and a more RAM (for signing transactions
with many inputs).
However, normal users may be skeptical to trust a device to millions of dollars that looks like a child’s
calculator. Looks can be deceiving, as this is a very powerful and purpose-built device.
Michael Flaxman 65
10x Security Bitcoin Guide
9.1.2.4 Non-Reproducible Builds While Coldcard builds are signed by Coldcard, they are not built
in a way that is reproducible so they cannot be independently verified. That said, Coldcard firmware
is fully open so users can compile it themselves if they want this guarantee.
9.1.2.5 Fork of Trezor This hardware wallet was launched by forking some of Trezor’s open-source
code. That said, it is very actively maintained and has many new features since then (some that Trezor
has not been updated to support).
9.1.2.6 Written in Python This is not inherently a problem (python is a good general-purpose pro-
gramming language!), but several hardware wallets with varying level of multisig support are also
written in python, including: Trezor, Coldcard, KeepKey, Specter-DIY, and Passport. These hardware
wallets share a lot of upstream code, and it’s possible that if a vulnerability were discovered in one it
would be present in the others.
9.1.3.1 Not Fully Open-Source The device has been audited, but is not fully open-source for various
reason. See more details on their blog.
If firmware cannot be built from source reproducibly, then users are merely trusting that the bina-
ries the software developers sign are actually derived from the correct source. Unless users build the
firmware themselves, this is essentially the same tradeoff as just using closed source code. Note that
developers working on the project needn’t be malicious for issues to occur as their computers could
be hacked.
9.1.3.2 Built on General Purpose OS (Android) Most hardware wallets use special purpose operat-
ing systems to reduce their attack surface (and improve performance). Cobo did harden their Android
installation, but the attack surface is still much larger.
9.1.3.3 Altcoin-Focused In theory, supporting altcoins does not fundamentally weaken bitcoin se-
curity. In practice, the more complex a codebase is the more likely a security bug will be introduced
(or go undetected). These wallets are liable to be slow to upgrade their security, and bit rot is more
likely to set in.
Cobo does have a bitcoin-only firmware, though this is not a perfect solution (TODO: add link).
Michael Flaxman 66
10x Security Bitcoin Guide
9.1.3.4 Mild Annoyances These are all things that are annoying but not show-stoppers:
• Slow boot time. The fingerprint reader does help make up for this!
• Long PIN can be annoying to enter on keyboard. However, this only matters when the finger-
print reader fails.
• The microSD card is hard to remove. A simple pair of tweezers solves the problem. More
importantly, the strong QR-code airgap means you only have to use SD card to update the
firmware.
9.1.4 SeedPicker
9.1.4.1 Software Wallets Are Dangerous It’s harder to secure a general purpose operating system
than to secure a special-purpose hardware product. SeedPicker pushes more security responsibility
onto end users.
Advanced users (those comfortable setting up an airgap machine and verifying SeedPicker’s results)
love how SeedPicker can trustlessly eliminate RNG attacks on your seed phrase. Regular users are
more likely to shoot themselves in the foot and are probably better off trusting their hardware wallets
to generate the seed phrases correctly.
Security is not a binary, and no device is 100% secure. Remember that multisig security is additive, and
using this device as part of a proper multisig setup can substantially improve your bitcoin security.
9.2.1 Multisig
While multisig offers unparalleled security (see more in the Why Multisig section), the benefits do not
come for free.
Here are some of the current negatives of using any multisig scheme:
• Added Complexity
• Limited Hardware Wallet Support
• Verifying Receive Addresses
• Extra Cost
• Seeds and Privacy Leaks
Michael Flaxman 67
10x Security Bitcoin Guide
9.2.2 Complexity
9.2.2.1 Complexity is the Enemy of Security This is a common adage when it comes to informa-
tion security, and multisig is no exception. There are two very important mitigating factors.
9.2.2.2 Multisig is Not that Complex It may seem that multisig is quite complex, but much of the
complexity is just forcing the important security steps to be done upfront before funds are deposited,
which is much more secure than doing it after funds are at risk. In single-key setups, the typical work-
flow is for a user to setup an insecure wallet (with several single-points-of-failure) and then later at-
tempt to secure it (perhaps as the value of the funds grow). Some users discover to their horror that
it is already too late.
