BS1:3-How to secure your bitcoin keys ⛓️

If you don’t plan on owning very much bitcoin, it’s probably fine to just make two or three paper copies of your seed words and store them in secure places. But if you want to own a lot of bitcoin, you should take particular care how you secure your keys.

This isn’t a complicated process, but it is one that you should understand and pay attention to. A little work up front will make your life a lot easier later.

Previously, we’ve said that if you have your keys, you control your bitcoin. We’ve mostly talked about keys like they were a password to your wallet—you use them when you create your wallet, and after that you don’t really think about them too much. Loading your keys into a wallet like this is called having a hot wallet.

For small amounts of bitcoin, hot wallets are fine—they’re convenient and easy to spend from. But if you want to hold bitcoin more securely, and you don’t plan on spending it very often, you should keep your keys away from anything that touches the internet.

The first and most important thing you can do to secure your bitcoin keys is generate them on a device that is not connected to the Internet (this is what people call an ‘air-gapped’ device). Generating your keys on an air-gapped device is important because it ensures that even if the device is compromised, the keys cannot leave the device.

A wallet that is never connected to the internet is called a cold wallet, or, more often, cold storage. You might wonder how private keys that are never on the internet can even work—how does anyone else know that you have the keys?

bitcoin has some rules to handle this. bitcoin allows you to create a wallet that can view your balances, see your transaction history, and even generate addresses for receiving bitcoin into the wallet, but that can not spend any of your bitcoin. These wallets are called Watch-only wallets, although they sometimes also go by other names.

The usefulness of such a wallet is that you create it on a computer or phone connected to the internet, but if someone compromises this device, they will not be able to take any of your bitcoin. You can also use this kind of wallet to create what is called a partially signed bitcoin transaction (PSBT).

A PSBT is like a bank check that has been filled out but not signed. You can specify the amount you want to send, the address to which you are sending, and the fee rate—just as with a normal transaction—but the transaction is unsigned. This means that if you broadcast it to the blockchain, no one will accept it because it doesn’t follow the rules.

If you have a device that generated your keys and is not connected to the internet, you could transfer the PSBT to that device (perhaps with a microSD card or a USB drive or some similar medium) and use the keys on the offline device to sign the transaction. When you transfer it back to your watch-only wallet and broadcast it, it will be accepted by the blockchain as a normal transaction.

All good hardware wallets use the functionality of PSBTs to keep your bitcoin keys safe.

Hardware wallets and nodes

Every bitcoin wallet also connects to a node. In the case of the mobile wallets we discussed in earlier lessons, the node is often run by the company that developed the wallet software. What this means is that they are keeping the copy of the blockchain that the wallet software queries to see if a transaction has been made with your wallet.

When you made your first bitcoin transaction, and your friend sent you some bitcoin, the wallet software on your phone asked a node run by the software developer if it saw any bitcoin transactions associated with your wallet. When the transaction was added to the mempool, the node told the wallet on your phone that there was an unconfirmed transaction for your wallet. And when it was included in a new block on the blockchain, the node told your wallet that the transaction had a confirmation.

There is no risk that the node run by the wallet software will take your bitcoin, but they do know how much bitcoin you have and every transaction you make.

Once again, you may ask: Isn’t this just how it is with investment accounts and banks? They know how much money you have. Why should you care if your hardware wallet manufacturer knows how much money you have?

Using bitcoin with someone else’s node is kind of like using a smartphone only for calling and texting: you’re missing out on some of the most important features. To a large degree, bitcoin allows you to be your own bank. Not only does this make it harder for someone to take your money, but it also gives you the advantage of having much more control about who knows how much money you have, and where you spend it.

Considering that almost every big company has been hacked and failed to secure their customers’ information, it is not unlikely that your bank balance (or your bitcoin balance, if you don’t use your own node) will end up being public knowledge.

For this reason, I suggest avoiding wallets like Trezor and Ledger, which default to having your wallet talk to their nodes.