A common example of this workflow might be to use a paper wallet (or paper seed) to receive funds,
which has two major issues that a proper multisig scheme is designed to mitigate:
1. It is typically not possible to independently verify the source of randomness used to gener-
ate private key material. This leaves all funds subject to theft, even if the funds were generated
on an airgapped/eternally quarantined machine.
2. Verifying the backed-up seed matches the addresses generated requires testing this on a
secondary device. If you’re going to do this, you should just use multisig so you can get the
benefits of real fault tolerance! See Verifying Your Receive Addresses.
9.2.2.3 Multisig Recognizes Humans Are Imperfect It turns out that cryptography in meatspace
is very challenging. It is far harder to execute a single-key signature scheme perfectly than it is to
execute a multisig scheme decently, and the latter is far more secure than the former (see here for
more details).
9.2.2.4 Limited Airdrop/Fork Support Because multisig transactions are more complicated,
some altcoin airdrops that distributed new coins to bitcoin holders only did so when those bitcoins
were secured by a single-key address. Even if those chains did give coins to bitcoin multisig holders,
the new coins sometimes had very weak multisig support (effectively trapping those airdropped
coins for all but expert users).
Airdrops have become quite rare since 2018 and seem unlikely to make a resurgence, so this issue may
have resolved itself.
9.2.2.5 Limited Message Signing Support Messages are signed with a private key, and that sig-
nature reveals the public key. There’s no protocol/standard for signing with m-of-n bitcoin pub-
Michael Flaxman 68
10x Security Bitcoin Guide
keys (which are represented in address format as a script hash of those pubkeys). You can read more
here.
However, this feature is rarely used in single-key setups, and if it were important a workaround could
easily be implemented.
Unfortunately, there are few hardware wallets with good multisig capabilities.
Currently, only 2 hardware wallets (Coldcard & Cobo Vault) even offer BIP174 support. Partially Signed
Bitcoin Transactions (PSBT or BIP174) was proposed in July 2017 and merged into Bitcoin Core in Oc-
tober 2018. Wallets that don’t update their software could easily become abandonware.
Because multisig schemes require m-of-n signatures, you must verify a new receive address on at
least m trusted devices before receiving funds. Otherwise, you could fall prey to a clever attack.
Let’s say you have a 2-of-3 multisig (with seeds A, B, and C), and your host computer is infected with
malware. Remember that we always assume your host computer running Specter-Desktop is infected
with malware as this is the problem hardware wallets exist to solve.
9.2.6.1 Simple Attack Unfortunately for you, 1 of your hardware wallets is also compromised/fake.
When you use Specter-Desktop to lookup one of your bitcoin addresses (to receive funds on) a clever
attacker could replace it with one that they control. Here is how the attack work:
Michael Flaxman 69
10x Security Bitcoin Guide
3. You then deposit funds to this address without checking on any other hardware wallet dis-
plays.
4. You discover that the bitcoin you thought was sent to you was sent to your attacker :(
9.2.6.2 Complex Attack A similar attack is possible where < m of your seeds are part of the multisig
wallet, but your attacker controls >= m seeds. If your hardware wallets are stateless (like Trezor), then
this attack is possible even if none of your hardware wallets are compromised!
9.2.6.3 Defense Smart hardware wallets implement a defense against this where they register all
extended public key information when the wallet is setup, which can make this attack much harder to
pull off. If you’re willing to trust one of those hardware wallets exclusively (potentially creating a single
point of failure), you can choose to accept the result on your hardware wallet’s trusted display.
If you have a large-value transaction, you should always confirm the address on at least m trusted
displays. If you have a very large-value transaction, you may want to confirm the address on all n
trusted displays. Not only does this eliminate the risk, but it serves as a redundant check when making
a deposit.
While perhaps a little counter-intuitive, this is an excellent safety feature as redundant verification
applies to single-key signature users as well. Verification in single-key schemes adds new issues due
to the inherent single point of failure in single-key signature schemes; you now have your seed floating
around in multiple places for verification, and suffering a breach in any one of these is enough to lose
all your funds!
9.2.6.4 Potential Mitigation This guide spells out a less secure approach that is available for users
who choose to sacrifice some convenience for security.
Michael Flaxman 70
10x Security Bitcoin Guide
9.2.8 Cost
While multisig is slightly more expensive, for securing large amounts of bitcoin it’s well worth it. You
can see more about recent multisig improvements here.
9.2.8.1 More Hardware Buying multiple hardware wallets is more expensive than buying one.
Fortunately, open-source paper wallet software, like SeedPicker, is now available to enable you to add
seed(s) to your multisig quorum for recovery without having to purchase additional hardware wallets
to get started (until/unless you need to perform emergency recovery).
9.2.8.2 Higher Transaction Fees The more signatures in your transaction, the higher your trans-
action fees.
The good news is that segwit gives a witness discount for p2wsh transactions, which has led to them
being labelled “Unfairly Cheap”!
In the event that an unauthorized third party gains access to a single seed and knows the correspond-
ing bip32 path used, they will be able to calculate the child public keys that it would (likely) contribute
to a multisig scheme. This means that if this third party is savvy, they can scan the bitcoin blockchain
to see all the transactions that these addresses previously controlled (meaning that their public key
was part of the quorum of addresses that could spend those bitcoin). We say “previously” because
this third party cannot know which multisig addresses (if any) that key currently participates in.
Keep in mind that this issue already exists with single-key signatures and is much worse: an unautho-
rized third party who gains access to your seed can not only see your previously used addresses, they
can also see your current ones and, more importantly, steal all your funds. So, while this is a negative
of bitcoin multisig it is still strictly superior to single-key schemes.
9.2.9.1 Option A: Nonstandard BIP32 Path One solution to this is to use a non-standard bip32
path as a way to hide your activity on the blockchain from anyone who gains unauthorized access to
Michael Flaxman 71
10x Security Bitcoin Guide
a seed. That way if a 3rd party gains unauthorized access to a seed, they can’t see how much it was
ever protecting (to spend bitcoin they need access to m seeds).
This has the added benefit that it could be combined with Shamir’s Secret Sharing Scheme to make it
so that someone would have to break into multiple secure locations in order to get access to private
information. This standard is still being developed, especially since many hardware wallets currently
do not support non-standard paths (see Verifying a Receive Address).
9.2.9.2 Option B: Store Passphrases Separate from Seeds This solves one problem and creates
another: now you have to store those passphrases securely. This creates a whole other set of security
tradeoffs. We recommend this for experts only and is outside the scope of this guide.
9.3.1 Casa
9.3.1.1 Coldcard Implementation Doesn’t Verify Cosigner Wallets Casa recommends you trust
PSBTs of your cosigner wallets (meaning don’t verify them). In the event Casa were compromised,
this leaves you at risk of loss when transacting.
9.3.1.2 1 Key Kept on Phone Hot Wallet Software hot wallets are inherently less secure but they
have a better UX and offer one less device to buy/configure/update. You can export your mobile key
from the app for sovereign recovery purposes (instructions here).
9.3.1.3 Outdated Firmware Casa recommends users don’t update their firmware. This is likely to
prevent hardware wallet vendors from being able to make breaking changes like this one. This will
hopefully be resolved naturally in the future as hardware wallet vendors have strong incentives not to
jeopardize access to user funds.
9.3.1.4 Sovereign Recovery Is Very Hard While you can leave their service (or recover your coins
if they go out of business), the process is likely only possible for advanced users.
9.3.1.5 Privacy Alert Any third party service that can participate/coordinate multisig transactions
will have access to your balance and transaction history. They may be forced to share your records
with multiple government agencies, and often be legally unable to disclose their compliance with
Michael Flaxman 72
10x Security Bitcoin Guide
requests. Of course most bitcoiners buy their coins on exchanges that follow KYC/AML procedures, so
this may or may not be a factor for your use-case.
Casa is unique in that they do not perform traditional KYC, and it is even possible to signup without
sharing your name. Customers can pay anonymously with bitcoin or prepaid cards. Their privacy
policy is intentionally very customer-friendly.
9.3.1.6 Seedless Casa is Seedless, meaning that by default there are no seed backups from your
hardware wallets (the mobile and Casa keys are backed up automatically). This has some UX benefits
that may improve security, but can also increases the risk of loss.
• Casa offers Casa Covenant for inheritance, though the public details are sparse. Opting into this
would likely be incompatible with using their service anonymously.
• Their health check feature is useful for promoting best practices.
• They support 3-of-5 which is an excellent setup, and make it easy by providing 2 of the keys.
This is an especially good fit when using a hosted service that abstracts away a lot of multisig’s com-
plexity. Casa users should strongly consider this option as Casa is seedless and uses 1 software wallet
(see above).