There are two ways to go about setting up a hardware wallet: you can buy a device that is specifically manufactured to secure bitcoin keys (often called a Hardware wallet) or you can do-it-yourself.

Pre-manufactured hardware wallets

While I am describing this option first, I do not think it is as secure as the DIY method. However, it is easier and requires less of your time. I will say that the process of experimenting with DIY cold storage is one of the best ways to learn more about how the bitcoin protocol works. There are tons and tons of resources available regarding almost any type of setup you want. As long as you are cautious, and always test thoroughly with small amounts of bitcoin, you shouldn’t ever find yourself in trouble.

There are a number of companies that make hardware wallets. Here are some important criteria to think about before you choose one of them.

Do not buy a hardware wallet at Amazon or any other third-party retailer. Only buy it from the manufacturer.

Do not buy a hardware wallet that is not open source.

Do not use a hardware wallet connected to someone else’s node.

NOTE: ColdCard is clearly the best option if you are looking to purchase a ready-to-go hardware wallet. This hardware wallet is simple, easy-to-use, and secure.


The first thing to know about doing-it-yourself is that you will probably be venturing beyond your comfort zone. This is one of the positives of this method, not a negative. You are smarter and more capable than you think you are. Go slowly, test with small amounts, don’t get give up, and you will amaze yourself with what you can learn even in the space of a weekend.

If you are going to try to do-it-yourself, you should consider buying a dedicated device for your bitcoin projects. The phone or computer that you use on a daily basis is likely full of malware and viruses (it doesn’t matter what anti-virus software you use). If you intend to hold a significant amount of money in bitcoin, it’s worth buying a fresh device. It doesn’t have to be anything special. It can be even be a secondhand computer.

There are a number of really great ways to generate your bitcoin keys yourself. This is the path that I think makes the most sense, and I will describe several ways to do it here.

Seed-Signer: This project describes itself as “build an offline, air-gapped bitcoin transaction signing device from off-the-shelf components for less than $50!” The device they refer to generates bitcoin keys and signs transactions. Seed-Signer’s guides are excellent and the process is not difficult at all.

YetiCold: This project walks you through the process of using a generic laptop to create your bitcoin keys. They have some great explainers and guides that help you along the way.

Running a node

I said above that you probably don’t want to create a cold storage wallet that relies on someone else’s node. That means you should run your own node. This may sound daunting, but it’s actually easier than creating a hardware wallet.

The easiest way to start running a node is to find a computer you can dedicate to the process (running a node uses a lot of your computer’s resources—you don’t want to do anything else on the computer), and download BitcoinCore.

Installing the program will take you through set-up and the initial block download—where you download the entire bitcoin blockchain (hundreds of gigabytes). Depending on your computer (more RAM helps) and your internet connection, this can take anywhere from 8 hours to several days. Luckily, the computer does it for you, and you don’t have to pay attention—just leave it running.

Once you’ve finished downloading the blockchain, the program (as long as you leave it running) will check each new block as it’s added to the blockchain and update it on your computer.

Congratulations! You are now running your own node.

You could install a wallet like Sparrow Wallet on the same computer and connect it to the node (instructions at Sparrow Wallet’s webpage). Your wallet will then check for transactions from the copy of the blockchain being updated on your computer. This means you aren’t trusting anyone else with information about your transactions.

Wallets that help you use your own node are Samourai Wallet, Sparrow Wallet, and Specter Desktop.

Make a physical backup

Whatever device you use to generate your keys, make sure you have physical backups. When we described creating a wallet with a mobile app, we suggested writing your seed words down on a piece of paper. This is a good start.

But paper is not very durable, and it might get wet or catch fire, so your physical backup needs to be something that will last. If you do go with paper, make sure you make several copies and keep them in separate places.

There are hosts of people selling many different methods for securing your keys (e.g. punching them in stainless steel). It doesn’t really matter how you do it, as long as you follow these rules:

Do not share your seed words with anyone (don’t use any service that asks for your seed words).

Be redundant. The most likely reason you will lose access to your bitcoin is by losing access to some part of your backups. You should always have more than one backup.

Keep it simple.