9.3.2.1 Privacy Alert Any third party service that can participate/coordinate multisig transactions
will have access to your balance and transaction history. They may be forced to share your records
with multiple government agencies, and often be legally unable to disclose their compliance with
requests. Of course most bitcoiners buy their coins on exchanges that follow KYC/AML procedures, so
this may or may not be a factor for your use-case.
9.3.2.2 Only Option is 2-of-3 3-of-5 would be better, especially when using a hosted service that
already:
• Unchained has gone to great lengths to streamline their sovereign recovery process by releasing
an open-source product called Caravan that abstracts all the steps away from end-users.
• Their key checks feature is useful for promoting best practices.
• Current estate-planning offerings are barely disclosed, but they are in a position to be extremely
helpful to your heirs/estate should something happen to you.
Michael Flaxman 73
10x Security Bitcoin Guide
9.4.1 Electrum
In theory, it would be possible to do everything described in this guide using Electrum instead of
Specter-Desktop. However, there are a number of reasons we’re using Specter-Desktop instead.
9.4.1.1 Electrum Has a Very Slow Release Schedule This may be due to the fact that it’s a large
project used for many different things (lightning network, coin selection, hardware wallet integration,
multisig, validating block headers, etc.), or its nonstandard use of git (it operates with a “dirty” mas-
ter branch). For example, a new release from version 3.3.8 to 4.0.0b0 took nearly a year to release!
For mission-critical security software, we require a regular release schedule.
9.4.1.2 Limited BIP39 Support Electrum has limited support for BIP39 and is openly considering
dropping it altogether. Users cannot create BIP39 seeds, and importing them is difficult; it requires
knowing to toggle hidden checkboxes and ignoring scary user prompts with inaccurate security warn-
ings. This is confusing for hardware wallet users, as BIP39 is the universal standard that almost all
hardware wallets use.
9.4.1.3 Default Government Spying Using Electrum in the standard way is convenient, but risks
revealing which addresses are yours to anonymous/volunteer SPV servers on the internet. These vol-
unteer servers are likely to be run by blockchain surveillance companies like Chainalysis. Dishonest
SPV servers can also attempt to trick SPV clients into following a version of the blockchain that is in-
valid if it has more Proof of Work. While it is possible to run your own Electrum Server (on top of your
own Bitcoin Core node), it is easier to run your own Bitcoin Core node only, which is all that Specter-
Desktop requires.
9.4.1.4 Confusing UX Electrum’s UX is full of pitfalls that will technically not cause loss of funds but
can easily confuse non-expert users who may then make mistakes leading to loss of funds. Specter-
Desktop’s UX is already much better than Electrum and is improving rapidly.
9.4.2 Caravan
Michael Flaxman 74
10x Security Bitcoin Guide
9.4.3 Sparrow
9.5.1.1 Cannot Buy Assembled Version While the DIY version is great for expert users (and no
longer requires soldering!), the overwhelming majority of users prefer a product they can purchase.
The fewer people that use a product, the less thoroughly it is scrutinized/tested and higher risk it has
for becoming abandonware.
Small nitpick: there is no currently available case, it’s just raw electronics.
We expect both these issues to be resolved in the future, which will make this device a recommendable
addition to your multisig setup.
9.5.1.2 No Physical Security Not having a secure element means that if someone gets physical
access to your Specter DIY device they can extract your seed.
1. Many use-cases are already built around the idea of giving complete access to anyone who gets
physical access to a device. For example, if you’re storing seed phrases on metal plates (with no
passphrase) then an attacker who gets access to that plate has all the private keys associated
with it. To get the benefits of a secure element (enforcing PIN access to a secure element with
both a limit on the number of attempts and an exponentially-increasing time-delay for guesses)
means that you also need to remember a PIN.
2. A long passphrase can strongly mitigate this issue, and the iPhone-style keyboard is very good
for entering passphrases.
9.5.1.3 Written in Python This is not inherently a problem (python is a good general-purpose pro-
gramming language!), but several hardware wallets with varying level of multisig support are also
written in python, including: Trezor, Coldcard, KeepKey, Specter-DIY, and Passport. These hardware
wallets share a lot of upstream code, and it’s possible that if a vulnerability were discovered in one it
would be present in the others.
Michael Flaxman 75
10x Security Bitcoin Guide
9.5.2 Trezor
9.5.2.1 Trezor Bridge Warning Default usage leaks your xpub to Trezor’s servers (and whoever they
share records with). This is estimated at 99% of their users. This has severe privacy implications and
some potential security implications.
9.5.2.2 Limited BIP174 Support Partially Signed Bitcoin Transactions (PSBT or BIP174) was pro-
posed in July 2017 and merged into Bitcoin Core in October 2018. Wallets that don’t update their
software could easily become abandonware.
9.5.2.3 No Keyboard With only 2 buttons, it’s very hard to enter a 24-word seed or strong
passphrase. You can read about advanced recovery steps on the screen for both Trezor One here and
for the Model T here.
To mitigate this, Trezor can plug into your computer and use clever tricks to “securely” enter text on
your computer, but is not ideal from a security/UX perspective.
9.5.2.4 No Physical Security If a clever attacker with ~$100 USD of equipment gains physical ac-
cess to your Trezor (model T or Trezor One) they can extract your seed. You can read more about this
here and here (Trezor’s response here).
These attacks can be mitigated with a strong passphrase, and cannot be exploited remotely (must
have physical access to your Trezor).
9.5.2.5 Slow To Sign Multisig Transactions It is unclear why this is the case:
https://twitter.com/lopp/status/1308082310038732801
9.5.2.6 Have Made Breaking Changes in the Past In June 2020, BTCPay users found they were
no longer able to access their funds. Recovery is possible; savvy users can refuse to upgrade their
firmware (and forego potentially valuable security updates) in the first place and expert users can
load in their own firmware. You can read more about this here.
9.5.3 Ledger
9.5.3.1 Terrible Multisig Support Ledger cannot verify a receive address nor verify change ad-
dresses, making it unsuitable for both sending and receiving bitcoin in a multisig transaction. Chief
Michael Flaxman 76
10x Security Bitcoin Guide
Security Officer of Ledger Charles Guillemet has defended their decision to not support multisig by
saying (link):
“a tiny mistake that can lead to massive loss and at scale, and this is very concerning to me”
Note that the whole point of multisig is to provide fault-tolerance so that you can make mistakes and
still avoid losses! This is a very bizarre stance for a security company to publicly take, which he has
defended here. Hopefully, Ledger will join the multisig party in the future so their devices can be used
securely as part of your quorum.
9.5.3.2 No BIP174 Support Partially Signed Bitcoin Transactions (PSBT or BIP174) was proposed
in July 2017 and merged into Bitcoin Core in October 2018. Wallets that don’t update their software
could easily become abandonware.
9.5.3.3 Hard-To-Use Buttons While the physical input on most hardware devices is not perfect,
Ledger’s make it difficult to enter even a short 4-digit PIN. This leads to shorter PINs and problems
entering seeds/passphrases.
9.5.4 KeepKey
9.5.4.1 Fork of Trezor This hardware wallet was launched by forking Trezor’s open-source code.
While forking open-source projects is normal in software development, if the forked project is not
more actively maintained than the original it is less likely to catch bugs and upgrade to support new
features. For this reason, we consider the Trezor superior to KeepKey in most ways, but do be mindful
that Trezor’s Known Issues likely apply to this device as well.
9.5.4.2 Only 1 Button Only 1 button. This makes it impossible to enter a recovery seed / passphrase
on the device. They do have some clever UX options for you to do this on your host computer using a
substitution cipher but it is difficult/confusing and discourages use.
9.5.4.3 Wired “Airgap” This device must be connected to your computer in order to function.
Wired connections are bad because the USB stack presents massive attack vectors; the whole point
of hardware wallets is to keep your keys offline.
Michael Flaxman 77
10x Security Bitcoin Guide
9.5.5 BitBox02
A common response to multisig is: “but what if I do single-sig with a passphrase, is that secure?”
Well, it depends. Remember that when single-key signature schemes are performed perfectly, the
math behind them is bulletproof. Being that mere mortals are in control of the keys and the software
that interacts with them, the reality is often quite different. With single sig, an attacker needs to find
just 1 vulnerability to separate you from your bitcoin.
Let’s use some examples to demonstrate how this scheme (which was a good choice in ~2015) is strictly
inferior to multisig.
9.6.1.1 Interacting with Blockchain Data How does your wallet interact with blockchain data? Do
you maintain a perfect airgap? If your hardware wallet is plugged into your computer (meaning no
airgap), then you are 1 vulnerability (out of many) from losing your bitcoin.
This immediately eliminates Trezor, Ledger, and Keepkey. You must now be using either:
• Your own software wallet (like Electrum) which is quite dangerous for non-expert users.
• A hardware wallet like Coldcard or Cobo Vault that has an airgap. Note that these devices are
not perfect, see known issues for Coldcard and for Cobo.
For the rest of this page we’ll assume you’re using a hardware wallet, as few non-experts run software
wallets these days.
9.6.1.2 Load Your Own Firmware In order to be able to trust what your device is telling you (basic
things like a deposit address on receiving funds or advanced things like change detection when spend-
ing) you must be sure it’s running the correct software. In practice, the best way to do this is to load
the firmware onto the device yourself (note that this is not perfect, as a truly clever purchased device
could fake receipt of the firmware and still lie to you). Since it only takes one mistake to lose bitcoin,
closed-source software is reckless for storing bitcoin (note that this is not true for multisig where the
security model is additive). This leaves only the Coldcard.
Michael Flaxman 78
10x Security Bitcoin Guide
If you really want to be safe, you should order the hardware yourself and build the device on your
own.
9.6.1.3 Bad Random Number Generator Users are notoriously bad at generating strong pass-
words, but let’s assume your passphrase has enough entropy that it is truly impossible to crack, even
for an attacker with access to your seed phrase. You no longer need to worry about a compromised
random number generator on address generation, nor rolling dice for entropy (and verifying this
output is being used correctly). As this long passphrase is by definition challenging to remember,
you’re going to need to back this up.
Again, with multisig you don’t need fancy passphrases (by default) as breaking a multisig scheme
would require a quorum of devices’ seed phrases to be compromised (in a way that your attacker
could exploit).
9.6.1.4 Verification In order to achieve perfect execution (so that attacks cannot be exploited) you
need to know what your device is doing. As the saying in bitcoin goes: “don’t trust, verify.” You should
have a second device (preferably made by a second manufacturer) to confirm everything your first
device tells you (receive address verification, spend transactions send the amounts you expect, proper
change detection, etc).
If this sounds a lot like a convoluted version of multisig, it’s because it is. Single-sig products typically
don’t build that much verification into their workflows. You also now need to be worried that all the
information needed to steal your bitcoin now exists in multiple places.
9.6.1.5 Chosen Nonce Attacks If your nonce is not truly random, the private key used can be easily
calculated. If your extended public key is known to your attackers, they can trivially derive the rest of
your child private keys!
Advanced users can sign the same transaction multiple times and prove that their k-value is deter-
ministic, but this is still no guarantee of randomness (expert users can write their own code to verify
RFC6979 implementation).
Note multisig massively reduces the risk of chosen nonce attacks, as your attacker would need to be
able to extract the nonce from a quorum of your signatures.
9.6.1.6 Multiple Pieces You now have a scheme with multiple parts (seed words and passphrase)
which both need to be combined in order to recover your bitcoin. We can think of this like a 2-of-2
scheme, because if you lose either part you lose all of your bitcoin. A better scheme would be some-
thing like a 2-of-3 multisig, where you can lose a part and not lose all of your bitcoin.
Michael Flaxman 79
10x Security Bitcoin Guide
And if you’re saying you’ll use Shamir’s Secret Sharing Scheme, read this note first.
9.6.1.7 Inheritance What happens if you get hit by a bus? Multisig handles this situation reasonably
well, as you can give 1+ seeds to your heirs while you’re alive, and/or arrange for the transfer of any
remaining seeds if you die (by using a safe deposit box or a hosted service like Casa or Unchained).
The boundaries are well-defined and the recovery process uses common standards.
9.6.1.8 But I’m Perfect Let’s assume you are the rare expert who can take all of these precautions
and execute this setup flawlessly. You’re now guarding multiple pieces of information, and verifying
each step on multiple devices. Wouldn’t you be better off to combine that with a standard that en-
forces multiple signatures and explicitly allows for 1 or more mistakes? See Why Multisig section for
more details.
9.6.2 Glacier
https://glacierprotocol.org/docs/extend/improvements/
9.6.2.1 Address Reuse Multisig (using trusted stateful displays) largely solves this problem.
9.6.3 Yeti
Michael Flaxman 80